I'm trying to prevent outside access to a sub-directory of a directory which *does* allow outside access.
In my httpd.conf file I have:-
#
#
# Allow access to /var/www/html from LAN and work or with
# password from elsewhere
#
<Directory /var/www/html>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1 193.128.168.194 84.45.228.40
    Satisfy Any
    AuthType Basic
    AuthName "ISBD Home Server"
    AuthUserFile /etc/httpd/conf/passwd
    Require valid-user
</Directory>
#
#
# Deny access to xyz from anywhere except home systems
#
<Directory /var/www/html/info/xyz>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1
</Directory>
#
#
# Allow access to /var/www/html/public from anywhere
#
<Directory /var/www/html/public>
    Order Deny,Allow
    Allow from All
</Directory>
What's happening is that when I try to access /var/www/html/info/xyz from outside the home LAN it's not denying access, it's asking for a username and password. I.e. the "Satisfy Any" section of the /var/www/html Directory is being acted on. How do I prevent this and totally deny access from outside to /var/www/html/info/xyz?
On 13 Mar 10:31, Chris G wrote:
> I'm trying to prevent outside access to a sub-directory of a directory which *does* allow outside access.
> In my httpd.conf file I have:-
> #
> #
> # Allow access to /var/www/html from LAN and work or with
> # password from elsewhere
> #
> <Directory /var/www/html>
>     Order Deny,Allow
>     Deny from all
>     Allow from 192.168.1 193.128.168.194 84.45.228.40
>     Satisfy Any
>     AuthType Basic
>     AuthName "ISBD Home Server"
>     AuthUserFile /etc/httpd/conf/passwd
>     Require valid-user
> </Directory>
> #
> #
> # Deny access to xyz from anywhere except home systems
> #
> <Directory /var/www/html/info/xyz>
>     Order Deny,Allow
>     Deny from all
>     Allow from 192.168.1
> </Directory>
> #
> #
> # Allow access to /var/www/html/public from anywhere
> #
> <Directory /var/www/html/public>
>     Order Deny,Allow
>     Allow from All
> </Directory>
> What's happening is that when I try to access /var/www/html/info/xyz from outside the home LAN it's not denying access, it's asking for a username and password. I.e. the "Satisfy Any" section of the /var/www/html Directory is being acted on. How do I prevent this and totally deny access from outside to /var/www/html/info/xyz?
Taking a wild stab in the dark:
* You have an ADSL/Cable Router
* You map ports on an external IP through to ports on the internal LAN
* Your apache log always logs external access as coming from the internal IP of the router
If that's the case, then you'll need to not allow from the router's IP.
Cheers,
On Thu, Mar 13, 2008 at 10:49:33AM +0000, Brett Parker wrote:
> On 13 Mar 10:31, Chris G wrote:
> > I'm trying to prevent outside access to a sub-directory of a directory which *does* allow outside access.
> > In my httpd.conf file I have:-
> > #
> > #
> > # Allow access to /var/www/html from LAN and work or with
> > # password from elsewhere
> > #
> > <Directory /var/www/html>
> >     Order Deny,Allow
> >     Deny from all
> >     Allow from 192.168.1 193.128.168.194 84.45.228.40
> >     Satisfy Any
> >     AuthType Basic
> >     AuthName "ISBD Home Server"
> >     AuthUserFile /etc/httpd/conf/passwd
> >     Require valid-user
> > </Directory>
> > #
> > #
> > # Deny access to xyz from anywhere except home systems
> > #
> > <Directory /var/www/html/info/xyz>
> >     Order Deny,Allow
> >     Deny from all
> >     Allow from 192.168.1
> > </Directory>
> > #
> > #
> > # Allow access to /var/www/html/public from anywhere
> > #
> > <Directory /var/www/html/public>
> >     Order Deny,Allow
> >     Allow from All
> > </Directory>
> > What's happening is that when I try to access /var/www/html/info/xyz from outside the home LAN it's not denying access, it's asking for a username and password. I.e. the "Satisfy Any" section of the /var/www/html Directory is being acted on. How do I prevent this and totally deny access from outside to /var/www/html/info/xyz?
> Taking a wild stab in the dark:
> * You have an ADSL/Cable Router
Yes
> * You map ports on an external IP through to ports on the internal LAN
Yes
> * Your apache log always logs external access as coming from the internal IP of the router
No
The <Directory /var/www/html> works perfectly as intended. Access from the local LAN, 193.128.168.194 and 84.45.228.40 is allowed without password. Access from elsewhere is allowed if you give a user name and password.
Here's the entry from my apache access_log:-
193.128.168.194 - - [13/Mar/2008:10:28:19 +0000] "GET /info/xyz HTTP/1.0" 401 479 "-" "Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b"
Apache asks for a user name and password, apparently because of the Satisfy section for /var/www/html/info which isn't being overridden by the Deny in the /var/www/html/info/xyz section.
> If that's the case, then you'll need to not allow from the router's IP.
On Thu, Mar 13, 2008 at 10:31:57AM +0000, Chris G wrote:
> I'm trying to prevent outside access to a sub-directory of a directory which *does* allow outside access.
[snip original question]
I now understand the problem a little better and the question *really* is:-
If I have password authenticated access to a directory of my web site how do I *prevent* access to a sub-directory of that directory (using apache directives, obviously I could just prevent apache accessing it by removing permissions).
Adding a "Deny all" directive to the sub-directory does *not* override password authenticated access which has been given by a "Require valid-user" directive in a directory above.
I have sort of got what I want by putting a "Require noOneWhoExists" directive for the sub-directory but I'd really prefer a way to disable the password authentication from happening at all so it just says access denied.
On Thu, 13 Mar 2008 12:02:06 +0000 Chris G cl@isbd.net wrote:
> On Thu, Mar 13, 2008 at 10:31:57AM +0000, Chris G wrote:
> > I'm trying to prevent outside access to a sub-directory of a directory which *does* allow outside access.
> [snip original question]
> I now understand the problem a little better and the question *really* is:-
> If I have password authenticated access to a directory of my web site how do I *prevent* access to a sub-directory of that directory (using apache directives, obviously I could just prevent apache accessing it by removing permissions).
> Adding a "Deny all" directive to the sub-directory does *not* override password authenticated access which has been given by a "Require valid-user" directive in a directory above.
> I have sort of got what I want by putting a "Require noOneWhoExists" directive for the sub-directory but I'd really prefer a way to disable the password authentication from happening at all so it just says access denied.
Chris,
Have you tried adding 'Satisfy All' to the '<Directory>' block controlling access to the sub-directory?
Looking at your original configuration it seems to me that the 'Satisfy any' setting is being inherited from the parent directory which means grant access without a username/password if the client matches the list in the 'Allow from' directory, otherwise ask for a password. In your test case the address is not in the 'Allow' list for that subdirectory so Apache does ask for a password.
With 'Satisfy all' in effect Apache should check the 'Allow from' list first and deny access if the client is not in the list. If the client is in the list then it will ask for a username/password.
HTH, Steve.
On Thu, Mar 20, 2008 at 12:45:20PM +0000, Steve Fosdick wrote:
> On Thu, 13 Mar 2008 12:02:06 +0000 Chris G cl@isbd.net wrote:
> > On Thu, Mar 13, 2008 at 10:31:57AM +0000, Chris G wrote:
> > > I'm trying to prevent outside access to a sub-directory of a directory which *does* allow outside access.
> > [snip original question]
> > I now understand the problem a little better and the question *really* is:-
> > If I have password authenticated access to a directory of my web site how do I *prevent* access to a sub-directory of that directory (using apache directives, obviously I could just prevent apache accessing it by removing permissions).
> > Adding a "Deny all" directive to the sub-directory does *not* override password authenticated access which has been given by a "Require valid-user" directive in a directory above.
> > I have sort of got what I want by putting a "Require noOneWhoExists" directive for the sub-directory but I'd really prefer a way to disable the password authentication from happening at all so it just says access denied.
> Chris,
> Have you tried adding 'Satisfy All' to the '<Directory>' block controlling access to the sub-directory?
> Looking at your original configuration it seems to me that the 'Satisfy any' setting is being inherited from the parent directory which means grant access without a username/password if the client matches the list in the 'Allow from' directory, otherwise ask for a password. In your test case the address is not in the 'Allow' list for that subdirectory so Apache does ask for a password.
> With 'Satisfy all' in effect Apache should check the 'Allow from' list first and deny access if the client is not in the list. If the client is in the list then it will ask for a username/password.
That doesn't work, adding 'Satisfy All' means that the user has to be on the LAN *and* has to supply a valid user name and password.
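Added example, not part of the original thread and not Apache's own code: a simplified Python model of how Apache 2.2 merges the posted <Directory> sections and applies Satisfy, reproducing the three outcomes reported above (as posted, with 'Satisfy All', and with "Require noOneWhoExists"). The LAN address 192.168.1.10, the dictionary field names and the prefix-based host matching are assumptions of the model.

```python
# Simplified model of Apache 2.2 <Directory> merging and Satisfy handling.
# Assumptions: prefix-based host matching, one Require value per section.
PARENT = ("/var/www/html",
          {"allow": ["192.168.1", "193.128.168.194", "84.45.228.40"],
           "satisfy": "any", "require": "valid-user"})
XYZ = "/var/www/html/info/xyz"

def sections(**xyz_extra):
    """The thread's config, with optional extra directives on the xyz section."""
    return [PARENT, (XYZ, {"allow": ["192.168.1"], **xyz_extra})]

def effective(path, secs):
    """Merge matching sections, shortest path first; unset directives inherit."""
    cfg = {"allow": None, "satisfy": "all", "require": None}
    for prefix, directives in sorted(secs, key=lambda s: len(s[0])):
        if path == prefix or path.startswith(prefix + "/"):
            cfg.update(directives)
    return cfg

def host_ok(ip, allow):
    """Order Deny,Allow + Deny from all: only listed addresses or prefixes pass."""
    return any(ip == a or ip.startswith(a + ".") for a in allow)

def status(path, ip, secs, valid_login=False):
    """HTTP status the model predicts for one request."""
    cfg = effective(path, secs)
    host = cfg["allow"] is None or host_ok(ip, cfg["allow"])
    needs_auth = cfg["require"] is not None
    # A Require that names nobody real can never be met, even with a good login.
    authorized = valid_login and cfg["require"] == "valid-user"
    if cfg["satisfy"] == "all":          # host check AND authentication
        if not host:
            return 403
        return 200 if (authorized or not needs_auth) else 401
    if host:                             # Satisfy Any: host check alone suffices
        return 200
    if not needs_auth:
        return 403
    return 200 if authorized else 401    # falls back to the inherited Require

if __name__ == "__main__":
    work, lan = "193.128.168.194", "192.168.1.10"  # lan address is constructed
    variants = [("as posted", sections()),
                ("Satisfy All on xyz", sections(satisfy="all")),
                ("Require noOneWhoExists", sections(require="noOneWhoExists"))]
    for label, secs in variants:
        print(label, status(XYZ, work, secs), status(XYZ, work, secs, True),
              status(XYZ, lan, secs))
```
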