Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/07/03 11:49:23 UTC
[Bug 59785] New: mod_authz_core scoping - ???
https://bz.apache.org/bugzilla/show_bug.cgi?id=59785
Bug ID: 59785
Summary: mod_authz_core scoping - ???
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_core
Assignee: bugs@httpd.apache.org
Reporter: anrdaemon@yandex.ru
Why the hell? I can't limit access to my VHost, only to a directory? What if I
don't use directories, only locations? If it's a completely virtual server?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 59785] mod_authz_core scoping - ???
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59785
--- Comment #4 from AR <an...@yandex.ru> ---
???????
As a system administrator, I fully expect RequireAll to be the default.
[Bug 59785] mod_authz_core scoping - ???
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59785
--- Comment #2 from AR <an...@yandex.ru> ---
I can't seem to use anything, it claims that I have included my directives in
"RequireAny" which I definitely did not.
No matter how I read the documentation, the results don't change.
Server version: Apache/2.4.20 (Ubuntu)
Server built: 2016-05-05T00:00:00
Output of config test was:
AH00526: Syntax error on line 14 of /etc/apache2/sites-enabled/ccenter.msk.ru.conf:
negative Require directive has no effect in <RequireAny> directive
Action 'configtest' failed.
The Apache error log may have more information.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /home/ccenter/htdocs
    <Directory /home/ccenter/htdocs>
        DirectoryIndex /index.html /index.php
        <Files ~ "\.php$">
            SetHandler "proxy:fcgi://127.8.0.1:1001/"
        </Files>
        # Deny abusive crawlers.
        Require not ip 198.27.101.168
        Require not ip 95.27.49.224
    </Directory>
    <Location "/">
        SetHandler "proxy:fcgi://127.8.0.1:1001/home/ccenter/htdocs/index.php"
    </Location>
    <Directory /home/ccenter/htdocs/content/handmade>
        Require all denied
    </Directory>
    <Directory /home/ccenter/htdocs/tpl>
        Require all denied
    </Directory>
    <Directory /home/ccenter/htdocs/upload>
        <Files ~ "\.php$">
            Require all denied
        </Files>
    </Directory>
</VirtualHost>
# grep -vRP "^\s*#" /etc/apache2/*.conf /etc/apache2/*-enabled/ | grep -iC 3 "require"
/etc/apache2/apache2.conf:<Directory />
/etc/apache2/apache2.conf: Options FollowSymLinks
/etc/apache2/apache2.conf: AllowOverride None
/etc/apache2/apache2.conf: Require all denied
/etc/apache2/apache2.conf:</Directory>
/etc/apache2/apache2.conf:
/etc/apache2/apache2.conf:<Directory /usr/share>
/etc/apache2/apache2.conf: AllowOverride None
/etc/apache2/apache2.conf: Require all granted
/etc/apache2/apache2.conf:</Directory>
/etc/apache2/apache2.conf:
/etc/apache2/apache2.conf:<Directory /var/www/>
/etc/apache2/apache2.conf: Options Indexes FollowSymLinks
/etc/apache2/apache2.conf: AllowOverride None
/etc/apache2/apache2.conf: Require all granted
/etc/apache2/apache2.conf:</Directory>
/etc/apache2/apache2.conf:
/etc/apache2/apache2.conf:
--
/etc/apache2/apache2.conf:AccessFileName .htaccess
/etc/apache2/apache2.conf:
/etc/apache2/apache2.conf:<FilesMatch "^\.ht">
/etc/apache2/apache2.conf: Require all denied
/etc/apache2/apache2.conf:</FilesMatch>
/etc/apache2/apache2.conf:
/etc/apache2/apache2.conf:
--
/etc/apache2/conf-enabled/serve-cgi-bin.conf: <Directory "/usr/lib/cgi-bin">
/etc/apache2/conf-enabled/serve-cgi-bin.conf: AllowOverride None
/etc/apache2/conf-enabled/serve-cgi-bin.conf: Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
/etc/apache2/conf-enabled/serve-cgi-bin.conf: Require all granted
/etc/apache2/conf-enabled/serve-cgi-bin.conf: </Directory>
/etc/apache2/conf-enabled/serve-cgi-bin.conf: </IfDefine>
/etc/apache2/conf-enabled/serve-cgi-bin.conf:</IfModule>
--
/etc/apache2/mods-enabled/alias.conf: <Directory "/usr/share/apache2/icons">
/etc/apache2/mods-enabled/alias.conf: Options FollowSymlinks
/etc/apache2/mods-enabled/alias.conf: AllowOverride None
/etc/apache2/mods-enabled/alias.conf: Require all granted
/etc/apache2/mods-enabled/alias.conf: </Directory>
/etc/apache2/mods-enabled/alias.conf:
/etc/apache2/mods-enabled/alias.conf:</IfModule>
--
/etc/apache2/mods-enabled/status.conf:
/etc/apache2/mods-enabled/status.conf: <Location /server-status>
/etc/apache2/mods-enabled/status.conf: SetHandler server-status
/etc/apache2/mods-enabled/status.conf: Require local
/etc/apache2/mods-enabled/status.conf: </Location>
/etc/apache2/mods-enabled/status.conf:
/etc/apache2/mods-enabled/status.conf: ExtendedStatus On
[Bug 59785] mod_authz_core scoping - ???
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59785
Eric Covener <co...@gmail.com> changed:
What      |Removed |Added
----------------------------------------------------------------------------
Status    |NEW     |RESOLVED
Resolution|---     |INVALID
--- Comment #1 from Eric Covener <co...@gmail.com> ---
You can use Location.
https://httpd.apache.org/docs/trunk/mod/directive-dict.html#Context
I'm not sure what complications would arise from allowing them in server
context directly, but it's not free.
[Bug 59785] mod_authz_core scoping - ???
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59785
--- Comment #5 from Eric Covener <co...@gmail.com> ---
(In reply to AR from comment #4)
> ???????
> As a system administrator, I fully expect RequireAll to be the default.
Bugzilla is for bug reports. 2.2 and 2.0 acted the same way as RequireAny.
More discussion at users@httpd.apache.org.
[Bug 59785] mod_authz_core scoping - ???
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59785
--- Comment #6 from AR <an...@yandex.ru> ---
They acted similarly, maybe, but the treatment of the resulting configuration
was much more in favor of the user in 2.2.
I'm porting a current 2.2 configuration over to 2.4, and hitting issues like
this one on every turn.
Sanity checks that refer to obscure defaults; documentation that fails to
make important points clear.
It took me a handful of attempts and a creative idea to get past this problem.
The small footnote in the
http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require that
"<RequireAny>" is implied, if none is specified, must be an explicit statement
at the top of the page.
[Bug 59785] mod_authz_core scoping - ???
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59785
--- Comment #3 from Eric Covener <co...@gmail.com> ---
You'll need to find another way to phrase your require directives:
1) requireany is implicit:
When multiple Require directives are used in a single configuration section and
are not contained in another authorization directive like <RequireAll>, they
are implicitly contained within a <RequireAny> directive. Thus the first one to
authorize a user authorizes the entire request, and subsequent Require
directives are ignored.
2) "not" has special limitations:
The result of the Require directive may be negated through the use of the not
option. As with the other negated authorization directive <RequireNone>, when
the Require directive is negated it can only fail or return a neutral result,
and therefore may never independently authorize a request.
Maybe as simple as
<requireall>
    require all granted
    require not ...
    require not ..
</requireall>
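The two rules quoted in comment #3, worked through as an added example (not part of the thread and not httpd code): a simplified Python model of how Require results combine, assuming only the granted, denied and neutral outcomes and using hypothetical helper names. It shows why the <Directory> body from comment #2 can never authorize a client, and how the <RequireAll> layout behaves for the same two addresses.

```python
# Simplified three-outcome model of Require combining; an assumption, not httpd source.
import ipaddress
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def require_all_granted(client):                 # Require all granted
    return GRANTED

def require_ip(addr):                            # Require ip <addr>
    net = ipaddress.ip_network(addr)
    return lambda client: GRANTED if ipaddress.ip_address(client) in net else DENIED

def negate(check):                               # Require not ...
    # A negated match fails; a negated non-match is neutral, never a grant.
    return lambda client: DENIED if check(client) == GRANTED else NEUTRAL

def require_any(*checks):
    # <RequireAny>, also the implicit wrapper: the first grant wins.
    def section(client):
        result = NEUTRAL
        for check in checks:
            r = check(client)
            if r == GRANTED:
                return GRANTED
            if result == NEUTRAL:
                result = r
        return result
    return section

def require_all(*checks):
    # <RequireAll>: no child may fail and at least one must grant.
    def section(client):
        result = NEUTRAL
        for check in checks:
            r = check(client)
            if r == DENIED:
                return DENIED
            if r == GRANTED:
                result = GRANTED
        return result
    return section

def allowed(section, client):
    # Only an overall grant lets the request through; neutral is refused.
    return section(client) == GRANTED

CRAWLERS = ("198.27.101.168", "95.27.49.224")    # addresses from comment #2
blocklist = [negate(require_ip(a)) for a in CRAWLERS]
implicit_any = require_any(*blocklist)           # body of the rejected <Directory>
explicit_all = require_all(require_all_granted, *blocklist)  # comment #3 layout
```

With a constructed client address such as 203.0.113.7, allowed(implicit_any, ...) is False for every client, while allowed(explicit_all, ...) is True for it and False for either listed crawler.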