Re: Deny/Allow directives within <Directory> have no effect [Workaround]

Hi.

On the face of it, I do not understand it either.
I have re-read the doc, and I believe your Order, Allow and Deny directives are correct for what you want to do.

The first thing maybe to check is if you don't by any chance have some <Location> sections that override your <Directory> section.

Also, I encountered lately a couple of cases where AAA-control directives seemed to be "inherited" from a wider context to a more narrow one, unless specifically overridden in the narrower context.
For example, if you have something like

<Directory /var/www/dir>
  AAA-control directive type 1
</Directory>
<Directory /var/www/dir/subdir>
  (no AAA-control directive type 1)
  AAA-control directive type 2
</Directory>

then the subdirectory subdir seems to inherit the AAA-control directive type 1 from the parent, despite having another AAA-control directive of its own. I cannot remember specifics, but I'm quite sure that I've seen cases like that.

Now, in your Directory, you specify "AllowOverride All".
That seems to allow *any* kind of directive to be used in the .htaccess file of your /protected location, including access-control directives. Might it be that the absence of access-control directives in the htaccess file overrides the earlier Directory-level specs ?

Or am I telling utter nonsense ?
Gurus, please ?

I propose a couple of experiments :
- what if you add Order, Allow and Deny directives in your htaccess file ?
- alternatively, leave the htaccess file as it is, but in your Directory section, change the "AllowOverride All" into "AllowOverride FileInfo"
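Before trying those experiments it helps to confirm what the posted directives should decide on their own. The following is an added example (not part of this reply and not Apache's code): a small Python emulation of mod_authz_host's Order/Allow/Deny evaluation, run over a constructed copy of the <Directory "/path/to/protected"> block from Steffen's post; 141.0.0.1 is a constructed stand-in for the masked 141.x.x.x, and hostname-based rules are not modelled.

```python
import ipaddress

def _matches(rule, ip):
    # Argument forms used on this page: "all", a partial dotted prefix such as
    # "192.168", plus CIDR and full addresses. Hostnames (DNS lookups) are not handled.
    if rule == "all":
        return True
    if "/" in rule:
        return ip in ipaddress.ip_network(rule, strict=False)
    octets = rule.split(".")
    if len(octets) < 4 and all(o.isdigit() for o in octets):
        return ip.version == 4 and str(ip).split(".")[: len(octets)] == octets
    return ip == ipaddress.ip_address(rule)

def parse_directory(body):
    """Pull Order / Allow from / Deny from out of one <Directory> body."""
    order, allows, denies = "deny,allow", [], []  # deny,allow is Apache's default Order
    for line in body.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, args = parts[0].lower(), [p.lower() for p in parts[1:]]
        if name == "order":
            order = args[0]
        elif name in ("allow", "deny") and args[0] == "from":
            (allows if name == "allow" else denies).extend(args[1:])
    return order, allows, denies

def client_allowed(order, allows, denies, client):
    """Apache 2.2 mod_authz_host semantics for one client IP given as a string."""
    ip = ipaddress.ip_address(client)
    allowed = any(_matches(r, ip) for r in allows)
    denied = any(_matches(r, ip) for r in denies)
    if order == "deny,allow":      # default allow; a matching Allow beats Deny
        return allowed or not denied
    if order == "allow,deny":      # default deny; a matching Deny beats Allow
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

# Constructed copy of the directives from the <Directory "/path/to/protected"> block.
PROTECTED = """
        Order deny,allow
        Allow from 192.168
        Deny from all
        AllowOverride All
        Options -Indexes
"""

def check(body, client):
    return client_allowed(*parse_directory(body), client)
```

`check(PROTECTED, "141.0.0.1")` is False and `check(PROTECTED, "192.168.1.5")` is True, so the directives as posted should have refused the outsider; swapping to `Order allow,deny` with the same two rules denies everyone, which is the usual way this pair goes wrong.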



Steffen Neumann wrote:
Hi,

Just for the record, I worked around the problem using a rewrite to a 404 page for the clients not allowed.

I'm still curious about the actual problem.
Anyone ? Do I need to provide some more details ?

Yours, Steffen


On Tue, 2008-09-23 at 13:48 +0200, Steffen Neumann wrote:
Hi,

Securing a directory with Allow/Deny is supposedly something very simple, yet I have tried for quite a while now,
and seek help on the list. This is the setup:

I have an apache 2.2.8 on ubuntu 8.04.1 64bit, which is serving (and reverse proxying)
a number of pages/applications.

One of them is http://www/protected/, which is supposed to be accessible only from our site and a small number of collaborators. The <Directory> directives are below. Despite Deny from all / Allow 192.168 it will still deliver content happily to outsiders, as the log shows:

141.x.x.x - - [23/Sep/2008:13:28:34 +0200] "GET /protected/index.html HTTP/1.0" 200 7675 "-" "Wget/1.11"

I thought from http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
that the Allow/Deny can only be overridden in .htaccess, and I can't find any reference what other directives in the other configuration files could interfere with these.

The /usr/lib/apache2/modules/mod_authz_host.so
is loaded on startup.

Any ideas ?

Thanks in advance, Steffen


<Directory "/path/to/protected">
        Order deny,allow
        Allow from 192.168
        Deny from all
        AllowOverride All
        Options -Indexes
</Directory>
JkMount /protected/jsp/* tomcat_worker

ScriptAlias /protected/cgi-bin/ "/path/to/protected/cgi-bin/"
<Directory "/path/to/protected/cgi-bin">
        Order deny,allow
        Allow from 192.168
        Deny from all
        AddHandler cgi-script .cgi
        Options +ExecCGI
</Directory>

In addition I have a file protected/.htaccess which does the rewriting for the pages which moved to tomcat, handled by the JkMount (see below)
cat .htaccess
RewriteEngine on
RewriteRule ^Search.html$ jsp/Search.jsp

Although I can't see how this would interfere with allow/deny,
since the index.html is not covered by the rewriting.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




