On Mon, 7 Jul 2008, Rob wrote:
Just wanted to ask you if this looks right before I actually post it live on the production server.

This is what the Directory part of the conf file looks like:

# Security Over PHPmyAdmin
<Directory "/var/www/html/phpmyadmin">
    Options Indexes Includes FollowSymLinks
    AllowOverride None
    AuthName "Login"
    AuthType Basic
    AuthUserFile /var/.htpasswd
    require valid-user
</Directory>

<Directory />
    Options FollowSymLinks
    AllowOverride All
</Directory>

I will change it to this:

# Security Over PHPmyAdmin
<Directory "/var/www/html/phpmyadmin">
    Options Indexes Includes FollowSymLinks
    AllowOverride None
    AuthName "Login"
    AuthType Basic
    AuthUserFile /var/.htpasswd
    require valid-user
</Directory>

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

<Directory "/var/www/mysite">
    AllowOverride None
    Order Deny,Allow
    Allow from 127.0.0.1
</Directory>

Is this all right? Do I have to change anything else? I have other sites on here which I don't want blocked, just that one site in that directory.

My Virtual Hosts look like this if it matters:

#mysite
<VirtualHost 172.16.23.1:80>
    ServerName mysite.co.nz
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/(.*) http://www.mysite.co.nz/$1 [NE,R]
</VirtualHost>

<VirtualHost 172.16.23.1:80>
    ServerAdmin developer@xxxxxxxxxxxx
    DocumentRoot /var/www/html/mysite
    ServerName www.mysite.co.nz
</VirtualHost>

OK, since, to keep the server secure, you default to 'deny all' so when you use other vhosts, you need to implicitly give them an allow.
What I've done to reduce dramatically the size of my vhosts.conf files is:

/var/www = our overall web root, so because I've set " / " as deny all I have set:

<Directory "/var/www">
    AllowOverride None
    Order Deny,Allow
    Allow from all
</Directory>

NOTE: You also need to do the same for the ERROR alias...

<Directory "/usr/local/apache/error">
    Order deny,allow
    Allow from all
    ...other options

So general hosts are unrestricted.... Adding that in httpd.conf will ensure of it...
But vhost restrictions will of course over-ride it, so they will get all sites, but when they hit your

<Directory "/var/www/mysite">
    AllowOverride None
    Order Deny,Allow
    Allow from 127.0.0.1
</Directory>

no-one but localhost will get it... and ... when they hit phpadmin, it will want user/pass in AuthUserFile /var/.htpasswd, but you don't want that? So all you do is add in IPs you want to permit, separated by a single space. I'm not sure on the limit of this; when we ran the old phpbb2 (the one any 10yo knows how to abuse) we had an extensive list of ranges, allowing only APNIC IP ranges to access it. Since our phpmyadmins are accessed by a myriad of people, I use MySQL database with user/pass access, much less hassle <G>

Also, is it possible to choose where the blocked people go? At the moment they load the Fedora test page; I would like to inform them with a message why they aren't seeing the site properly.

Sure is, you can do this in the respective protected directory statements, use...

ErrorDocument 401 /error/reject-site.com.html

(can call it anything you want, but if you add a few I suggest you call it simple linked names so you don't confuse it with Apache's required error files if you're looking in a hurry.)

--
Cheers
Res

--- Usenet policy, and why I might ignore you ---
1/ GoogleGroups are UDP'd on my nntp server. If you use them, don't waste your time or energy replying to me.
2/ If only cleanfeed filtered out trolls as well as spam, usenet would be a nicer place.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
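
Added example (not part of the original messages, and not Apache's own code): a small Python model of how Apache 2.2 evaluates "Order Deny,Allow" for the <Directory> sections discussed in this thread, for checking which section governs a file and whether a given client would be let in. It assumes a section that sets host rules replaces the host rules of shorter sections rather than adding to them, handles only "all", single IPs and CIDR ranges, and uses the constructed client address 203.0.113.5.

```python
import ipaddress

# Constructed model of the <Directory> sections discussed in the thread.
# Each entry: (directory path, Allow specs, Deny specs).
# Every section here uses "Order Deny,Allow".
THREAD_SECTIONS = [
    ("/", [], ["all"]),
    ("/var/www", ["all"], []),
    ("/var/www/mysite", ["127.0.0.1"], []),
]
# Same layout with an explicit "Deny from all" in the restricted section.
EXPLICIT_DENY_SECTIONS = THREAD_SECTIONS[:2] + [
    ("/var/www/mysite", ["127.0.0.1"], ["all"]),
]

def _matches(specs, client):
    """True if client matches any spec ('all', a single IP, or a CIDR)."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)

def governing_section(sections, file_path):
    """Longest <Directory> containing file_path; its host rules replace
    those of shorter sections instead of being combined with them."""
    hits = [s for s in sections
            if s[0] == "/" or file_path == s[0]
            or file_path.startswith(s[0] + "/")]
    return max(hits, key=lambda s: len(s[0]))

def allowed(sections, file_path, client):
    """Evaluate Order Deny,Allow: a Deny match rejects unless an Allow
    also matches; a client matching neither list is allowed."""
    _, allow, deny = governing_section(sections, file_path)
    if _matches(deny, client) and not _matches(allow, client):
        return False
    return True
```

In this model, allowed(THREAD_SECTIONS, "/var/www/mysite/index.html", "203.0.113.5") returns True, while the same call with EXPLICIT_DENY_SECTIONS returns False. The vhost's DocumentRoot in the thread, /var/www/html/mysite, falls under the /var/www section rather than /var/www/mysite.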