Posted to apache-bugdb@apache.org by Nathan Haley <nh...@ie-e.com> on 1997/08/28 19:50:01 UTC

config/1069: Directory deny does not deny by ip

>Number:         1069
>Category:       config
>Synopsis:       Directory deny does not deny by ip
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Aug 28 10:50:01 1997
>Originator:     nhaley@ie-e.com
>Organization:
apache
>Release:        1.2.4 and 1.2.0
>Environment:
Running RedHat Linux 4.1, all current RedHat patches in place.
Using current GCC from RedHat 4.1 release. 
>Description:
We are running with the proxy and several options enabled. The Server is 
multi-homed and serves 5 ip addresses with 3 virtual hosts.

We also have modifications to the proxy routines in place, but they should not
affect this (proxy_connect.c, proxy_ftp.c, proxy_http.c) as they validate a
host against an external list. Admittedly, I have not tried without these mods.

The Directory deny command does not seem effective. We wish to limit access to
some internal reference pages by IP, while allowing the rest to be open.
I have configured with deny from all, then allows by specific IPs. It does
not limit access at all to the host directories.
I have tried simply deny all and no allows and access is still open.

Appropriate portions of the access.conf:

<Directory /home/httpd/html/local>
Options Includes ExecCGI
AllowOverride None
order deny,allow
deny from all
allow from 209.69.34.130
allow from 209.69.34.136   
allow from 209.69.34.130
allow from 209.69.34.136
allow from 209.69.34.135
allow from 209.69.34.140
allow from 209.69.34.141
</Directory>

<Directory /home/httpd/html>
Options Includes ExecCGI
AllowOverride None
order deny,allow
deny from all
allow from 209.69.34.130
allow from 209.69.34.136
allow from 209.69.34.135
allow from 209.69.34.140
allow from 209.69.34.141
</Directory>  

Have also tried the following with no success:

<Directory /home/httpd/html>
Options Includes ExecCGI
AllowOverride None
order deny,allow
deny from all
</Directory>  


Note on our modifications to mod_proxy:
Just to explain why I don't believe this is at fault...

I added a small piece of code immediately following the test for sites blocked.
I will be submitting a suggestion for this in a moment.
This code block opens a proxy request file and compares entries to determine 
if a site is listed. This allows us to build a large table of sites and
deny and approve without restarting the server. It also allows a deny/allow 
version of restriction for the proxy.
If a line not matching the host as compared in the standard checking is not
found in the text file, it calls proxyerror, else it continues normally.
>How-To-Repeat:
URL sample for the above config is http://main.ie-e.com/local/

>Fix:
Sorry, no suggestions
>Audit-Trail:
>Unformatted:
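
What the posted access.conf should do under mod_access's "order deny,allow" evaluation, as an added Python model that is not part of the original report and is not Apache code. The names parse and allowed are hypothetical, 192.0.2.10 is a constructed outside client, only "all" and full IP addresses are modelled, and the most specific matching <Directory> section is assumed to replace the shorter one.

```python
import re

# The report's two <Directory> blocks; each allow list condensed to one line.
ALLOWS = "209.69.34.130 209.69.34.136 209.69.34.135 209.69.34.140 209.69.34.141"
ACCESS_CONF = f"""
<Directory /home/httpd/html/local>
order deny,allow
deny from all
allow from {ALLOWS}
</Directory>
<Directory /home/httpd/html>
order deny,allow
deny from all
allow from {ALLOWS}
</Directory>
"""

def parse(conf):
    """Map each <Directory> path to its order and allow/deny host lists."""
    sections, cur = {}, None
    for line in conf.splitlines():
        words = line.split()
        m = re.match(r"<Directory\s+(\S+)>$", line.strip(), re.I)
        if m:
            cur = sections[m.group(1).rstrip("/")] = {
                "order": "deny,allow", "allow": [], "deny": []}
        elif line.strip().lower() == "</directory>":
            cur = None
        elif cur is not None and len(words) >= 2:
            key = words[0].lower()
            if key == "order":
                cur["order"] = words[1].lower()
            elif key in ("allow", "deny") and words[1].lower() == "from":
                cur[key] += words[2:]
    return sections

def allowed(sections, path, ip):
    """True if client ip is admitted for path ("all" and full IPs only)."""
    hits = [d for d in sections if path == d or path.startswith(d + "/")]
    if not hits:
        return True                      # no access section applies
    s = sections[max(hits, key=len)]     # most specific section overrides
    deny = any(h.lower() == "all" or h == ip for h in s["deny"])
    allow = any(h.lower() == "all" or h == ip for h in s["allow"])
    if s["order"] == "deny,allow":       # default allow; allow beats deny
        return allow or not deny
    if s["order"] == "allow,deny":       # default deny; deny beats allow
        return allow and not deny
    raise ValueError("unsupported order: " + s["order"])
```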