On Thu, Mar 13, 2008 at 10:49:33AM +0000, Brett Parker wrote:
On 13 Mar 10:31, Chris G wrote:
I'm trying to prevent outside access to a sub-directory of a directory which *does* allow outside access.
In my httpd.conf file I have:-
#
#
# Allow access to /var/www/html from LAN and work or with
# password from elsewhere
#
<Directory /var/www/html>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1 193.128.168.194 84.45.228.40
    Satisfy Any
    AuthType Basic
    AuthName "ISBD Home Server"
    AuthUserFile /etc/httpd/conf/passwd
    Require valid-user
</Directory>
#
#
# Deny access to xyz from anywhere except home systems
#
<Directory /var/www/html/info/xyz>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1
</Directory>
#
#
# Allow access to /var/www/html/public from anywhere
#
<Directory /var/www/html/public>
    Order Deny,Allow
    Allow from All
</Directory>
What's happening is that when I try to access /var/www/html/info/xyz from outside the home LAN it's not denying access, it's asking for a username and password. I.e. the "Satisfy Any" section of the /var/www/html Directory is being acted on. How do I prevent this and totally deny access from outside to /var/www/html/info/xyz?
Taking a wild stab in the dark:
* You have an ADSL/Cable Router
Yes
* You map ports on an external IP through to ports on the internal LAN
Yes
* Your apache log always logs external access as coming from the internal IP of the router
No
The <Directory /var/www/html> works perfectly as intended. Access from the local LAN, 193.128.168.194 and 84.45.228.40 is allowed without password. Access from elsewhere is allowed if you give a user name and password.
Here's the entry from my apache access_log:-
193.128.168.194 - - [13/Mar/2008:10:28:19 +0000] "GET /info/xyz HTTP/1.0" 401 479 "-" "Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b"
Apache asks for a user name and password, apparently because of the Satisfy section for /var/www/html/info which isn't being overridden by the Deny in the /var/www/html/info/xyz section.
If that's the case, then you'll need to not allow from the router's IP.