[PLUG] Apache Directory Directive

dan at fiddlers-green.info
Thu Apr 15 11:38:01 UTC 2004


Quoting Bill Barry <barryb at proaxis.com>:

> On Thu, Apr 15, 2004 at 01:59:53AM -0700, Jeme A Brelin wrote:
> > 
> > On Wed, 14 Apr 2004, Bill Barry wrote:
> > > That should be
> > > order allow,deny
> > > if you want deny to be the default. See
> > > http://httpd.apache.org/docs-2.0/mod/mod_access.html#order
> > 
> > You're misreading that, Bill.
> > 
> > Allow,Deny with his Deny and Allow directives will result in everyone but
> > that subnet getting access.
> > 
> > Deny is the default if you don't have a Deny directive with that order.
> > That just means "Deny for all" is implied and doesn't need explicit
> > statement.
> > 
> > From the site you cite:
> >   In the following example, all hosts in the apache.org domain are allowed
> >   access; all other hosts are denied access.
> > 
> >     Order Deny,Allow
> >     Deny from all
> >     Allow from apache.org
> > 
> > This is exactly what he wants and it uses the order he's indicated.
> > 
> 
> Yes, I agree, that works. But from my reading this
> 
>    Order Allow,Deny
>    Allow from apache.org
> 
> also works. Am I wrong here?
> 
> Bill Barry
> 
I read it the same way, Bill. The only difference is by default everyone will be
denied access in the example you cited. That's why they don't need the "Deny
from All" directive in the example on Apache's website. In my setup I have "Deny
from All" which would then deny access to everyone, counteracting the default
access which is to allow everyone.

I've tried it both ways:
<Directory /var/webconfig/htdocs/reports/data>
    Options Indexes FollowSymLinks
    Order Allow,Deny
#    deny from all
    Allow From 192.168.2
</Directory>

and,

<Directory /var/webconfig/htdocs/reports/data>
    Options Indexes FollowSymLinks
    Order Deny,Allow
    deny from all
    Allow From 192.168.2
</Directory>

Both return a 403 when attempting to access a page that needs to read from the
reports/data directory. The only time it works is if I use Deny,Allow and
comment out the "Deny from All", which just means access is open to everyone
now. Since it's the system stats and intrusion data reports on the gateway
server, that is probably bad security form.

Since it's not taking either example above, there is something else that is
interfering with the directive. The directive is simple enough, which makes me
think I'm being stupid and missing something. I'm logged in as root into
webconfig, and it should be using that authentication when looking at the
directories. If it's using the server's process id, the server is allowed to
read or write to the directory as well.

Of course I can't be sure since ClarkConnect doesn't come out and state it, but
the webconfig server itself has got to be Apache. The directives in the conf
file follow the Apache conf file exactly. Although it's possible they modified
the code, but it wouldn't make sense to me to ignore taking a specific ip
address/mask pair.

Dan H.
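
The Order evaluation rules debated in this thread, as an added example that is not part of the original message or of Apache's code: a simplified Python model of the documented mod_access behaviour, run against the three configurations tried above. The function names and client addresses are constructed for illustration, and only "all" and partial-IP patterns are modelled.

```python
# Added example: simplified model of Apache 2.0 mod_access evaluation.
# Helper names are hypothetical; only "all" and partial IPs are handled.

def host_matches(pattern, client_ip):
    """True if an Allow/Deny 'from' pattern covers client_ip."""
    if pattern.lower() == "all":
        return True
    want = pattern.rstrip(".").split(".")
    # Partial IPs match on whole octets: 192.168.2 != 192.168.20.x
    return client_ip.split(".")[:len(want)] == want


def access_allowed(order, allow, deny, client_ip):
    """Apply Order plus the Allow/Deny lists as the mod_access docs describe."""
    in_allow = any(host_matches(p, client_ip) for p in allow)
    in_deny = any(host_matches(p, client_ip) for p in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Default is deny; Deny is evaluated last and overrides Allow.
        return in_allow and not in_deny
    if order == "deny,allow":
        # Default is allow; Allow is evaluated last and overrides Deny.
        return in_allow or not in_deny
    raise ValueError("unsupported Order: %r" % order)


# The three variants from the message: (Order, Allow list, Deny list)
CONFIGS = {
    "allow_deny": ("Allow,Deny", ["192.168.2"], []),
    "deny_allow_deny_all": ("Deny,Allow", ["192.168.2"], ["all"]),
    "deny_allow_no_deny": ("Deny,Allow", ["192.168.2"], []),
}
CLIENTS = ["192.168.2.10", "192.168.20.5", "10.0.0.7"]  # constructed


def decision_table():
    """Map each config name to {client_ip: allowed?}."""
    return {name: {ip: access_allowed(*cfg, ip) for ip in CLIENTS}
            for name, cfg in CONFIGS.items()}


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(name, row)
```

Under these rules the first two variants admit only 192.168.2.x and the third admits every client, so a 403 for a LAN client is not explained by the Order/Allow/Deny lines alone.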
