Posted to users@httpd.apache.org by Phil Smith <ph...@gmail.com> on 2013/03/04 22:34:18 UTC

[users@httpd] Limit/LimitExcept - access controls

This discussion is related to the bolded recommendation at:
http://httpd.apache.org/docs/2.2/mod/core.html#limit
stating that:
"In the general case, access control directives should not be placed
within a <Limit> section." and further that... "A <LimitExcept>
section should always be used in preference to a <Limit> section when
restricting access..."

Admittedly, the recommendation does say "In general"; however, for certain
types of access control, it seems to me that the use of both Limit
and LimitExcept provides the perfect, and perhaps the most appropriate,
means of access control.

I can see in some cases a LimitExcept on its own can provide
appropriate access control, but not in all and perhaps not even in
most.

For a simple example, I have in an .htaccess file:
<Limit GET POST>
order deny,allow
deny from all
allow from 10.10.10.0/24
</Limit>

<LimitExcept GET POST>
order deny,allow
deny from all
</LimitExcept>

So, for the resources affected by that .htaccess, I only want my users
on 10.10.10.0/24 to have access to those resources, and I only want
those users to make GET and POST requests.
In fact, I have seen this same type of access control configuration
suggested in several places when searching on the subject, although
none of them as authoritative as the Apache documentation.

So a user on 10.10.10.0/24 can make a GET or POST request only and all
other IP addresses can do nothing.

I would suggest that the recommendation in the Apache Limit docs state:
"In the general case, access control directives should not be placed
within a <Limit> section without an accompanying LimitExcept directive
protecting the remaining methods."

Am I not seeing something that would suggest that this is not an
appropriate and very tight means of access control?

Thank you.

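Added illustration, not part of Phil's post and not httpd code: a small Python model of how mod_authz_host in httpd 2.2 applies Order/Deny/Allow inside <Limit> and <LimitExcept>, run against the .htaccess above, against a <Limit>-only variant, and against the docs-preferred shape with the host rules at the top level. It encodes the documented rules (HEAD is checked as GET, method names are case-sensitive, directives inside a section apply only to that section's methods, Order defaults to deny,allow) plus my reading of the 2.2 mod_authz_host merge behaviour, where Order is recorded per method and Allow/Deny entries from an enclosing scope still count for methods covered by an inner section. The probe IPs, the method list and the two docs-style configs are my own constructions, and TRACE is left out because the docs say <Limit> cannot control it. Confirm the model against a real server with curl before relying on it.

```python
"""Toy model of httpd 2.2 host-based access control (mod_authz_host)
inside <Limit> / <LimitExcept> sections.  Illustration only; not httpd code."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Directive:
    name: str                     # "Order", "Deny" or "Allow"
    arg: str                      # e.g. "deny,allow", "all", "10.10.10.0/24"
    methods: frozenset = frozenset()
    limit_except: bool = True     # True: applies to methods NOT in `methods`
                                  # (default empty set => every method, i.e. top level)

    def applies(self, method: str) -> bool:
        listed = method in self.methods          # case-sensitive, as in httpd
        return not listed if self.limit_except else listed


def Limit(methods, *directives):
    """Scope the directives as if written inside <Limit methods>."""
    return [Directive(d.name, d.arg, frozenset(methods), False) for d in directives]


def LimitExcept(methods, *directives):
    """Scope the directives as if written inside <LimitExcept methods>."""
    return [Directive(d.name, d.arg, frozenset(methods), True) for d in directives]


def host_matches(entries, client_ip: str) -> bool:
    """'Allow/Deny from' list: 'all' or an address/CIDR."""
    ip = ipaddress.ip_address(client_ip)
    return any(e == "all" or ip in ipaddress.ip_network(e, strict=False) for e in entries)


def decide(config, method: str, client_ip: str) -> bool:
    """True if mod_authz_host would let this method/IP pair through the host check."""
    method = "GET" if method == "HEAD" else method   # HEAD shares GET's method number
    order, denies, allows = "deny,allow", [], []      # httpd default Order
    for d in config:                                  # directives in file order
        if not d.applies(method):
            continue
        if d.name == "Order":
            order = d.arg.lower()
        elif d.name == "Deny":
            denies.append(d.arg)
        elif d.name == "Allow":
            allows.append(d.arg)
    denied = host_matches(denies, client_ip)
    allowed = host_matches(allows, client_ip)
    if order == "deny,allow":            # deny first, a later Allow match re-admits
        return allowed or not denied
    return allowed and not denied         # allow,deny and mutual-failure


D = Directive

# 1. <Limit GET POST> alone: the host rules only ever see GET/HEAD/POST.
LIMIT_ONLY = Limit(["GET", "POST"],
                   D("Order", "deny,allow"), D("Deny", "all"), D("Allow", "10.10.10.0/24"))

# 2. The .htaccess from the post: <LimitExcept GET POST> closes every other method.
LIMIT_PLUS_EXCEPT = LIMIT_ONLY + LimitExcept(["GET", "POST"],
                                             D("Order", "deny,allow"), D("Deny", "all"))

# 3. Docs-style rewrite (my construction): host rules at top level, LimitExcept for the rest.
#    Pitfall: the top-level Allow still applies to PUT etc., and under deny,allow it wins.
DOCS_STYLE_LOOSE = [D("Order", "deny,allow"), D("Deny", "all"), D("Allow", "10.10.10.0/24")] \
    + LimitExcept(["GET", "POST"], D("Order", "deny,allow"), D("Deny", "all"))

# 4. Same shape with Order allow,deny inside the LimitExcept, so Deny from all is final there.
DOCS_STYLE_TIGHT = [D("Order", "deny,allow"), D("Deny", "all"), D("Allow", "10.10.10.0/24")] \
    + LimitExcept(["GET", "POST"], D("Order", "allow,deny"), D("Deny", "all"))

# Constructed probes: a client inside the trusted net and one outside it.
PROBE_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "get", "FOO"]
PROBE_IPS = ["10.10.10.5", "192.0.2.1"]


def matrix(config):
    """Decision for every probe (method, ip) pair."""
    return {(m, ip): decide(config, m, ip) for m in PROBE_METHODS for ip in PROBE_IPS}


def leaks(config):
    """Probes admitted although they are not GET/HEAD/POST from 10.10.10.0/24."""
    return sorted(k for k, ok in matrix(config).items()
                  if ok and not (k[0] in ("GET", "HEAD", "POST") and k[1] == "10.10.10.5"))


if __name__ == "__main__":
    for name, cfg in [("Limit only", LIMIT_ONLY),
                      ("Limit + LimitExcept (the post)", LIMIT_PLUS_EXCEPT),
                      ("top level + LimitExcept deny,allow", DOCS_STYLE_LOOSE),
                      ("top level + LimitExcept allow,deny", DOCS_STYLE_TIGHT)]:
        print(f"{name}: leaks {leaks(cfg)}")
```

Running it shows three things. With <Limit GET POST> alone, PUT, DELETE, OPTIONS, a lowercase "get" and an unknown "FOO" from any address pass the host check untouched (whether the handler then serves anything for them is a separate question). The pair from the post admits only GET/HEAD/POST from 10.10.10.0/24 and nothing else. The docs-preferred shape works too, but only with Order allow,deny inside the <LimitExcept>: with deny,allow the top-level Allow from 10.10.10.0/24 still matches for PUT and overrides the inner Deny from all, so trusted-network clients keep every method.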