Re: Help with mod_authz_host

On Tue, Jul 13, 2010 at 3:27 PM, Joseph M. Morgan
<josephmmorgan@xxxxxxxxxxx> wrote:
> On 7/13/2010 9:03 AM, Tom Evans wrote:
>>
>> On Tue, Jul 13, 2010 at 1:13 PM, Joseph M. Morgan
>> <josephmmorgan@xxxxxxxxxxx>  wrote:
>>
>>>
>>> This is an Apache 2.2 server running within a VM on CentOS.
>>>
>>> Both the authn_basic_module and the authn_host_module are loaded.
>>>
>>> I have the following directive:
>>>
>>> <Directory "/var/www/html">
>>>    Order deny,allow
>>>    Deny from 221.192.0.0/14
>>> </Directory>
>>>
>>> Yet, today I see in my access logs:
>>>
>>> 221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET
>>> http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ......
>>>
>>> Why didn't Apache block this?
>>>
>>>
>>>
>>>
>>
>> Are there other Deny/Allow blocks in your config that may be
>> overriding this one? Does this request end up not being resolved to a
>> on disk file, which would bypass the Directory block?
>>
>> Cheers
>>
>> Tom
>>
>>
>
> I have the <Files ~ "^\.ht"> and the directory "/var/www/cgi-bin" as deny
> from all but it makes no sense those would allow anything, would they?
>
> The directories "var/www/error" and "var/www/icons" are Allow from all
>
>
> Are you hinting that I need to add a <Files> with the deny??
>

<Directory> and <Files> blocks are applied when Apache is planning to
serve a file, which can be bypassed if it isn't strictly a file it is
serving.

For instance, proxying never ends up with Apache looking at a file on
disk, so with this config:

DocumentRoot /var/empty
<Directory /var/empty>
  Order allow,deny
  Deny from all
</Directory>
ProxyPass / http://app/

requests would always be allowed - everything goes through the proxy, not the
file system.

If you change from the <Directory> approach to the <Location>
approach, does it then work correctly? I.e., map out exclusions in URL
space, not filesystem space.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
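
The <Location> approach suggested in the reply above, written out as an added example (not part of the original thread and not the poster's actual configuration). It reuses the 221.192.0.0/14 range and the `ProxyPass / http://app/` line quoted in the thread; the combination of the two in one server is an assumption made for illustration.

```apache
# Added example, not from the thread. Apache 2.2 (mod_authz_host) syntax.
# Address range and backend URL are the ones quoted in the thread.

DocumentRoot /var/www/html

# Filesystem-space rule: consulted only when a request is mapped to a
# path under /var/www/html. Still useful for content served from disk.
<Directory "/var/www/html">
    Order deny,allow
    Deny from 221.192.0.0/14
</Directory>

# URL-space rule: matched against the request path, so it also covers
# requests that never resolve to a file on disk (proxied URLs, handlers).
# <Location> sections are merged after <Directory> and <Files>, so a
# more permissive <Location> elsewhere in the config would override
# the <Directory> deny; check for those as well.
<Location />
    Order deny,allow
    Deny from 221.192.0.0/14
</Location>

# Proxied requests never reach the <Directory> block above; only the
# <Location /> block applies to them.
ProxyPass / http://app/

# Apache 2.4 equivalent of the <Location /> rule (mod_authz_core):
# <Location />
#     <RequireAll>
#         Require all granted
#         Require not ip 221.192.0.0/14
#     </RequireAll>
# </Location>
```

After `apachectl configtest` and a reload, a request from an address inside the range should be logged with status 403 for both file-backed and proxied URLs.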



