On Thu, 13 Mar 2008 12:02:06 +0000 Chris G cl@isbd.net wrote:
On Thu, Mar 13, 2008 at 10:31:57AM +0000, Chris G wrote:
I'm trying to prevent outside access to a sub-directory of a directory which *does* allow outside access.
[snip original question]
I now understand the problem a little better and the question *really* is:-
If I have password authenticated access to a directory of my web site how do I *prevent* access to a sub-directory of that directory (using apache directives, obviously I could just prevent apache accessing it by removing permissions).
Adding a "Deny all" directive to the sub-directory does *not* override password authenticated access which has been given by a "Require valid-user" directive in a directory above.
I have sort of got what I want by putting a "Require noOneWhoExists" directive for the sub-directory but I'd really prefer a way to disable the password authentication from happening at all so it just says access denied.
Chris,
Have you tried adding 'Satisfy All' to the '<Directory>' block controlling access to the sub-directory?
Looking at your original configuration it seems to me that the 'Satisfy any' setting is being inherited from the parent directory which means grant access without a username/password if the client matches the list in the 'Allow from' directory, otherwise ask for a password. In your test case the address is not in the 'Allow' list for that subdirectory so Apache does ask for a password.
With 'Satisfy all' in effect Apache should check the 'Allow from' list first and deny access if the client is not in the list. If the client is in the list then it will ask for a username/password.
HTH, Steve.