Gentoo Archives: gentoo-user

From: thelma@×××××××××××.com
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] apache 2.4 - deny access to directory
Date: Mon, 30 Nov 2020 20:07:13
Message-Id: df10f26d-5b0a-2dd8-78f8-432757c47caf@sys-concept.com
In Reply to: Re: [gentoo-user] apache 2.4 - deny access to directory by Michael
On 11/30/2020 12:43 PM, Michael wrote:
> I don't have time to look into this in much detail, or test it, but see
> comments below.
>
> On Monday, 30 November 2020 18:09:52 GMT thelma@×××××××××××.com wrote:
>> On 11/30/2020 05:34 AM, Michael wrote:
>>> On Sunday, 29 November 2020 18:22:09 GMT thelma@×××××××××××.com wrote:
>>>> Thelma
>>>>
>>>> On 11/29/2020 03:22 AM, Michael wrote:
>>>>> On Sunday, 29 November 2020 07:30:16 GMT thelma@×××××××××××.com wrote:
>>>>>> I'm trying to deny access to all except a specific IP address in a
>>>>>> directory, just testing it.
>>>>>>
>>>>>> In modules.d/00_default_settings.conf
>>>>>>
>>>>>> <Directory "/var/www/localhost/htdocs">
>>>>>>
>>>>>> Options MultiViews
>>>>>> AllowOverride All
>>>>>> Require all granted
>>>>>>
>>>>>> </Directory>
>>>>>>
>>>>>> in admin/.htaccess
>>>>>>
>>>>>> <RequireAll>
>>>>>>
>>>>>> Require all denied
>>>>>> Require ip 10.0.0.100
>>>>>>
>>>>>> </RequireAll>
>>>>>>
>>>>>> My IP is 10.0.0.112 and I can still access the server /admin directory
>>>>>>
>>>>>> What am I missing?
>>>>>
>>>>> In apache 2.4 the access control syntax has changed. The RequireAll
>>>>> directive means *all* authorisation directives within it must succeed.
>>>>>
>>>>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
>>>>>
>>>>> What happens if you just remove the first line, "Require all denied"?
>>>>
>>>> As you suggested I have:
>>>> in admin/.htaccess
>>>>
>>>> <RequireAll>
>>>>
>>>> Require ip 10.0.0.100
>>>>
>>>> </RequireAll>
>>>>
>>>> My IP is: 10.0.0.112 and it still allows me to access it. I know apache
>>>> 2.4 is reading the file as the below directive works.
>>>
>>> I've tested different RequireAll directives in a .htaccess file and with
>>> otherwise default apache settings I can confirm:
>>>
>>> This is correct:
>>> =========================
>>> <RequireAll>
>>>
>>> Require ip 10.0.0.100
>>>
>>> </RequireAll>
>>> =========================
>>> will only allow visitors from 10.0.0.100 to access the directory content.
>>>
>>> This is also correct:
>>> =========================
>>> <RequireAll>
>>>
>>> Require all granted
>>> Require ip 10.0.0.100
>>>
>>> </RequireAll>
>>> =========================
>>> will only allow visitors from 10.0.0.100 to access the directory content.
>>>
>>> Finally, this won't work:
>>> =========================
>>> <RequireAll>
>>>
>>> Require all denied
>>> Require ip 10.0.0.100
>>>
>>> </RequireAll>
>>> =========================
>>> because it returns 403 for all clients irrespective of IP address, since
>>> both subdirectives must be correct for the RequireAll to be true.
>>>
>>> I notice you have 'Options MultiViews' in your modules.d/
>>> 00_default_settings.conf, which will parse paths to find and serve any
>>> file requested by the client even if the URL is not complete. It might be
>>> this conflicts with your .htaccess within the admin/ subdirectory, but I'm
>>> not sure. Something in the apache logs may shed light on this.
>>>
>>>> AuthName "restricted stuff"
>>>> AuthType Basic
>>>> AuthUserFile "/etc/apache2/users"
>>>> require user webmaster
>>>>
>>>> I've tried adding
>>>> RewriteEngine on
>>>>
>>>> With it, I can not login at all (access denied) regardless of IP.
>>>
>>> With apache 2.4 a new <If> directive was added to perform conditional
>>> checks and replace/augment many of the mod_rewrite functionalities. I
>>> don't know how you have structured your RewriteCond and RewriteRule, but
>>> obviously they don't work as intended if they totally block access.
>>>
>>> You could check for conflicting rules between your apache config and any
>>> .htaccess directives, or any loose and contradictory .htaccess files in
>>> higher subdirectories.
>>
>> Here is the complete file: modules.d/00_default_settings.conf
>> I've removed 'Options MultiViews' but it didn't help.
>>
>> Timeout 300
>> KeepAlive On
>> MaxKeepAliveRequests 100
>> KeepAliveTimeout 15
>> UseCanonicalName Off
>> AccessFileName .htaccess
>> ServerTokens Prod
>> TraceEnable off
>> ServerSignature Off
>> HostnameLookups Off
>> EnableMMAP On
>> EnableSendfile Off
>> FileETag MTime Size
>> ContentDigest Off
>> ErrorLog /var/log/apache2/error_log
>> LogLevel warn
>>
>> <Directory />
>> Options FollowSymLinks
>> AllowOverride None
>> Require all denied
>> </Directory>
>>
>> <Directory "/var/www/localhost/htdocs">
>> AllowOverride All
>> Require all granted
>> </Directory>
>>
>> <IfModule dir_module>
>> DirectoryIndex index.html index.html.var
>> </IfModule>
>>
>> <FilesMatch "^\.ht">
>> Require all denied
>> </FilesMatch>
>>
>> The server root .htaccess is empty
>> In server root/admin/.htaccess
>>
>> <RequireAll>
>> Require ip 10.0.0.100
>> </RequireAll>
>
> Hmm ... as I understand it the <RequireAll> directive is evaluated to make an
> authorisation decision, before the authentication directive below. If the
> authorisation fails, because you're not connecting from ip 10.0.0.100, then I
> would assume apache should return 403 and stop processing further directives.
> However, from what you say it does not do this. :-/
>
> I wonder if you add 'AuthMerging And' above your authentication directives
> below, it would work as expected - i.e. both 'ip 10.0.0.100' and 'user
> webmaster' should succeed before access to /admin is allowed.
>
>> AuthName "restricted stuff"
>> AuthType Basic
>> AuthUserFile "/etc/apache2/users"
>> require user webmaster
>>
>> My IP is 10.0.0.109 so I should be denied access to admin/index.php but
>> I'm able to view it/access it.
>> It seems to me it is reading the .htaccess file as "AuthType Basic" works, it
>> is asking me for a password, but "Require ip" doesn't work. Because my
>> IP is 10.0.0.109 apache should deny me access with "access denied".
>
>
> Something else to try instead of <RequireAll>, in case it makes a difference.
> Does it work as intended if you replace <RequireAll> with a filesystem
> container:
>
> <Directory "/var/www/localhost/htdocs/*/admin">
> Require ip 10.0.0.100
> </Directory>
>
> Or, if this is a set of pages dynamically generated by php, rather than a
> static file within the admin directory, use a webspace container:
>
> <Location "*/admin">
> Require ip blah
> </Location>

Thanks for looking into it and for your input.
I must be missing something, because if I use in the .htaccess file the directive:
<Directory "/var/www/localhost/htdocs/*/admin"> or
<Location "*/admin">

In both cases I get an error from Apache:

[client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess: <Directory not allowed here
[client 10.0.0.109 /var/www/localhost/htdocs/catalog/admin/.htaccess: <Location not allowed here
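As an added example (not from the thread or from Apache itself), the following Python models the three-valued evaluation that mod_authz_core documents for RequireAll and RequireAny, plus one documented rule the thread never mentions: Require directives that sit side by side in one section without an enclosing container are treated as an implicit RequireAny. The directive trees and IP addresses are the thread's; the `Request` helper, the `require` builder and the 200/403 mapping are assumptions of this model, and the distinct "denied, no user yet" result Apache uses to drive the 401 challenge is collapsed into a plain denial.

```python
"""Toy model of Apache 2.4 authorization evaluation (added example, not httpd code)."""
from dataclasses import dataclass
from typing import Callable, Optional

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


@dataclass
class Request:                      # assumed helper: what the providers look at
    ip: str
    user: Optional[str] = None      # None: no authenticated user yet


def require(kind: str, *args: str) -> Callable[[Request], str]:
    """Leaf providers, modelled after 'Require all', 'Require ip', 'Require user'."""
    if kind == "all":
        return lambda r: GRANTED if args[0] == "granted" else DENIED
    if kind == "ip":
        return lambda r: GRANTED if r.ip in args else DENIED
    if kind == "user":               # real Apache: no user -> denied-no-user (401)
        return lambda r: GRANTED if r.user in args else DENIED
    raise ValueError(f"unsupported provider: {kind}")


def require_all(*children):
    """Fails if any child fails; succeeds if none fail and at least one succeeds."""
    def check(r: Request) -> str:
        results = [c(r) for c in children]
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    return check


def require_any(*children):
    """Succeeds if any child succeeds; fails if none succeed and at least one fails."""
    def check(r: Request) -> str:
        results = [c(r) for c in children]
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    return check


def status(section, r: Request) -> int:
    """Sibling Require directives in one section are implicitly wrapped in RequireAny."""
    return 200 if require_any(*section)(r) == GRANTED else 403


# Michael's three tests, then the thread's admin/.htaccess: the container and the bare
# 'require user webmaster' are siblings, so either one granting is enough.
ONLY_IP = [require_all(require("ip", "10.0.0.100"))]
GRANT_IP = [require_all(require("all", "granted"), require("ip", "10.0.0.100"))]
DENY_IP = [require_all(require("all", "denied"), require("ip", "10.0.0.100"))]
THREAD_HTACCESS = [require_all(require("ip", "10.0.0.100")), require("user", "webmaster")]
BOTH_IN_ONE_CONTAINER = [require_all(require("ip", "10.0.0.100"), require("user", "webmaster"))]
```

Running `status(THREAD_HTACCESS, Request("10.0.0.109", "webmaster"))` gives 200, which is the behaviour the thread observes, while the same request against `BOTH_IN_ONE_CONTAINER` gives 403.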
