Re: Re: denying access to SSI fragments

On Wednesday 06 April 2011 16:22:46 Eric Covener wrote:
> > Yes, but even with "file" the server will still "serve" those files and they must still be "accessible"
> > to HTTP/S requests -
> 
> It will serve them (outside of SSI) if you configure it to, but I
> don't see it as a requirement as it is with virtual.
> 

Yes, but if my $some_dir is outside of any <Directory ...>, I can't include it - the URL gets prefixed with whatever <Directory> the document the user originally requested was in,
because EVERY page on my site uses relative URLs to access site pages - it so simplifies re-basing - and if it's inside a <Directory ...>, users can request it, and you cannot create
another sub-<Directory> for it and then say 'deny from all' for that sub-directory, because then SSI includes are denied.
So I create a handler:
   AddHandler ssi-fragment ".inc" ".ssi"
and
  <Directory "/var/www/my_site" ...> ...
  </Directory>
  Alias "include/" "/var/www/include/"
  <Directory "/var/www/include" ...>
   SetHandler ssi-fragment
   allow from all
  </Directory>
and my fragments are all named ".inc", and ALL files under /var/www/include have the ".inc" extension,
and "ssi-fragment" is a C shared-library module that determines if the request came from SSI or not;
if it did, it completes the request, and if it did not, it aborts the request with 403 (Forbidden).
I still don't see how else to overcome this problem with Apache's SSI.

All the best,
Jason
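
The subrequest test that the message describes for its "ssi-fragment" module can also be written in configuration with mod_rewrite's IS_SUBREQ variable. This is an added example, not part of the original message or the poster's module; the /include/ URL prefix, the use of include virtual, and mod_rewrite being loaded are assumptions.

```apache
# Added example. Assumptions: mod_rewrite is loaded, fragments live in
# /var/www/include and are mapped at the URL prefix /include/, and pages
# pull them in with <!--#include virtual="/include/name.inc" -->.
# Put these directives in the server or <VirtualHost> context that serves
# the site (rewrite rules are not inherited by virtual hosts by default).

Alias "/include/" "/var/www/include/"

<Directory "/var/www/include">
    # Access control stays open here: a "Deny from all" would also be
    # applied to the subrequest that mod_include issues for include virtual.
    # (Apache 2.2 syntax, as in the message; 2.4 uses "Require all granted".)
    Order allow,deny
    Allow from all
</Directory>

RewriteEngine On
# IS_SUBREQ is "true" while Apache is processing a subrequest, such as an
# SSI include virtual, and "false" for a request sent directly by a client.
# Direct client requests for anything under /include/ get 403 Forbidden;
# the SSI subrequest does not match the condition and is served normally.
RewriteCond %{IS_SUBREQ} false
RewriteRule ^/include/ - [F]
```

A direct client request for a fragment under /include/ should return 403, while a page that includes the same fragment should render it.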

> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
> 
