Gentoo Archives: gentoo-user

From: Michael <confabulate@××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] apache 2.4 - deny access to directory
Date: Mon, 30 Nov 2020 19:43:45
Message-Id: 3342730.iIbC2pHGDl@lenovo.localdomain
In Reply to: [gentoo-user] apache 2.4 - deny access to directory by thelma@sys-concept.com
I don't have time to look into this in much detail, or test it, but see
comments below.

On Monday, 30 November 2020 18:09:52 GMT thelma@×××××××××××.com wrote:
> On 11/30/2020 05:34 AM, Michael wrote:
> > On Sunday, 29 November 2020 18:22:09 GMT thelma@×××××××××××.com wrote:
> >> Thelma
> >>
> >> On 11/29/2020 03:22 AM, Michael wrote:
> >>> On Sunday, 29 November 2020 07:30:16 GMT thelma@×××××××××××.com wrote:
> >>>> I'm trying to deny access to all except a specific IP address in a
> >>>> directory, just testing it.
> >>>>
> >>>> In modules.d/00_default_settings.conf
> >>>>
> >>>> <Directory "/var/www/localhost/htdocs">
> >>>>
> >>>> Options MultiViews
> >>>> AllowOverride All
> >>>> Require all granted
> >>>>
> >>>> </Directory>
> >>>>
> >>>> in admin/.htaccess
> >>>>
> >>>> <RequireAll>
> >>>>
> >>>> Require all denied
> >>>> Require ip 10.0.0.100
> >>>>
> >>>> </RequireAll>
> >>>>
> >>>> My IP is 10.0.0.112 and I can still access the server /admin directory
> >>>>
> >>>> What am I missing?
> >>>
> >>> In apache 2.4 the access control syntax has changed. The RequireAll
> >>> directive means *all* authorisation directives within it must succeed.
> >>>
> >>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
> >>>
> >>> What happens if you just remove the first line, "Require all denied"?
> >>
> >> As you suggested I have:
> >> in admin/.htaccess
> >>
> >> <RequireAll>
> >>
> >> Require ip 10.0.0.100
> >>
> >> </RequireAll>
> >>
> >> My IP is: 10.0.0.112 and it still allows me to access it. I know apache
> >> 2.4 is reading the file as the below directive works.
> >
> > I've tested different RequireAll directives in a .htaccess file and with
> > otherwise default apache settings I can confirm:
> >
> > This is correct:
> > =========================
> > <RequireAll>
> >
> > Require ip 10.0.0.100
> >
> > </RequireAll>
> > =========================
> > will only allow visitors from 10.0.0.100 to access the directory content.
> >
> > This is also correct:
> > =========================
> > <RequireAll>
> >
> > Require all granted
> > Require ip 10.0.0.100
> >
> > </RequireAll>
> > =========================
> > will only allow visitors from 10.0.0.100 to access the directory content.
> >
> > Finally, this won't work:
> > =========================
> > <RequireAll>
> >
> > Require all denied
> > Require ip 10.0.0.100
> >
> > </RequireAll>
> > =========================
> > because it returns 403 for all clients irrespective of IP address, since
> > both subdirectives must be correct for the RequireAll to be true.
> >
> > I notice you have 'Options MultiViews' in your modules.d/
> > 00_default_settings.conf, which will parse paths to find and serve any
> > file requested by the client even if the URL is not complete. It might be
> > this conflicts with your .htaccess within the admin/ subdirectory, but I'm
> > not sure. Something in the apache logs may shed light on this.
> >
> >> AuthName "restricted stuff"
> >> AuthType Basic
> >> AuthUserFile "/etc/apache2/users"
> >> require user webmaster
> >>
> >> I've tried adding
> >> RewriteEngine on
> >>
> >> With it, I cannot log in at all (access denied) regardless of IP.
> >
> > With apache 2.4 a new <If> directive was added to perform conditional
> > checks and replace/augment many of the mod_rewrite functionalities. I
> > don't know how you have structured your RewriteCond and RewriteRule, but
> > obviously they don't work as intended if they totally block access.
> >
> > You could check for conflicting rules between your apache config and any
> > .htaccess directives, or any loose and contradictory .htaccess files in
> > higher directories.
>
> Here is the complete file: modules.d/00_default_settings.conf
> I've removed 'Options MultiViews' but it didn't help.
>
> Timeout 300
> KeepAlive On
> MaxKeepAliveRequests 100
> KeepAliveTimeout 15
> UseCanonicalName Off
> AccessFileName .htaccess
> ServerTokens Prod
> TraceEnable off
> ServerSignature Off
> HostnameLookups Off
> EnableMMAP On
> EnableSendfile Off
> FileETag MTime Size
> ContentDigest Off
> ErrorLog /var/log/apache2/error_log
> LogLevel warn
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> Require all denied
> </Directory>
>
> <Directory "/var/www/localhost/htdocs">
> AllowOverride All
> Require all granted
> </Directory>
>
> <IfModule dir_module>
> DirectoryIndex index.html index.html.var
> </IfModule>
>
> <FilesMatch "^\.ht">
> Require all denied
> </FilesMatch>
>
> The server root .htaccess is empty
> In server root/admin/.htaccess
>
> <RequireAll>
> Require ip 10.0.0.100
> </RequireAll>

Hmm ... as I understand it the <RequireAll> directive is evaluated to make an
authorisation decision, before the authentication directive below. If the
authorisation fails, because you're not connecting from ip 10.0.0.100, then I
would assume apache should return 403 and stop processing further directives.
However, from what you say it does not do this. :-/

I wonder if you add 'AuthMerging And' above your authentication directives
below, it would work as expected - i.e. both 'ip 10.0.0.100' and 'user
webmaster' should succeed before access to /admin is allowed.

> AuthName "restricted stuff"
> AuthType Basic
> AuthUserFile "/etc/apache2/users"
> require user webmaster
>
> My IP is 10.0.0.109 so I should be denied access to admin/index.php but
> I'm able to view it/access it.
> It seems to me it is reading the .htaccess file as "AuthType Basic" works, it
> is asking me for a password, but "Require ip" doesn't work. Because my
> IP is 10.0.0.109 apache should deny me access with "access denied".

Something else to try instead of <RequireAll>, in case it makes a difference.
Does it work as intended if you replace <RequireAll> with a filesystem
container:

<Directory "/var/www/localhost/htdocs/*/admin">
Require ip 10.0.0.100
</Directory>

Or, if this is a set of pages dynamically generated by php, rather than a
static file within the admin directory, use a webspace container:

<Location "*/admin">
Require ip blah
</Location>

> It is strange as the directive: "DirectoryIndex index.html
> index.html.var" does not include "index.php" and I'm able to access this
> file "admin/index.php"
> so the index.php must be defined somewhere else. Most likely via httpd.conf:
>
> httpd.conf:75:LoadModule autoindex_module modules/mod_autoindex.so (but
> this is a binary file, cannot read it).

The index.php is defined by /etc/apache2/modules.d/70_mod_php.conf.
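As an added illustration, not part of this thread and not httpd's own code: a small Python model of the Require decision rules documented for mod_authz_core (the RequireAll/RequireAny combination rules, and the documented behaviour that bare Require lines outside any container are implicitly combined as RequireAny), run against the .htaccess fragments quoted above. It reproduces the three outcomes Michael reports, including the `Require all denied` variant returning 403 for every client, and it also evaluates the admin/.htaccess as thelma posted it, where a `<RequireAll>` block and a bare `require user webmaster` line are siblings in the same file and therefore sit in one implicit RequireAny, so a successful Basic login satisfies authorization from any address. The `AUTH` constant and the `BOTH_REQUIRED` variant are constructed here; the model covers only the `all`, `ip` and `user` providers, does not model AuthMerging or merging with parent sections, and treats an unauthenticated client facing a user-based provider simply as not allowed (httpd would send a 401 challenge).

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"
Directive = Tuple[str, List[str]]  # ("ip", ["10.0.0.100"]), ("all", ["denied"]), ...


@dataclass
class Container:
    kind: str  # "requireall" or "requireany"
    children: List[Union["Container", Directive]] = field(default_factory=list)


def parse_htaccess(text: str) -> Container:
    """Build the Require tree. Bare Require lines outside any container are
    implicitly combined as <RequireAny> (documented mod_authz_core behaviour).
    AuthType/AuthName/AuthUserFile and other non-authz lines are skipped."""
    root = Container("requireany")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        tag = re.fullmatch(r"<(/?)(RequireAll|RequireAny)>", line, re.IGNORECASE)
        if tag:
            kind = tag.group(2).lower()
            if tag.group(1):  # closing tag
                if len(stack) == 1 or stack[-1].kind != kind:
                    raise ValueError(f"unbalanced {line}")
                stack.pop()
            else:
                node = Container(kind)
                stack[-1].children.append(node)
                stack.append(node)
            continue
        words = line.split()
        if words and words[0].lower() == "require":
            stack[-1].children.append((words[1].lower(), words[2:]))
    if len(stack) != 1:
        raise ValueError("unclosed authorization container")
    return root


def check_provider(directive: Directive, client_ip: str, user: Optional[str]) -> str:
    """One Require provider's verdict (mod_authz_host / mod_authz_user rules)."""
    provider, args = directive
    if provider == "all":
        return GRANTED if args[0].lower() == "granted" else DENIED
    if provider == "ip":
        addr = ipaddress.ip_address(client_ip)
        # Full addresses or CIDR only; Apache's partial forms such as "10.0.0" are not modelled.
        if any(addr in ipaddress.ip_network(a, strict=False) for a in args):
            return GRANTED
        return DENIED  # mod_authz_host returns denied, not neutral, on no match
    if provider == "user":
        return GRANTED if user in args else DENIED
    raise ValueError(f"provider not modelled: {provider}")


def evaluate(node, client_ip: str, user: Optional[str] = None) -> str:
    """Combine child results the way the 2.4 containers do."""
    if not isinstance(node, Container):
        return check_provider(node, client_ip, user)
    results = [evaluate(c, client_ip, user) for c in node.children]
    if node.kind == "requireall":  # one denial sinks it; otherwise needs >= 1 grant
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if GRANTED in results:  # requireany: one grant is enough
        return GRANTED
    return DENIED if DENIED in results else NEUTRAL


def needs_authn(node) -> bool:
    """True if a user-based provider appears anywhere in the tree."""
    if isinstance(node, Container):
        return any(needs_authn(c) for c in node.children)
    return node[0] == "user"


def allowed(htaccess: str, client_ip: str, user: Optional[str] = None) -> bool:
    """True if the request passes authorization. httpd challenges an
    unauthenticated client (401) whenever a user provider is configured,
    and anything short of GRANTED ends as 403; both are 'not allowed' here."""
    tree = parse_htaccess(htaccess)
    if user is None and needs_authn(tree):
        return False
    return evaluate(tree, client_ip, user) == GRANTED


# Fragments constructed from the admin/.htaccess variants quoted in the thread.
IP_ONLY = "<RequireAll>\nRequire ip 10.0.0.100\n</RequireAll>\n"
IP_WITH_DENY = "<RequireAll>\nRequire all denied\nRequire ip 10.0.0.100\n</RequireAll>\n"
AUTH = 'AuthName "restricted stuff"\nAuthType Basic\nAuthUserFile "/etc/apache2/users"\n'
AS_POSTED = IP_ONLY + AUTH + "require user webmaster\n"  # container and bare Require are siblings
# Constructed variant: both checks inside one RequireAll, so both must pass.
BOTH_REQUIRED = AUTH + "<RequireAll>\nRequire ip 10.0.0.100\nRequire user webmaster\n</RequireAll>\n"

if __name__ == "__main__":
    for name, frag in [("as posted", AS_POSTED), ("both required", BOTH_REQUIRED)]:
        for ip, user in [("10.0.0.100", "webmaster"), ("10.0.0.109", "webmaster"), ("10.0.0.109", None)]:
            verdict = "200" if allowed(frag, ip, user) else "denied"
            print(f"{name:14} ip={ip} user={user!s:10} -> {verdict}")
```

Running the module prints the verdicts for the two layouts; the difference between `AS_POSTED` and `BOTH_REQUIRED` for 10.0.0.109 with a valid login is the point to take from it, and the error log (`LogLevel debug` on `authz_core`) shows the same tree evaluation on a real server.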

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-user] apache 2.4 - deny access to directory thelma@×××××××××××.com