Apache virtual host permissions not working - apache

I need some help here; my virtual hosts' permissions appear not to be working.
For example, site1.com and site2.com can access each other's files and even create files! I have tried to prevent this by having this in the apache2.conf file:
<Directory />
Options FollowSymLinks
Order deny,allow
Deny from all
</Directory>
And then in the virtual host file for site1 I have this
<Directory /var/www/site1.com/public_html>
Options Indexes FollowSymLinks
Order Allow,Deny
Allow from all
</Directory>
And for the virtual host file in site2 I have this
<Directory /var/www/site2.com/public_html>
Options Indexes FollowSymLinks
Order Allow,Deny
Allow from all
</Directory>
Can anyone help me with this please, as it's a big security issue?
What have I done wrong?
Thanks,
Dan

An Apache configuration doesn't have anything to do with who/what can create files in the filesystem, it only determines what this particular program (httpd) is willing to serve.

Related

How to properly set the allow and deny for apache 2.4 conf and vhosts

I need some advice on how to properly setup the vhosts file directives preferably without changing the apache2.conf contents. This is for apache 2.4.
Currently, I get AH01797: client denied by server configuration probably caused by the Require all denied in the apache2.conf.
apache2.conf:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
Require all denied
</Directory>
vhosts file:
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerName sub.example.com
ServerAlias sub.example.com
<Directory /var/www/sub.example.com>
AllowOverride None
Allow from all
Require all granted
</Directory>
</VirtualHost>
</IfModule>
Thank you!
UPDATE
Adding this to the apache2.conf works, it just doesn't work in vhosts file. Any idea why?
<Directory /var/www/sub.example.com>
AllowOverride None
Allow from all
Require all granted
</Directory>
In 2.4, you shouldn't use Order, Deny, or Allow at all. Purge them and replace with Require.
UPDATE Adding this to the apache2.conf works, it just doesn't work in vhosts file. Any idea why?
Maybe the vhosts file isn't included in your configuration, or mod_ssl is not loaded so the whole thing is commented out? The IfModule doesn't make much sense here.

Restrict access to all folders but one to local ips using .htaccess

I just set up a web server and I'm having some trouble configuring my .htaccess to apply the restrictions I want.
Basically, I want everything on /var/www to be restricted to local ips but one folder, that should be publicly accessed. This is what I currently have in my .htaccess (located at /var/www/.htaccess) and it seems to be doing the opposite or something:
# Deny access to all directories but 'pepephone'
<Directory /var/www>
Order deny,allow
deny from all
allow from 192.168.0.
<Directory /var/www/pepephone>
Order allow,deny
allow from all
</Directory>
</Directory>
What do I need to change to achieve the result I want? Thanks in advance.
From: http://httpd.apache.org/docs/2.4/en/mod/core.html#directory
<Directory> directives cannot nest, and cannot appear in a <Limit> or <LimitExcept> section.
You should use:
# Deny access to all directories but 'pepephone'
<Directory /var/www>
Order deny,allow
deny from all
allow from 192.168.0.
</Directory>
<Directory /var/www/pepephone>
Order allow,deny
allow from all
</Directory>
Found the answer.
First, as @nlu posted, you can't nest Directory tags. And second, the Directory tag is not allowed in .htaccess files, so I had to do it directly in the apache .conf files.
So this is what it ended up looking like (both files are in the /etc/apache2/sites-enabled/ folder, included by apache2.conf). Note that these directives are each inside a <VirtualHost> tag:
000-default.conf
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride Limit
Order deny,allow
deny from all
allow from 192.168.0.
</Directory>
pepephone.conf
<Directory /var/www/pepephone/>
Options Indexes FollowSymLinks MultiViews
Order allow,deny
allow from all
</Directory>
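A small checker for the two mistakes the answers above identify: nested <Directory> sections, and 2.2-style Order/Allow/Deny lines left in a 2.4 configuration, alone or mixed with Require. This is an added example, not code from the original posts; the function name lint and the sample text are constructed for illustration, and the parser assumes one directive per line.

```python
import re

LEGACY = {"order", "allow", "deny", "satisfy"}  # 2.2 access directives

def lint(conf_text):
    """Return (line_no, message) findings for an httpd config fragment."""
    findings, stack = [], []  # stack holds [section name, access styles seen]
    for no, line in enumerate(map(str.strip, conf_text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(\w+)", line)
        if line.startswith("</"):
            stack = stack[:-1]  # close the innermost open section
        elif opened:
            name = opened.group(1).lower()
            if name == "directory" and any(s[0] == name for s in stack):
                findings.append((no, "<Directory> sections cannot nest"))
            stack.append([name, set()])
        else:
            word = line.split()[0].lower()
            style = "legacy" if word in LEGACY else "require" if word == "require" else None
            seen = stack[-1][1] if stack else set()
            if style == "legacy":
                findings.append((no, f"2.2-style '{line}': use Require on 2.4"))
            if style and seen and style not in seen:
                findings.append((no, "section mixes Order/Allow/Deny with Require"))
            if style:
                seen.add(style)
    return findings

# Constructed sample: the nested block and a mixed 2.2/2.4 block like those quoted on this page.
SAMPLE = """\
<Directory /var/www>
Order deny,allow
deny from all
allow from 192.168.0.
<Directory /var/www/pepephone>
Order allow,deny
allow from all
</Directory>
</Directory>
<Directory />
Deny from all
Require all denied
</Directory>
"""

for no, msg in lint(SAMPLE):
    print(f"line {no}: {msg}")
```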

Block access from IP address in Apache2

I have an apache2 server, serving a website from the following directory /var/www/
I'm trying to restrict this website to all but 2 ip addresses
I've put the code below in the security file located on my linux
server directory:
etc/apache2/conf.d/security
<Directory /var/www/>
Order allow,deny
#Allow from IPADDRESS1
Allow from IPADDRESS2
</Directory>
1) Why can I access the website from IPADDRESS1 when it's commented out?
2) Is this the section of the apache2 documentation that deals with this?
I think you need to specify to deny all other connections, i.e.:
<Directory /var/www/>
# Deny is evaluated first; a matching Allow line then overrides it
Order deny,allow
Deny from all
#Allow from 192.168.1.4
Allow from 149.254
</Directory>
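How the 2.2 Order directive combines Allow and Deny lines, as an added example that is not part of the original posts. The helpers matches(), allowed() and decisions() are hypothetical; they model only "all" and partial IPv4 addresses, and the client addresses are constructed.

```python
def matches(spec, ip):
    """Match a 2.2 'Allow from'/'Deny from' value: 'all' or a partial IPv4 address."""
    if spec.lower() == "all":
        return True
    prefix = spec.rstrip(".")
    # Partial addresses match on octet boundaries only.
    return ip == prefix or ip.startswith(prefix + ".")

def allowed(order, allow, deny, ip):
    """Evaluate Apache 2.2 Order semantics for one client IP."""
    hit_allow = any(matches(s, ip) for s in allow)
    hit_deny = any(matches(s, ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Default deny: an Allow match is required, and any Deny match rejects.
        return hit_allow and not hit_deny
    if order == "deny,allow":
        # Default allow: a Deny match rejects unless an Allow match overrides it.
        return hit_allow or not hit_deny
    raise ValueError(f"unsupported Order: {order}")

# (Order, Allow values, Deny values) built from the values that appear above.
CASES = [
    ("allow,deny", ["149.254"], []),
    ("allow,deny", ["149.254"], ["all"]),
    ("deny,allow", ["149.254"], ["all"]),
]

def decisions(clients=("149.254.10.20", "192.168.1.4")):
    """Return {(order, deny values, client): decision} for every case."""
    return {(o, tuple(d), c): allowed(o, a, d, c)
            for o, a, d in CASES for c in clients}

if __name__ == "__main__":
    for key, ok in decisions().items():
        print(key, "ALLOW" if ok else "DENY")
```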

404 Error on Certain Pages Using SSL

I'm trying to enable ssl on my wordpress site and am running into a bit of difficulty. I've enabled ssl admin through the wordpress ssl plugin (well reviewed) and also required ssl for a couple other pages. The administration panel works well with https as does the homepage and a couple other pages. However on many of them, namely pages that I've dynamically generated with a php plugin that I wrote, I get a 404 error:
Not Found
The requested URL /create/5 was not found on this server.
Apache/2.2.22 (Ubuntu) Server at upsmart.com Port 443
Approaches that haven't worked so far include:
I've enabled mod-rewrite on the server, I've tried changing the site url in the dashboard to explicitly be https:// and I've scanned the php for hard-coded instances of http://
Really scratching my head on this one so any ideas would be appreciated.
For reference I'm using Apache on Ubuntu 12.04.
Update!
I checked my Apache error log and came out with the following message:
File does not exist: /home/user/www/create
My reaction upon seeing that is "Well of course it doesn't. If I'm trying to get it to http://example.com/create/ why would it be reading that as ~/www/create?"
Please allow me to blush a little; the update I gave to the question above allowed me to take a guess at the issue but I'll put it down in case anyone else runs into the problem.
I found that I had only half-configured the file /etc/apache2/sites-enabled/default-ssl.
The file began as follows:
ServerAdmin webmaster@localhost
DocumentRoot /home/sam/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /home/sam/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
The issue was that the second AllowOverride needed to be changed from none to all, so that it would look like this:
ServerAdmin webmaster@localhost
DocumentRoot /home/sam/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /home/sam/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
Mind you: This must be configured for ssl even if you have configured this for other sites-enabled like 000-default.
There's no difference between the configurations.

Why does Apache serve different directories when accessed from different machines?

I'm trying to configure Apache on OS X 10.8.2 so that the default "system" site is accessible from other machines, while the "user" site is not. In httpd.conf I have
DocumentRoot "/Library/WebServer/Documents"
<Directory />
Options -FollowSymLinks -MultiViews
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory "/Library/WebServer/Documents">
Options Indexes -FollowSymLinks -MultiViews
AllowOverride None
Order deny,allow
Allow from all
</Directory>
and in ME.conf I have
<Directory "/Users/ME/Sites">
Options Indexes -FollowSymLinks -MultiViews
AllowOverride None
Order deny,allow
Deny from all
Allow from localhost
</Directory>
This behaves as intended when accessed from the hosting machine: http://localhost/~ME/ maps to /Users/ME/Sites and http://localhost maps to /Library/WebServer/Documents. But when I access the hosting machine from a different machine, http://hostingmachine doesn't work, and http://hostingmachine/~ME/ maps to /Library/WebServer/Documents. What have I done to deserve that? Is there a way to do what I'm trying to do, or at least something close?