Thanks! I had to make a slight adjustment to get it to work fully:

<Location ~ /?WEB-INF/ >
    AllowOverride none
    deny from all
</Location>

Now foo.mysite.com/WEB-INF/* and foo.mysite.com/another_context/WEB-INF/* are blocked.

I did get this message on httpd shutdown and startup: [warn] Useless use of AllowOverride ... Removing it didn't seem to affect the behavior, not sure if I should still keep it in there.

On Wed, Nov 25, 2009 at 1:07 PM, Tim Funk <funk...@apache.org> wrote:
> Equally well
>
> <Location ~ /WEB-INF/ >
>     AllowOverride none
>     deny from all
> </Location>
>
> The docs say AllowOverride is not allowed on regexes so I believe in
> reality - this could be overridden with effort.
>
> -Tim
>
> Pid wrote:
>> On 25/11/2009 16:47, Nikolay Diulgerov wrote:
>>> Try
>>>
>>> <Location /myapp/WEB-INF>
>>>     AllowOverride None
>>>     deny from all
>>> </Location>
>>
>> Probably a better solution would be:
>>
>> <LocationMatch /*/WEB-INF/>
>>     AllowOverride None
>>     deny from all
>> </LocationMatch>
>>
>> <LocationMatch /*/META-INF/>
>>     AllowOverride None
>>     deny from all
>> </LocationMatch>
>>
>> ... but we're really just guessing what config is already in place - maybe
>> the mod_jk / mod_proxy config could be adjusted instead.
>>
>> Correcting a poor/broken config is a much better solution than attempting,
>> blindly, to stick bandages on an unknown setup.
>>
>> p
>>
>>> -----Original Message-----
>>> From: Jonathan Mast [mailto:jhmast.develo...@gmail.com]
>>> Sent: Wednesday, November 25, 2009 6:40 PM
>>> To: Tomcat Users List; p...@pidster.com
>>> Subject: Re: Preventing httpd from accessing WEB-INF contents
>>>
>>> yes I am keeping all the web-app stuff in place. I don't have the time
>>> to re-architect my entire system to your suggested format.
>>>
>>> I really need to just prevent httpd from accessing anything with "WEB-INF"
>>> in the URL.
>>>
>>> On Wed, Nov 25, 2009 at 11:21 AM, Pid <p...@pidster.com> wrote:
>>>
>>>> On 25/11/2009 16:13, Jonathan Mast wrote:
>>>>> Can someone please provide the magical httpd config-cantation that will
>>>>> block httpd from accessing anything in WEB-INF directories?
>>>>>
>>>>> I need something that will apply globally and can't be overridden by
>>>>> VirtualHost directives. I've dug around the httpd config documentation and
>>>>> I'm just not understanding it, everything I've tried just hasn't worked.
>>>>>
>>>>> thanks
>>>>>
>>>>> httpd 2.2
>>>>> Tomcat 6.0
>>>>
>>>> At a guess, I'd say you've published, via HTTPD, the web application
>>>> directory.
>>>>
>>>> This is one of the reasons we advise users not to publish webapp directories
>>>> via HTTPD. Using a separate webapps and document root is advisable.
>>>>
>>>> E.g.
>>>>
>>>> /path/to/site.com/httpdocs
>>>> /path/to/site.com/httpdocs/index.html
>>>> /path/to/site.com/httpdocs/images/
>>>> /path/to/site.com/httpdocs/scripts/
>>>>
>>>> /path/to/site.com/webapps
>>>> /path/to/site.com/webapps/ROOT
>>>> /path/to/site.com/webapps/myapp
>>>>
>>>> If this isn't the case, you'll have to supply information about your mod_jk
>>>> / mod_proxy config so we can see what you're doing.
>>>>
>>>> p
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
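The thread proposes three different regexes for the <Location ~ ...> / <LocationMatch> block (Tim's "/WEB-INF/", Pid's "/*/WEB-INF/" and the final "/?WEB-INF/"), and it is not obvious from reading them which requests each one actually catches. The script below is an added example, not code from the thread or from the Apache project: it emulates httpd's unanchored regex match against a set of constructed probe paths so the three patterns can be compared side by side, and adds a fourth, hardened pattern (my assumption, not something the thread proposes) that also covers META-INF, a bare "/WEB-INF" with no trailing slash, and lower-case variants of the directory name. Python's re module stands in for PCRE here; for these simple patterns the results are the same.

```python
import re

# httpd applies the regex of <Location ~ ...> / <LocationMatch> to the
# request path without anchoring it, so re.search (not re.match) is the
# right emulation. Added example; these are not Apache's own routines.

PATTERNS = {
    # Jonathan's final config: '/?' makes the leading slash optional.
    "thread_final":    r"/?WEB-INF/",
    # Tim's suggestion.
    "thread_tim":      r"/WEB-INF/",
    # Pid's suggestion. NB: '/*' is regex for "zero or more slashes",
    # not a shell glob, so this is effectively the same as "/WEB-INF/".
    "thread_pid":      r"/*/WEB-INF/",
    # Hardened variant (assumption, not from the thread): case-insensitive,
    # covers META-INF as well, and matches the bare directory name with or
    # without a trailing slash.
    "hardened":        r"(?i)/(WEB|META)-INF(/|$)",
}

# Constructed probe requests, not taken from the thread.
PROBES = [
    "/WEB-INF/web.xml",
    "/myapp/WEB-INF/web.xml",
    "/another_context/WEB-INF/classes/Foo.class",
    "/myapp/META-INF/MANIFEST.MF",
    "/myapp/web-inf/web.xml",        # served verbatim by a case-insensitive filesystem
    "/myapp/WEB-INF",                # bare directory, no trailing slash
    "/myapp/images/logo.png",        # legitimate request, must stay allowed
]


def is_blocked(pattern: str, path: str) -> bool:
    """True if a <LocationMatch pattern> section would select this path."""
    return re.search(pattern, path) is not None


def coverage(pattern: str) -> dict:
    """Map every probe path to whether `pattern` would deny it."""
    return {path: is_blocked(pattern, path) for path in PROBES}


def unprotected(pattern: str) -> list:
    """Probe paths that mention WEB-INF/META-INF but slip past `pattern`."""
    return [
        path for path, blocked in coverage(pattern).items()
        if not blocked and "-inf" in path.lower()
    ]


def main() -> None:
    for name, pattern in PATTERNS.items():
        print(f"{name}: {pattern}")
        for path, blocked in coverage(pattern).items():
            print(f"  {'DENY ' if blocked else 'allow'}  {path}")
        print(f"  slips through: {unprotected(pattern) or 'none'}\n")


if __name__ == "__main__":
    main()
```

Running it shows that all three patterns from the thread behave the same on the paths that matter (any depth of context path is covered, because the match is unanchored), and that all three let "/myapp/web-inf/web.xml", "/myapp/WEB-INF" and the META-INF request through; only the hardened pattern denies those. Whether the lower-case variant is reachable depends on the filesystem httpd serves from, so treat the (?i) flag as cheap defence in depth rather than a fix for a specific hole. Two practical notes on the surrounding directives: AllowOverride is only meaningful inside a non-regex <Directory> section, which is exactly why httpd logs "Useless use of AllowOverride" when it appears inside <Location>, so dropping it loses nothing; and on httpd 2.2 the usual idiom inside the block is "Order allow,deny" followed by "Deny from all", while on 2.4 it is "Require all denied".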