Hi.
On the face of it, I do not understand it either.
I have re-read the doc, and I believe your Order, Allow and Deny
directives are correct for what you want to do.
The first thing maybe to check is if you don't by any chance have some
<Location> sections that override your <Directory> section.
Also, I encountered lately a couple of cases where AAA-control
directives seemed to be "inherited" from a wider context to a more
narrow one, unless specifically overriden in the narrower context.
For example, if you have something like
<Directory /var/www/dir>
AAA-control directive type 1
</Directory>
<Directory /var/www/dir1/subdir>
(no AAA-control directive type 1)
AAA-control directive type 2
</Directory>
then the subdirectory subdir seems to inherit the AAA-control directive
type 1 from the parent, despite having another AAA-control directive of
its own. I cannot remember specifics, but I'm quite sure that I've seen
cases like that.
Now, in your Directory, you specify "AllowOverride All".
That seems to allow *any* kind of directive to be used in the .htaccess
file of your /protected location, including access-control directives.
Might it be that the absence of access-control directives in the
htaccess file overrides the earlier Directory-level specs ?
Or am I telling utter nonsense ?
Gurus, please ?
I propose a couple of experiments :
- what if you add Order, Allow and Deny directives in your htaccess file ?
- alternatively, leave the htaccess file as it is, but in your Directory
section, change the "AllowOverride All" into "AllowOverride FileInfo"
Steffen Neumann wrote:
Hi,
Just for the record, I worked around the problem
using a rewrite to a 404 page for the clients not allowed.
I'm still curious about the actual problem.
Anyone ? Do I need to provide some more details ?
Yours,
Steffen
On Tue, 2008-09-23 at 13:48 +0200, Steffen Neumann wrote:
Hi,
Securing a directory with Allow/Deny is supposedly
something very simple, yet I have tried for quote a while now,
and seek help on the list. This is the setup:
I have an apache 2.2.8 on ubuntu 8.04.1 64bit,
which is serving (and reverse proxying)
a number of pages/applications.
One of them is http://www/protected/, which is supposed
to be accessible only from our site and a small number
of collaborators. The <Directory> directives are below.
Despite Deny from all / Allow 192.168 it will still deliver content
happily to outsiders, as the log shows:
141.x.x.x - - [23/Sep/2008:13:28:34 +0200] "GET /protected/index.html HTTP/1.0" 200 7675
"-" "Wget/1.11"
I thought from http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
that the Allow/Deny can only be overridden in .htaccess,
and I can't find any reference what other directives in the
other configuration files could interfere with these.
The /usr/lib/apache2/modules/mod_authz_host.so
is loaded on startup.
Any ideas ?
Thanks in advance,
Steffen
<Directory "/path/to/protected">
Order deny,allow
Allow from 192.168
Deny from all
AllowOverride All
Options -Indexes
</Directory>
JkMount /protected/jsp/* tomcat_worker
ScriptAlias /protected/cgi-bin/ /path/to/protected/cgi-bin/"
<Directory "/path/to/protected/cgi-bin">
Order deny,allow
Allow from 192.168
Deny from all
AddHandler cgi-script .cgi
Options +ExecCGI
</Directory>
In addition I have a file protected/.htaccess which does the rewriting
for the pages which moved to tomcat, handled by the JkMount (see below)
cat .htaccess
RewriteEngine on
RewriteRule ^Search.html$ jsp/Search.jsp
Although I can't see how this would interfere with allow/deny,
since the index.html is not covered by the rewriting.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
