Hi,

I have a server running Apache HTTPD 2.2.16, installed as Debian
package (Debian Squeeze).

Some time ago, "Deny from XXX" directives were correctly taken into
account, both in .htaccess files and in system-wide configuration files
(/etc/apache2/*). I noticed recently that it is no longer the case. I
suspect that this breakage occurred when migrating the server from Debian
Lenny to Debian Squeeze, but I'm not sure.

According to "apachectl -t -D DUMP_PACKAGES", the module
authz_user_module is loaded (it says "(shared)").

I tried the following:

<Location /tmp/>
Order deny,allow
Deny from all
#RewriteEngine On
#RewriteRule . - [F]
</Location>

As it is, the location /tmp/ isn't denied. If I uncomment the Rewrite
rule, it is denied (hence, the config file is read, and the location is
properly specified).

This is a production server so I have limited testing possibilities. I
tried reproducing the problem on a test machine, with the same version
and a full copy of /etc/apache2/ (copied with "rsync -av", only modified
to replace the IP address and DNS name of the server), but the test
machine does not exhibit the problem. I did not copy the files in
DocumentRoot.

I saw nothing in the logs. access.log shows normal accesses (i.e. code
200), and error.log does not change while accessing the pages to be
denied. "apachectl graceful" does not display any warning.

Any idea on what's going on? Where to look for the error?

Thank you very much in advance,

--
Matthieu Moy
http://www-verimag.imag.fr/~moy/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


  • Pete Houston at Apr 18, 2012 at 8:25 am

    On Wed, Apr 18, 2012 at 10:07:56AM +0200, Matthieu Moy wrote:
    > I tried the following:
    >
    > <Location /tmp/>
    > Order deny,allow
    > Deny from all
    > #RewriteEngine On
    > #RewriteRule . - [F]
    > </Location>

    If you use

    Order allow,deny

    instead the configuration should deny all requests explicitly. You might
    also add

    AllowOverride None

    just to be really safe.

    HTH,

    Pete
    --
    Openstrike - improving business through open source
    http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
  • Matthieu Moy at Apr 18, 2012 at 9:41 am

    Pete Houston writes:

    > If you use
    >
    > Order allow,deny
    >
    > instead the configuration should deny all requests explicitly.

    I tried both orders to be sure, and neither had any effect.

    > You might also add
    >
    > AllowOverride None

    I'll try that (I forgot to say that I do have a test virtualhost on
    which I have the problem, so while breaking the whole configuration
    isn't an option, I can try changing the configuration of this one).

    --
    Matthieu Moy
    http://www-verimag.imag.fr/~moy/

  • Matthieu Moy at Apr 19, 2012 at 3:53 pm

    Matthieu Moy writes:

    >> You might also add
    >>
    >> AllowOverride None
    >
    > I'll try that

    I did try, and it did not change the problem. Deny directives are still
    ignored.

    --
    Matthieu Moy
    http://www-verimag.imag.fr/~moy/

  • Noel Butler at Apr 20, 2012 at 8:00 am

    On Wed, 2012-04-18 at 10:07 +0200, Matthieu Moy wrote:


    > I tried the following:
    >
    > <Location /tmp/>
    > Order deny,allow
    > Deny from all
    > #RewriteEngine On
    > #RewriteRule . - [F]
    > </Location>

    It should work, but unless there's a special need, you should be using
    directory not location,
    for apache 2.2.22 and less:

    <Directory /tmp>
    Order Deny,Allow
    Deny from all
    </Directory>

    Will work, you do not have a directory statement for /tmp already do
    you? If so, is it before or after this location statement?
  • Matthieu Moy at Apr 20, 2012 at 9:52 am

    Noel Butler writes:

    > On Wed, 2012-04-18 at 10:07 +0200, Matthieu Moy wrote:
    >
    >> I tried the following:
    >>
    >> <Location /tmp/>
    >> Order deny,allow
    >> Deny from all
    >> #RewriteEngine On
    >> #RewriteRule . - [F]
    >> </Location>
    >
    > It should work, but unless there's a special need, you should be using
    > directory not location,

    Right. I used Location because it was simpler, but after RTFM, I
    understand why Directory is used more often.

    > for apache 2.2.22 and less:
    >
    > <Directory /tmp>
    > Order Deny,Allow
    > Deny from all
    > </Directory>
    >
    > Will work, you do not have a directory statement for /tmp already do you? If so, is it before or after this location statement?

    I don't have another Directory statement for this particular directory,
    but I do have others for parent directories. I tried putting my test
    section at the beginning and end of the virtualhost declaration, and at
    the beginning and end of /etc/apache2/apache2.conf, and neither of the 4
    options worked.

    --
    Matthieu Moy
    http://www-verimag.imag.fr/~moy/

  • Noel Butler at Apr 21, 2012 at 2:10 am

    On Fri, 2012-04-20 at 11:50 +0200, Matthieu Moy wrote:

    > Noel Butler <noel.butler@ausics.net> writes:
    >> On Wed, 2012-04-18 at 10:07 +0200, Matthieu Moy wrote:
    >>
    >>> I tried the following:
    >>>
    >>> <Location /tmp/>
    >>> Order deny,allow
    >>> Deny from all
    >>> #RewriteEngine On
    >>> #RewriteRule . - [F]
    >>> </Location>
    >>
    >> It should work, but unless there's a special need, you should be using
    >> directory not location,
    >
    > Right. I used Location because it was simpler, but after RTFM, I
    > understand why Directory is used more often.

    Right, so have you changed it to Directory and does it now work?

    If not, I suggest this is a debian issue and should be taken up with its
    package maintainer, as with an apache.org release, even of such an old
    version that you are using, these directives did work correctly.

    Cheers
  • Matthieu Moy at Apr 23, 2012 at 7:04 am

    Noel Butler writes:

    > Right, so have you changed it to Directory and does it now work?

    I tried <Directory>, and it did not work. Anyway, the "RewriteRule . -
    [F]" did work in the same place, so the <Directory>/<Location> are
    taken into account, it's really about the "Deny from all".

    Thanks anyway,

    --
    Matthieu Moy
    http://www-verimag.imag.fr/~moy/

  • Noel Butler at Apr 24, 2012 at 11:38 am

    On Mon, 2012-04-23 at 09:04 +0200, Matthieu Moy wrote:

    > Noel Butler <noel.butler@ausics.net> writes:
    >> Right, so have you changed it to Directory and does it now work?
    >
    > I tried <Directory>, and it did not work. -

    You definitely have something broken then if Deny does not work in a
    Directory statement

    For 2.2...

    # Default for everything on filesystem, which would include /tmp
    <Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
    </Directory>

    <Directory "/var/www/html">
    Order Deny,Allow
    Allow from all
    </Directory>


    Which of course has all changed with 2.4, but I won't confuse you with
    those :)
  • Matthieu Moy at Apr 26, 2012 at 2:26 pm

    Noel Butler writes:

    > On Mon, 2012-04-23 at 09:04 +0200, Matthieu Moy wrote:
    >
    >> Noel Butler <noel.butler@ausics.net> writes:
    >>> Right, so have you changed it to Directory and does it now work?
    >>
    >> I tried <Directory>, and it did not work. -
    >
    > You definitely have something broken then if Deny does not work in a Directory statement

    I found the guilty line in the configuration, but I still don't
    understand what's going on.

    I had this at the end of /etc/apache2/apache2.conf:

    <Location />
    Deny from <some IP address to blacklist>
    </Location>

    Removing these lines solves the issue: other Deny directives (in
    /etc/apache2 and in .htaccesses) are now taken into account.

    I still have two problems (much less serious) :

    1) I'd like to understand what was going on. From my understanding, the
    line above shouldn't have disabled other "Deny from" directives. Since
    <Location> are taken into account after <Directory>, I'd understand that
    a "Order" directive could be problematic, but not how a <Location> can
    be so.

    2) If possible, I'd like to have a way to blacklist IPs without
    breaking everything else. That's secondary since the server can also use
    iptables rules for blacklisting.

    I tried several variants, like using <Directory> instead of <Location
    />, adding Order allow,deny before the Deny. With <Directory>, it works
    essentially as I'd have expected: <Directory /> is ineffective since it
    is overridden by more precise <Directory /www/.../> directives. It works
    if I apply it to subdirectories of the DocumentRoot, but that's not
    really convenient.

    Thanks,

    --
    Matthieu Moy
    http://www-verimag.imag.fr/~moy/

  • Eric Covener at Apr 26, 2012 at 2:34 pm

    > 1) I'd like to understand what was going on. From my understanding, the
    > line above shouldn't have disabled other "Deny from" directives. Since
    > <Location> are taken into account after <Directory>, I'd understand that
    > a "Order" directive could be problematic, but not how a <Location> can
    > be so.

    The directives from mod_authz_host, like Order/Allow/Deny, are not
    merged from one configuration section to another.

    They're replaced.

    In 2.4, you can ask for them to be merged.

  • Matthieu Moy at Apr 30, 2012 at 2:41 pm

    Eric Covener writes:

    >> 1) I'd like to understand what was going on. From my understanding, the
    >> line above shouldn't have disabled other "Deny from" directives. Since
    >> <Location> are taken into account after <Directory>, I'd understand that
    >> a "Order" directive could be problematic, but not how a <Location> can
    >> be so.
    >
    > The directives from mod_authz_host, like Order/Allow/Deny, are not
    > merged from one configuration section to another.
    >
    > They're replaced.

    Thanks a lot, I guess this explains everything.

    --
    Matthieu Moy
    http://www-verimag.imag.fr/~moy/
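
The replace-not-merge behaviour Eric Covener describes for 2.2, modelled in Python as an added example (not code from the thread or from Apache httpd). The path /var/www/tmp and the address 192.0.2.10 are constructed placeholders, and the model covers only `<Directory>` and `<Location>` sections of a single server (no virtual hosts, .htaccess, `<Files>` or *Match variants).

```python
import ipaddress

def covers(spec, ip):
    """True if a 'from' spec ('all', an address, or a CIDR block) covers ip."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def under(prefix, path):
    """Component-wise prefix match: '/tmp' covers '/tmp/x' but not '/tmpfoo'."""
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")

def winning_section(sections, fs_path, url_path):
    """Return the one section whose Order/Allow/Deny set is in force.

    <Directory> sections apply shortest path first, then <Location> sections
    in configuration order. The access directives are replaced, not merged,
    so the last applicable section that carries any of them wins outright.
    """
    dirs = sorted((s for s in sections
                   if s["kind"] == "Directory" and under(s["path"], fs_path)),
                  key=lambda s: len(s["path"]))
    locs = [s for s in sections
            if s["kind"] == "Location" and under(s["path"], url_path)]
    carrying = [s for s in dirs + locs if {"order", "allow", "deny"} & s.keys()]
    return carrying[-1] if carrying else None

def is_allowed(sections, fs_path, url_path, ip):
    """Evaluate only the winning section, using the 2.2 Order semantics."""
    s = winning_section(sections, fs_path, url_path)
    if s is None:
        return True
    allowed = any(covers(x, ip) for x in s.get("allow", []))
    denied = any(covers(x, ip) for x in s.get("deny", []))
    if s.get("order", "deny,allow").lower() == "deny,allow":   # the default Order
        return allowed or not denied    # default allow; Allow overrides Deny
    return allowed and not denied       # allow,deny: default deny; Deny overrides Allow

# Constructed sample sections (paths and address are placeholders, not from the thread).
TMP_DENY = {"kind": "Directory", "path": "/var/www/tmp",
            "order": "deny,allow", "deny": ["all"]}
BLACKLIST = {"kind": "Location", "path": "/", "deny": ["192.0.2.10"]}

if __name__ == "__main__":
    req = ("/var/www/tmp/f", "/tmp/f")
    print(is_allowed([TMP_DENY], *req, "198.51.100.7"))             # Deny from all in force
    print(is_allowed([TMP_DENY, BLACKLIST], *req, "198.51.100.7"))  # replaced by <Location />
    print(is_allowed([TMP_DENY, BLACKLIST], *req, "192.0.2.10"))    # blacklisted address
```

In this model the blacklist entry keeps working while the `Deny from all` on the directory is silently dropped, which matches what the thread reports once the `<Location />` block is present.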

