Re: [users@httpd] Directory/Virtualhost & ACLs.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 24 Jul 2006, Joshua Slive wrote:


On 7/24/06, Chris Johnson <johnson@xxxxxxxxxxxxxxxxxxx> wrote:

      Hey all,

      Have a messy config question here.

      Directory and Virtualhost seem to fire up what amounts to their
own ACLs, i.e. order, allow and deny.  We just got hit last week by an
autamate that probed the server, found some  forms and then submited a
bunch of them.  Obviously we would very much like to block this
sillyness whenever possible.

      I can set up an order/allow/deny set easily enough.  The problem
comes when you're running a few Directory blocks as well as
virtualhosts.  It gets really messy chasing down every ACL to update
them.

      The first obvious solution is a common include file included in
each directory or virtualhost block where needed.  That way everything
is in one file and it's easy to main the ACL.

      But this sort of thing must be pretty common these days.

      So, first question.  Do Directory and Virtualhost blocks have
their own ACLs?  Seem to from where I'm sitting.


They do, but they will inherit from the parent context when nothing is
specified.
See:
http://httpd.apache.org/docs/2.2/sections.html#mergin



      Second.  Is there any other/better way to deal with this
annoyance?  What do ohers do?


Use Order/Allow/Deny directives only where you need to change the
permissions applied to a parent context.  Otherwise, leave them out.
Excuse me, I shave asked the following. Should this be true for Apache 1.3 as well? Because I'm not seeing it. 

--------------------------------------------------------------------------------
Chris Johnson               |Internet: johnson@xxxxxxxxxxxxxxxxxxx
Systems Administrator       |Web:      http://www.nmr.mgh.harvard.edu/~johnson
NMR Center                  |Voice:    617.726.0949
Mass. General Hospital      |FAX:      617.726.7422
149 (2301) 13th Street |God must love stupid people. She keeps making Charlestown, MA., 02129 USA |them in such horrifyingly large numbers. Me 
--------------------------------------------------------------------------------

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux