Posted to users@httpd.apache.org by Simon <ad...@thelight.org.uk> on 2004/07/14 21:27:27 UTC

[users@httpd] server-status / server-info protection

I'm trying to restrict my server-info and server-status pages to
localhost only using the following lines:

<Location /server-info>
      SetHandler server-info
      Order Deny,Allow
      Deny from all
      Allow from 127.0.0.1
</Location>
<Location /server-status>
      SetHandler server-status
      Order Deny,Allow
      Deny from all
      Allow from 127.0.0.1
</Location>

The problem is that for some reason, I can still access these pages from 
outside localhost. Are these lines correct/all that I need?

Re: [users@httpd] server-status / server-info protection

Posted by Joshua Slive <js...@gmail.com>.
On Wed, 14 Jul 2004 12:37:50 -0700, Brian Quinn <br...@az511.com> wrote:
> You need to change your access list.  The way they are read is Top to
> Bottom, the first match it finds it stops.  You are doing a Deny from ALL,
> so it finds that line, then doesn't move on.  You need your allow line first.

No, this is not correct.  The order of processing is controlled by the
Order directive, not by the order in the config file.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] server-status / server-info protection

Posted by Brian Quinn <br...@az511.com>.
You need to change your access list.  The way they are read is Top to
Bottom, the first match it finds it stops.  You are doing a Deny from ALL, 
so it finds that line, then doesn't move on.  You need your allow line first.

Brian



At 12:27 PM 7/14/2004, you wrote:
>I'm trying to restrict my server-info and server-status pages to localhost
>only using the following lines:
>
><Location /server-info>
>      SetHandler server-info
>      Order Deny,Allow
>      Deny from all
>      Allow from 127.0.0.1
></Location>
><Location /server-status>
>      SetHandler server-status
>      Order Deny,Allow
>      Deny from all
>      Allow from 127.0.0.1
></Location>
>
>The problem is that for some reason, I can still access these pages from 
>outside localhost. Are these lines correct/all that I need?
>
>




Re: [users@httpd] server-status / server-info protection

Posted by Simon <ad...@thelight.org.uk>.
Joshua Slive wrote:

> On Wed, 14 Jul 2004 20:27:27 +0100, Simon <ad...@thelight.org.uk> wrote:
> 
>>I'm trying to restrict my server-info and server-status pages to
>>localhost only using the following lines:
>>
>><Location /server-info>
>>      SetHandler server-info
>>      Order Deny,Allow
>>      Deny from all
>>      Allow from 127.0.0.1
>></Location>
>><Location /server-status>
>>      SetHandler server-status
>>      Order Deny,Allow
>>      Deny from all
>>      Allow from 127.0.0.1
>></Location>
>>
>>The problem is that for some reason, I can still access these pages from
>>outside localhost. Are these lines correct/all that I need?
> 
> 
> Yes, they are correct.
> 
> Are you sure you are editing the right config file?
> 
> Have you restarted the server after making changes?
> 
> Are there any other <Location> sections that might be overriding these ones?
> 
> Are client requests really arriving from outside, or do you have a
> proxy on your local computer that is forwarding to apache?  (For
> example, on Mac OSX, all requests look like they come from localhost
> because of a local proxy.)
> 
> Joshua.
> 

Thanks. It was being over-ridden by another <Location> section later in 
the config file. Moving the server-status/server-info <Location> 
elements to underneath the other <Location> section solved the problem.
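
The cause reported in the message above, turned into a check (an added example, not part of the original thread): this Python script lists `<Location>` sections in file order and reports which section's access rules apply last to a given URL. The sample config, the function names and the simplified matching (no Include, wildcard or VirtualHost handling) are assumptions.

```python
import re

# Constructed sample reproducing the thread's situation (not Simon's actual file).
SAMPLE_CONF = """\
<Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>
<Location />
    Order Allow,Deny
    Allow from all
</Location>
"""

ACCESS = re.compile(r'^\s*(Order|Allow|Deny|Satisfy|Require)\b', re.I)
OPEN = re.compile(r'^\s*<Location(Match)?\s+(~\s+)?"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</Location(Match)?>', re.I)

def parse_locations(conf):
    """Return [(lineno, pattern, is_regex, [access directives])] in file order."""
    sections, current = [], None
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = OPEN.match(line)
        if m:
            current = (lineno, m.group(3), bool(m.group(1) or m.group(2)), [])
            sections.append(current)
        elif CLOSE.match(line):
            current = None
        elif current and ACCESS.match(line):
            current[3].append(line.strip())
    return sections

def covers(pattern, is_regex, url):
    """Simplified matching: regex search, or path prefix on a segment boundary."""
    if is_regex:
        return re.search(pattern, url) is not None
    if pattern.endswith("/"):
        return url.startswith(pattern)
    return url == pattern or url.startswith(pattern + "/")

def effective_access(conf, url):
    """Model of the thread's finding: the last matching section that sets
    access rules overrides earlier ones (sections apply in file order)."""
    winner = None
    for lineno, pattern, is_regex, directives in parse_locations(conf):
        if directives and covers(pattern, is_regex, url):
            winner = (lineno, pattern, directives)
    return winner
```

For the sample, `effective_access(SAMPLE_CONF, "/server-status")` names the `<Location />` section at line 7, so the localhost-only rules never take effect; with the two sections swapped, the `/server-status` section is the one that applies.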

Re: [users@httpd] server-status / server-info protection

Posted by Joshua Slive <js...@gmail.com>.
On Wed, 14 Jul 2004 20:27:27 +0100, Simon <ad...@thelight.org.uk> wrote:
> I'm trying to restrict my server-info and server-status pages to
> localhost only using the following lines:
> 
> <Location /server-info>
>       SetHandler server-info
>       Order Deny,Allow
>       Deny from all
>       Allow from 127.0.0.1
> </Location>
> <Location /server-status>
>       SetHandler server-status
>       Order Deny,Allow
>       Deny from all
>       Allow from 127.0.0.1
> </Location>
> 
> The problem is that for some reason, I can still access these pages from
> outside localhost. Are these lines correct/all that I need?

Yes, they are correct.

Are you sure you are editing the right config file?

Have you restarted the server after making changes?

Are there any other <Location> sections that might be overriding these ones?

Are client requests really arriving from outside, or do you have a
proxy on your local computer that is forwarding to apache?  (For
example, on Mac OSX, all requests look like they come from localhost
because of a local proxy.)

Joshua.
