Posted to users@tomcat.apache.org by Jonathan Mast <jh...@gmail.com> on 2009/11/25 17:13:19 UTC

Preventing httpd from accessing WEB-INF contents

Can someone please provide the magical httpd config-cantation that will
block httpd from accessing anything in WEB-INF directories?

I need something that will apply globally and can't be overridden by
VirtualHost directives.  I've dug around the httpd config documentation and
I'm just not understanding it, everything I've tried just hasn't worked.

thanks

httpd 2.2
Tomcat 6.0

Re: Preventing httpd from accessing WEB-INF contents

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jonathan,

On 11/25/2009 11:13 AM, Jonathan Mast wrote:
> Can someone please provide the magical httpd config-cantation that will
> block httpd from accessing anything in WEB-INF directories?

  <Directory "/path/to/webapp/WEB-INF">
    Order deny,allow
    Deny from all
  </Directory>

> I need something that will apply globally

How about:

  <DirectoryMatch ".*/WEB-INF">
    Order deny,allow
    Deny from all
  </DirectoryMatch>

> and can't be overridden by
> VirtualHost directives

This might not be possible. Any part of httpd.conf can override any
other part, I think. You can make it so that .htaccess files can't
override the "Order" and "Deny" directives, though.

Note that you'll probably want to protect META-INF as well.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
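
The suggestions in this thread, combined into one main-server fragment for httpd 2.2. This is an added example, not a configuration posted by any participant; /path/to/webapp is the placeholder path used above, and the combined regular expression is an assumption about how to cover both directory names in one section.

```apache
# Added example for httpd 2.2. Place it in the main server config, OUTSIDE any
# <VirtualHost> block, so that every virtual host inherits it.

# URL-space rule: deny any request whose path contains a WEB-INF or META-INF
# segment at any depth (/WEB-INF/..., /another_context/WEB-INF/...).
# No AllowOverride here: it is only valid in <Directory> sections written
# without regular expressions, which is what the "Useless use" warning
# mentioned in the thread is about.
<LocationMatch "/(WEB-INF|META-INF)(/|$)">
    Order deny,allow
    Deny from all
</LocationMatch>

# Filesystem rule: the same denial keyed on the on-disk directory, so it still
# applies if the webapp is also reachable through an Alias or a second URL path.
<DirectoryMatch ".*/(WEB-INF|META-INF)">
    Order deny,allow
    Deny from all
</DirectoryMatch>

# .htaccess control: AllowOverride belongs in a plain <Directory> section.
# "None" stops .htaccess files under the webapp from re-enabling access with
# Order/Allow. /path/to/webapp is a placeholder.
<Directory "/path/to/webapp">
    AllowOverride None
</Directory>
```

Run `apachectl configtest` after the change and confirm that each virtual host and context answers 403 for a path under WEB-INF. A section added later inside a <VirtualHost> block can still override these defaults, so the vhost config files need the same review as httpd.conf.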


Re: Preventing httpd from accessing WEB-INF contents

Posted by Jonathan Mast <jh...@gmail.com>.
You're right, I did misunderstand the Location directive.  It's at the top of
the config file now, working fine :)

On Wed, Nov 25, 2009 at 1:31 PM, André Warnier <aw...@ice-sa.com> wrote:

> Jonathan Mast wrote:
>
>> My understanding of Location directives is that cannot be used with regex
>> and if not then thats not what I'm looking for.
>>
>
> Then your understanding of Location directives is wrong.
> Why don't you look up the original article ?
> http://httpd.apache.org/docs/2.2/mod/core.html#location
> (and LocationMatch)
>
>
>
>> I have multiple contexts underneath multiple (virtual) hosts.  I need a
>> VirtualHost level directive that will block any attempts to access
>> */WEB-INF/* on that host.
>>
>> Adding a new Location directive to httpd.conf for each context would be
>> alot
>> of work and something that would be easy to forget to do.
>>
> Well, /you/ are the one who created the mess in the first place, so don't
> complain at us.
> ;-)
>
> A tip (also in the Apache documentation, about VirtualHost) :
>
> Generally speaking, configuration directives you use in the "main" part of
> the Apache server config (by this meaning what is outside of a
> <VirtualHost>..</VirtualHost> block), is inherited by all VirtualHost
> sections, and acts as a default unless specifically overridden inside the
> <VirtualHost> sections.
> In other words, if you use a <LocationMatch> section in the main
> configuration, it will "carry over" to all VirtualHosts.
>
> Note that I'm leaving something here to figure out by yourself, not that
> you would get rusty or lazy or so.

Re: Preventing httpd from accessing WEB-INF contents

Posted by André Warnier <aw...@ice-sa.com>.
Jonathan Mast wrote:
> My understanding of Location directives is that they cannot be used with regex
> and if not then that's not what I'm looking for.

Then your understanding of Location directives is wrong.
Why don't you look up the original article?
http://httpd.apache.org/docs/2.2/mod/core.html#location
(and LocationMatch)

> 
> I have multiple contexts underneath multiple (virtual) hosts.  I need a
> VirtualHost level directive that will block any attempts to access
> */WEB-INF/* on that host.
> 
> Adding a new Location directive to httpd.conf for each context would be a lot
> of work and something that would be easy to forget to do.
> 
Well, /you/ are the one who created the mess in the first place, so 
don't complain at us.
;-)

A tip (also in the Apache documentation, about VirtualHost) :

Generally speaking, configuration directives you use in the "main" part 
of the Apache server config (by this meaning what is outside of a 
<VirtualHost>..</VirtualHost> block) are inherited by all VirtualHost 
sections, and act as a default unless specifically overridden inside 
the <VirtualHost> sections.
In other words, if you use a <LocationMatch> section in the main 
configuration, it will "carry over" to all VirtualHosts.

Note that I'm leaving something here to figure out by yourself, not that 
you would get rusty or lazy or so.




Re: Preventing httpd from accessing WEB-INF contents

Posted by Jonathan Mast <jh...@gmail.com>.
My understanding of Location directives is that they cannot be used with regex
and if not then that's not what I'm looking for.

I have multiple contexts underneath multiple (virtual) hosts.  I need a
VirtualHost level directive that will block any attempts to access
*/WEB-INF/* on that host.

Adding a new Location directive to httpd.conf for each context would be a lot
of work and something that would be easy to forget to do.



On Wed, Nov 25, 2009 at 11:48 AM, Tobias Crefeld <tc...@cataneo.eu> wrote:

> On Wed, 25 Nov 2009 11:13:19 -0500,
> Jonathan Mast <jh...@gmail.com> wrote:
>
> > I need something that will apply globally and can't be overridden
> > by VirtualHost directives.
>
> Why don't you use a standard like Location/Order/Deny/Allow in the
> vhosts config to deny access to WEB-INF, etc.?
>
> Individual config-files for Apache's vhosts are still part of the
> Apache-config and you can insert in it whatever you like to control (or
> crash!) Apache as a whole. Because of this I would never give the
> Tomcat-"User" (e.g. our developers) direct access to the vhost's
> config-files.
>
>
> Regards,
>  Tobias.

Re: Preventing httpd from accessing WEB-INF contents

Posted by Tobias Crefeld <tc...@cataneo.eu>.
On Wed, 25 Nov 2009 11:13:19 -0500,
Jonathan Mast <jh...@gmail.com> wrote:

> I need something that will apply globally and can't be overridden
> by VirtualHost directives.  

Why don't you use a standard like Location/Order/Deny/Allow in the
vhosts config to deny access to WEB-INF, etc.?

Individual config-files for Apache's vhosts are still part of the
Apache-config and you can insert in it whatever you like to control (or
crash!) Apache as a whole. Because of this I would never give the
Tomcat-"User" (e.g. our developers) direct access to the vhost's
config-files.


Regards,
 Tobias.



Re: Preventing httpd from accessing WEB-INF contents

Posted by Jonathan Mast <jh...@gmail.com>.
Thanks!  I had to make a slight adjustment to get it to work fully:

<Location ~ /?WEB-INF/ >
 AllowOverride none
 deny from all
</Location>

Now foo.mysite.com/WEB-INF/* and
foo.mysite.com/another_context/WEB-INF/* are blocked.

I did get this message on httpd shutdown and startup:
[warn] Useless use of AllowOveride ...

Removing it didn't seem to affect the behavior, not sure if I should still
keep it in there.

On Wed, Nov 25, 2009 at 1:07 PM, Tim Funk <fu...@apache.org> wrote:

> Equally well
>
> <Location ~ /WEB-INF/ >
>  AllowOverride none
>  deny from all
> </Location>
>
> The docs say AllowOverride is not allowed on regex's so I believe in
> reality - this could be overridden with effort.
>
> -Tim
>
>
> Pid wrote:
>
>> On 25/11/2009 16:47, Nikolay Diulgerov wrote:
>>
>>> Try
>>>
>>> <Location /myapp/WEB-INF>
>>>
>>>         AllowOverride None
>>>
>>>         deny from all
>>>
>>>     </Location>
>>>
>>
>> Probably a better solution would be:
>>
>>  <LocationMatch /*/WEB-INF/>
>>    AllowOverride None
>>    deny from all
>>  </LocationMatch>
>>
>>  <LocationMatch /*/META-INF/>
>>    AllowOverride None
>>    deny from all
>>  </LocationMatch>
>>
>> ... but we're really just guessing what config is already in place - maybe
>> the mod_jk / mod_proxy config could be adjusted instead.
>>
>> Correcting a poor/broken config is a much better solution than attempting,
>> blindly, to stick bandages on an unknown setup.
>>
>>
>> p
>>
>>
>>> -----Original Message-----
>>> From: Jonathan Mast [mailto:jhmast.developer@gmail.com]
>>> Sent: Wednesday, November 25, 2009 6:40 PM
>>> To: Tomcat Users List; pid@pidster.com
>>> Subject: Re: Preventing httpd from accessing WEB-INF contents
>>>
>>> yes I am keeping the all the web-app stuff in place.  I don't have the
>>> time
>>> to re-architect my entire system to your suggested format.
>>>
>>> I really need to just prevent httpd from accessing anything with
>>> "WEB-INF"
>>> in the url.
>>>
>>> On Wed, Nov 25, 2009 at 11:21 AM, Pid<pi...@pidster.com>  wrote:
>>>
>>>> On 25/11/2009 16:13, Jonathan Mast wrote:
>>>>
>>>>> Can someone please provide the magical httpd config-cantation that will
>>>>> block httpd from accessing anything in WEB-INF directories?
>>>>>
>>>>> I need something that will be apply globally and can't be overridden by
>>>>> VirtualHost directives.  I've dug around the httpd config documentation
>>>>> and
>>>>> I'm just not understanding it, everything I've tried just hasn't
>>>>> worked.
>>>>>
>>>>> thanks
>>>>>
>>>>> httpd 2.2
>>>>> Tomcat 6.0
>>>>>
>>>>>
>>>> At a guess, I'd say you've published, via HTTPD, the web application
>>>> directory.
>>>>
>>>> This is one of the reasons we advise users not publish webapp
>>>> directories
>>>> via HTTPD.  Using a separate webapps and document root is advisable.
>>>>
>>>> E.g.
>>>>
>>>>  /path/to/site.com/httpdocs
>>>>  /path/to/site.com/httpdocs/index.html
>>>>  /path/to/site.com/httpdocs/images/
>>>>  /path/to/site.com/httpdocs/scripts/
>>>>
>>>>  /path/to/site.com/webapps
>>>>  /path/to/site.com/webapps/ROOT
>>>>  /path/to/site.com/webapps/myapp
>>>>
>>>>
>>>> If this isn't the case, you'll have to supply information about your
>>>> mod_jk / mod_proxy config so we can see what you're doing.
>>>>
>>>>
>>>> p

Re: Preventing httpd from accessing WEB-INF contents

Posted by Pid <pi...@pidster.com>.
On 25/11/2009 18:07, Tim Funk wrote:
> Equally well
>
> <Location ~ /WEB-INF/ >
> AllowOverride none
> deny from all
> </Location>
>
> The docs say AllowOverride is not allowed on regex's so I believe in
> reality - this could be overridden with effort.

In that case a standard include containing the config for each virtual 
host might be an improvement, and lower maintenance.

Presumably the only way to be sure is to not publish the directory in 
the first place then?


p


> -Tim
>
> Pid wrote:
>> On 25/11/2009 16:47, Nikolay Diulgerov wrote:
>>> Try
>>>
>>> <Location /myapp/WEB-INF>
>>>
>>> AllowOverride None
>>>
>>> deny from all
>>>
>>> </Location>
>>
>> Probably a better solution would be:
>>
>> <LocationMatch /*/WEB-INF/>
>> AllowOverride None
>> deny from all
>> </LocationMatch>
>>
>> <LocationMatch /*/META-INF/>
>> AllowOverride None
>> deny from all
>> </LocationMatch>
>>
>> ... but we're really just guessing what config is already in place -
>> maybe the mod_jk / mod_proxy config could be adjusted instead.
>>
>> Correcting a poor/broken config is a much better solution than
>> attempting, blindly, to stick bandages on an unknown setup.
>>
>>
>> p
>>
>>
>>> -----Original Message-----
>>> From: Jonathan Mast [mailto:jhmast.developer@gmail.com]
>>> Sent: Wednesday, November 25, 2009 6:40 PM
>>> To: Tomcat Users List; pid@pidster.com
>>> Subject: Re: Preventing httpd from accessing WEB-INF contents
>>>
>>> yes I am keeping the all the web-app stuff in place. I don't have the
>>> time
>>> to re-architect my entire system to your suggested format.
>>>
>>> I really need to just prevent httpd from accessing anything with
>>> "WEB-INF"
>>> in the url.
>>>
>>> On Wed, Nov 25, 2009 at 11:21 AM, Pid<pi...@pidster.com> wrote:
>>>
>>>> On 25/11/2009 16:13, Jonathan Mast wrote:
>>>>
>>>>> Can someone please provide the magical httpd config-cantation that
>>>>> will
>>>>> block httpd from accessing anything in WEB-INF directories?
>>>>>
>>>>> I need something that will be apply globally and can't be
>>>>> overridden by
>>>>> VirtualHost directives. I've dug around the httpd config documentation
>>>>> and
>>>>> I'm just not understanding it, everything I've tried just hasn't
>>>>> worked.
>>>>>
>>>>> thanks
>>>>>
>>>>> httpd 2.2
>>>>> Tomcat 6.0
>>>>>
>>>>>
>>>> At a guess, I'd say you've published, via HTTPD, the web application
>>>> directory.
>>>>
>>>> This is one of the reasons we advise users not publish webapp
>>>> directories
>>>> via HTTPD. Using a separate webapps and document root is advisable.
>>>>
>>>> E.g.
>>>>
>>>> /path/to/site.com/httpdocs
>>>> /path/to/site.com/httpdocs/index.html
>>>> /path/to/site.com/httpdocs/images/
>>>> /path/to/site.com/httpdocs/scripts/
>>>>
>>>> /path/to/site.com/webapps
>>>> /path/to/site.com/webapps/ROOT
>>>> /path/to/site.com/webapps/myapp
>>>>
>>>>
>>>> If this isn't the case, you'll have to supply information about your
>>>> mod_jk / mod_proxy config so we can see what you're doing.
>>>>
>>>>
>>>> p


Re: Preventing httpd from accessing WEB-INF contents

Posted by Tim Funk <fu...@apache.org>.
Equally well

<Location ~ /WEB-INF/ >
   AllowOverride none
   deny from all
</Location>

The docs say AllowOverride is not allowed on regexes so I believe in 
reality - this could be overridden with effort.

-Tim

Pid wrote:
> On 25/11/2009 16:47, Nikolay Diulgerov wrote:
>> Try
>>
>> <Location /myapp/WEB-INF>
>>
>>          AllowOverride None
>>
>>          deny from all
>>
>>      </Location>
> 
> Probably a better solution would be:
> 
>   <LocationMatch /*/WEB-INF/>
>     AllowOverride None
>     deny from all
>   </LocationMatch>
> 
>   <LocationMatch /*/META-INF/>
>     AllowOverride None
>     deny from all
>   </LocationMatch>
> 
> ... but we're really just guessing what config is already in place - 
> maybe the mod_jk / mod_proxy config could be adjusted instead.
> 
> Correcting a poor/broken config is a much better solution than 
> attempting, blindly, to stick bandages on an unknown setup.
> 
> 
> p
> 
> 
>> -----Original Message-----
>> From: Jonathan Mast [mailto:jhmast.developer@gmail.com]
>> Sent: Wednesday, November 25, 2009 6:40 PM
>> To: Tomcat Users List; pid@pidster.com
>> Subject: Re: Preventing httpd from accessing WEB-INF contents
>>
>> yes I am keeping the all the web-app stuff in place.  I don't have the 
>> time
>> to re-architect my entire system to your suggested format.
>>
>> I really need to just prevent httpd from accessing anything with 
>> "WEB-INF"
>> in the url.
>>
>> On Wed, Nov 25, 2009 at 11:21 AM, Pid<pi...@pidster.com>  wrote:
>>
>>> On 25/11/2009 16:13, Jonathan Mast wrote:
>>>
>>>> Can someone please provide the magical httpd config-cantation that will
>>>> block httpd from accessing anything in WEB-INF directories?
>>>>
>>>> I need something that will be apply globally and can't be overridden by
>>>> VirtualHost directives.  I've dug around the httpd config documentation
>>>> and
>>>> I'm just not understanding it, everything I've tried just hasn't 
>>>> worked.
>>>>
>>>> thanks
>>>>
>>>> httpd 2.2
>>>> Tomcat 6.0
>>>>
>>>>
>>> At a guess, I'd say you've published, via HTTPD, the web application
>>> directory.
>>>
>>> This is one of the reasons we advise users not publish webapp 
>>> directories
>>> via HTTPD.  Using a separate webapps and document root is advisable.
>>>
>>> E.g.
>>>
>>>   /path/to/site.com/httpdocs
>>>   /path/to/site.com/httpdocs/index.html
>>>   /path/to/site.com/httpdocs/images/
>>>   /path/to/site.com/httpdocs/scripts/
>>>
>>>   /path/to/site.com/webapps
>>>   /path/to/site.com/webapps/ROOT
>>>   /path/to/site.com/webapps/myapp
>>>
>>>
>>> If this isn't the case, you'll have to supply information about your
>>> mod_jk / mod_proxy config so we can see what you're doing.
>>>
>>>
>>> p


Re: Preventing httpd from accessing WEB-INF contents

Posted by Pid <pi...@pidster.com>.
On 25/11/2009 16:47, Nikolay Diulgerov wrote:
> Try
>
> <Location /myapp/WEB-INF>
>
>          AllowOverride None
>
>          deny from all
>
>      </Location>

Probably a better solution would be:

   <LocationMatch /*/WEB-INF/>
     AllowOverride None
     deny from all
   </LocationMatch>

   <LocationMatch /*/META-INF/>
     AllowOverride None
     deny from all
   </LocationMatch>

... but we're really just guessing what config is already in place - 
maybe the mod_jk / mod_proxy config could be adjusted instead.

Correcting a poor/broken config is a much better solution than 
attempting, blindly, to stick bandages on an unknown setup.


p


> -----Original Message-----
> From: Jonathan Mast [mailto:jhmast.developer@gmail.com]
> Sent: Wednesday, November 25, 2009 6:40 PM
> To: Tomcat Users List; pid@pidster.com
> Subject: Re: Preventing httpd from accessing WEB-INF contents
>
> yes I am keeping the all the web-app stuff in place.  I don't have the time
> to re-architect my entire system to your suggested format.
>
> I really need to just prevent httpd from accessing anything with "WEB-INF"
> in the url.
>
> On Wed, Nov 25, 2009 at 11:21 AM, Pid<pi...@pidster.com>  wrote:
>
>> On 25/11/2009 16:13, Jonathan Mast wrote:
>>
>>> Can someone please provide the magical httpd config-cantation that will
>>> block httpd from accessing anything in WEB-INF directories?
>>>
>>> I need something that will be apply globally and can't be overridden by
>>> VirtualHost directives.  I've dug around the httpd config documentation
>>> and
>>> I'm just not understanding it, everything I've tried just hasn't worked.
>>>
>>> thanks
>>>
>>> httpd 2.2
>>> Tomcat 6.0
>>>
>>>
>> At a guess, I'd say you've published, via HTTPD, the web application
>> directory.
>>
>> This is one of the reasons we advise users not publish webapp directories
>> via HTTPD.  Using a separate webapps and document root is advisable.
>>
>> E.g.
>>
>>   /path/to/site.com/httpdocs
>>   /path/to/site.com/httpdocs/index.html
>>   /path/to/site.com/httpdocs/images/
>>   /path/to/site.com/httpdocs/scripts/
>>
>>   /path/to/site.com/webapps
>>   /path/to/site.com/webapps/ROOT
>>   /path/to/site.com/webapps/myapp
>>
>>
>> If this isn't the case, you'll have to supply information about your
>> mod_jk / mod_proxy config so we can see what you're doing.
>>
>>
>> p


Re: Preventing httpd from accessing WEB-INF contents

Posted by Jonathan Mast <jh...@gmail.com>.
Yes, I am keeping all the web-app stuff in place.  I don't have the time
to re-architect my entire system to your suggested format.

I really need to just prevent httpd from accessing anything with "WEB-INF"
in the url.

On Wed, Nov 25, 2009 at 11:21 AM, Pid <pi...@pidster.com> wrote:

> On 25/11/2009 16:13, Jonathan Mast wrote:
>
>> Can someone please provide the magical httpd config-cantation that will
>> block httpd from accessing anything in WEB-INF directories?
>>
>> I need something that will be apply globally and can't be overridden by
>> VirtualHost directives.  I've dug around the httpd config documentation
>> and
>> I'm just not understanding it, everything I've tried just hasn't worked.
>>
>> thanks
>>
>> httpd 2.2
>> Tomcat 6.0
>>
>>
> At a guess, I'd say you've published, via HTTPD, the web application
> directory.
>
> This is one of the reasons we advise users not publish webapp directories
> via HTTPD.  Using a separate webapps and document root is advisable.
>
> E.g.
>
>  /path/to/site.com/httpdocs
>  /path/to/site.com/httpdocs/index.html
>  /path/to/site.com/httpdocs/images/
>  /path/to/site.com/httpdocs/scripts/
>
>  /path/to/site.com/webapps
>  /path/to/site.com/webapps/ROOT
>  /path/to/site.com/webapps/myapp
>
>
> If this isn't the case, you'll have to supply information about your mod_jk
> / mod_proxy config so we can see what you're doing.
>
>
> p

Re: Preventing httpd from accessing WEB-INF contents

Posted by Pid <pi...@pidster.com>.
On 25/11/2009 16:13, Jonathan Mast wrote:
> Can someone please provide the magical httpd config-cantation that will
> block httpd from accessing anything in WEB-INF directories?
>
> I need something that will apply globally and can't be overridden by
> VirtualHost directives.  I've dug around the httpd config documentation and
> I'm just not understanding it, everything I've tried just hasn't worked.
>
> thanks
>
> httpd 2.2
> Tomcat 6.0
>

At a guess, I'd say you've published, via HTTPD, the web application 
directory.

This is one of the reasons we advise users not to publish webapp 
directories via HTTPD.  Using a separate webapps and document root is 
advisable.

E.g.

  /path/to/site.com/httpdocs
  /path/to/site.com/httpdocs/index.html
  /path/to/site.com/httpdocs/images/
  /path/to/site.com/httpdocs/scripts/

  /path/to/site.com/webapps
  /path/to/site.com/webapps/ROOT
  /path/to/site.com/webapps/myapp


If this isn't the case, you'll have to supply information about your 
mod_jk / mod_proxy config so we can see what you're doing.


p
