What could cause deny,allow directive to be ignored in .htaccess? - apache

I cannot get allow and deny directives to work from an .htaccess file within any directory in my web root. I am at a loss as to where I should look to configure this. I have checked the obvious (authz modules are loaded, allow overrides is set to all). Any ideas? Here are my configuration details.
I have an Apache 2.2 server running on RHEL. Within this server I have an IP-based VirtualHost that is configured like this, where myipaddr and myserver are the actual IP address and host name respectively:
<VirtualHost myipaddr:80>
ServerName myserver
TransferLog /var/log/httpd/myserver.access
LogFormat loadbalanced
ErrorLog /var/log/httpd/myserver.error
DocumentRoot /var/www/myserver
<Directory /var/www/myserver>
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
I have tried more complex directives but even a simple .htaccess file that should deny everything has no effect.
Order deny,allow
Deny from all

It turns out there was a configuration file in /etc/httpd/conf.d that I did not realize was getting loaded, and it was trumping the denies and allows within specific directories.
<Location />
Order allow,deny
Allow from all
<LimitExcept GET POST PUT DELETE>
Deny from all
</LimitExcept>
</Location>
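Added example, not part of the original answer: Apache merges `<Directory>` and .htaccess first, then `<DirectoryMatch>`, then `<Files>`/`<FilesMatch>`, then `<Location>`/`<LocationMatch>`, so an access directive in a `<Location>` block overrides one in .htaccess. The sketch below generalizes the case above to any configuration text and lists the access directives that are merged after .htaccess. The function names and the `conf.d/EXAMPLE.conf` file name are assumptions, `Include` lines are not followed, and the regex form `<Directory ~ ...>` is not distinguished.

```python
import re

# Merge phases from Apache's "Configuration Sections" documentation: for one
# request, sections of a later phase override those of an earlier one.
MERGE_PHASE = {"directory": 1, "htaccess": 1, "directorymatch": 2,
               "files": 3, "filesmatch": 3, "location": 4, "locationmatch": 4}
ACCESS = re.compile(r"(Order|Allow|Deny|Require)\b", re.I)
OPEN = re.compile(r"<(\w+)\s*(.*?)>$")
CLOSE = re.compile(r"</\w+>$")


def access_rules(text, source, htaccess=False):
    """Return (phase, source, line number, section, directive) tuples."""
    # A .htaccess file is merged together with <Directory> sections.
    stack = [("htaccess", "")] if htaccess else []
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if CLOSE.match(line) and stack:
            stack.pop()
        elif OPEN.match(line):
            name, arg = OPEN.match(line).groups()
            stack.append((name.lower(), arg.strip('"')))
        elif ACCESS.match(line):
            # Innermost section with a merge phase owns the directive
            # (<LimitExcept> and <VirtualHost> have none of their own).
            owner = next((s for s in reversed(stack) if s[0] in MERGE_PHASE),
                         ("server", ""))
            rules.append((MERGE_PHASE.get(owner[0], 0), source, lineno,
                          " ".join(owner).strip(), line))
    return rules


def applied_after_htaccess(rules):
    """Access directives that are merged later than <Directory>/.htaccess."""
    return sorted(r for r in rules if r[0] > MERGE_PHASE["htaccess"])


# Constructed input modelled on the question; the conf.d name is a placeholder.
HTACCESS = "Order deny,allow\nDeny from all\n"
CONF_D = """<Location />
Order allow,deny
Allow from all
<LimitExcept GET POST PUT DELETE>
Deny from all
</LimitExcept>
</Location>"""
RULES = (access_rules(HTACCESS, ".htaccess", htaccess=True)
         + access_rules(CONF_D, "conf.d/EXAMPLE.conf"))
for rule in applied_after_htaccess(RULES):
    print(rule)
```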

Related

Why some directives in Apache vhost don't work with Ghost?

CONTEXT. I work on a server running Centos 8.3 with Apache 2.4.37.
In Apache's vhosts.conf configuration file I have this vhost for one of my websites:
<VirtualHost *:80>
ServerAdmin se#site.com
DocumentRoot /var/www/html/site
ServerName site.com
ErrorLog /var/log/httpd/admin-site.com-error_log
CustomLog /var/log/httpd/admin-site.com-access_log common
<Directory "/var/www/html/site">
Options SymLinksIfOwnerMatch
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>
<Files ~ "test\.txt">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(txt|png)$">
Order Allow,Deny
Deny from all
</FilesMatch>
</VirtualHost>
I have these two different scenarios:
If in the DocumentRoot folder I put only static files (html, css, images, etc), the Files and FilesMatch directives work perfectly and the frontend looks excellent.
If I put a Ghost installation in the DocumentRoot folder, I necessarily have to add the following Proxy directives to the vhost. And when doing so, the frontend looks great too, but the Files and FilesMatch directives do NOT work at all, i.e. the browser allows me to open site.com/test.txt and site.com/file.png, when they shouldn't open.
ProxyRequests off
ProxyPass / http://localhost:2368/
ProxyPassReverse / http://localhost:2368/
Any ideas how to get the Files and FilesMatch directives to work on my Ghost installation?
I already tried this:
For those thinking about .htaccess. If I activate AllowOverride so that the .htaccess is read: I already tried and the directives in the .htaccess don't work either.
For those thinking of Deny from all. I know Deny from all is for Apache 2.2, and for 2.4 Require all denied should be used. I have done tests and in my Apache 2.4 the Require does not work; only Deny from all works.

How to properly set the allow and deny for apache 2.4 conf and vhosts

I need some advice on how to properly set up the vhosts file directives, preferably without changing the apache2.conf contents. This is for Apache 2.4.
Currently, I get AH01797: client denied by server configuration probably caused by the Require all denied in the apache2.conf.
apache2.conf:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
Require all denied
</Directory>
vhosts file:
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerName sub.example.com
ServerAlias sub.example.com
<Directory /var/www/sub.example.com>
AllowOverride None
Allow from all
Require all granted
</Directory>
</VirtualHost>
</IfModule>
Thank you!
UPDATE
Adding this to the apache2.conf works, it just doesn't work in vhosts file. Any idea why?
<Directory /var/www/sub.example.com>
AllowOverride None
Allow from all
Require all granted
</Directory>
In 2.4, you shouldn't use Order, Deny, or Allow at all. Purge them and replace with Require.
UPDATE Adding this to the apache2.conf works, it just doesn't work in vhosts file. Any idea why?
Maybe the vhosts file isn't included in your configuration, or mod_ssl is not loaded so the whole thing is commented out? The IfModule doesn't make much sense here.
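Added example, not part of the original answer: a small translator that turns the legacy `Order`/`Allow`/`Deny` lines of one section into 2.4 `Require` lines, following the 2.2 evaluation rules (default `Order Deny,Allow`; with `Deny,Allow` an Allow match wins, with `Allow,Deny` a Deny match wins). The function names are assumptions, and patterns that would need `<RequireAll>`/`<RequireAny>` or `env=` are rejected for manual review rather than guessed.

```python
import re


def _require(specs):
    """Render Allow arguments as Require lines (sibling lines are ORed)."""
    ips = [s for s in specs if ":" in s or re.fullmatch(r"[\d./]+", s)]
    hosts = [s for s in specs if s not in ips]
    lines = ["Require ip " + " ".join(ips)] if ips else []
    if hosts:
        lines.append("Require host " + " ".join(hosts))
    return lines


def to_require(legacy):
    """Translate one section's Order/Allow/Deny lines to 2.4 Require lines."""
    order, allow, deny = "deny,allow", [], []   # 2.2 default Order
    for line in legacy:
        word, *args = line.split()
        if word.lower() == "order":
            order = "".join(args).lower()
        elif word.lower() in ("allow", "deny") and args and args[0].lower() == "from":
            if any(s.lower().startswith("env=") for s in args[1:]):
                raise ValueError("env= needs manual review: " + line)
            (allow if word.lower() == "allow" else deny).extend(args[1:])
        else:
            raise ValueError("not a legacy access directive: " + line)
    allow_all = "all" in map(str.lower, allow)
    deny_all = "all" in map(str.lower, deny)
    if order == "deny,allow":
        # Allowed unless a Deny matches; an Allow match wins over Deny.
        if not deny or allow_all:
            return ["Require all granted"]
        if deny_all:
            return _require(allow) or ["Require all denied"]
    elif order == "allow,deny":
        # Denied unless an Allow matches; a Deny match wins over Allow.
        if not allow or deny_all:
            return ["Require all denied"]
        if not deny:
            return ["Require all granted"] if allow_all else _require(allow)
    raise ValueError("pattern needs manual translation: %r" % (legacy,))


# Constructed sample: a legacy block of the kind shown on this page.
print(to_require(["Order Deny,Allow", "Deny from all", "Allow from 127.0.0.1"]))
```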

Apache 2.4 - How to deny access to DocumentRoot but allow 'trailing slash' access to DirectoryIndex file

In my Apache 2.4 VirtualHost configuration, I'd like to - by default - deny access to everything in the DocumentRoot that I do not enable explicitly. To that end, I have written:
DocumentRoot /var/www
<Directory "/var/www">
Require all denied
<Files "index.html">
Require all granted
</Files>
</Directory>
This enables direct access to http://myserver.example/index.html, but results in a 403 response for indirect access to http://myserver.example/.
How can I correct this behaviour?
Following the hint that I "did not explicitly allow /", resulting in it being forbidden, set me on the right track to solve this.
Adding a LocationMatch directive that deals with the trailing slash exclusively results in the desired behaviour:
DocumentRoot /var/www
<Directory "/var/www/">
Require all denied
<Files "index.html">
Require all granted
</Files>
</Directory>
# Regex anchored at string beginning and end
# -> only matches "/"
<LocationMatch "^/$">
Require all granted
</LocationMatch>
Note that adding a <Files "/"> directive does not work, probably because the accessed resource is not really a file.
Neither is <Location /> the right thing, because it would be applied to the entire VirtualHost.

How to block URL pattern using Apache with mod_wsgi

I have a web2py application run under Apache via mod_wsgi. How do I restrict access to the admin page (www.myapp.com/admin) based on source IP?
Ideally, I do it directly within Apache for two reasons: 1) I assume that Apache has more effective access to the source IP [citation needed] and 2) I don't feel like modifying the stock admin page in web2py to block specific IPs.
My (abridged) configuration looks something like this:
<VirtualHost *:80>
WSGIDaemonProcess web2py user=myapp group=myapp
WSGIProcessGroup web2py
WSGIScriptAlias / /home/myapp/myapp/wsgihandler.py
TimeOut 45
ServerName myapp.com
ServerAlias www.myapp.com
<Directory /home/myapp/myapp>
AllowOverride None
Order Allow,Deny
Deny from all
<Files wsgihandler.py>
Allow from all
</Files>
</Directory>
#======================================
# THIS IS WHAT I TRIED THAT DIDN'T WORK
<Directory /home/myapp/myapp/admin>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Directory>
#======================================
AliasMatch ^/static/(.*) \
/home/myapp/myapp/applications/myapp/static/$1
<Directory /home/myapp/myapp/applications/myapp/static/>
Options -Indexes
Order Allow,Deny
Allow from all
</Directory>
# HTTPS enforcement
# Out of convenience, forward /a* to https, covers /admin /appadmin and /a (front facing admin)
RedirectMatch ^/a(.*) https://myapp.com/a$1
RedirectMatch ^/c/(.*) https://myapp.com/c/$1
RedirectMatch ^/w/user/login(?:/(.*)|$) https://myapp.com/w/user/login/$1
RedirectMatch ^/w/user/register(?:/(.*)|$) https://myapp.com/w/user/register/$1
CustomLog /var/log/apache2/access.log common
ErrorLog /var/log/apache2/error.log
</VirtualHost>
Note that I have a similar VirtualHost for port 443. I just didn't include it for the sake of redundancy.
Normally, it is my understanding that I could use something like the directory notation to deny access to certain directories. However, the above didn't work and I wonder if it has to do with the WSGIScriptAlias directive.
Use:
<Location /admin>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>

Apache Multiple Django Sites Including Root

I would like to serve multiple django apps using mod_wsgi including one at root. Currently my apache config looks like this:
WSGIScriptAlias /app1 /path/to/app1/wsgi.py
<Directory /path/to/app1>
Order deny,allow
Allow from all
</Directory>
WSGIScriptAlias /app2 /path/to/app2/wsgi.py
<Directory /path/to/app2>
Order deny,allow
Allow from all
</Directory>
WSGIScriptAlias / /path/to/main-app/wsgi.py
<Directory /path/to/main-app>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
If I switch that last directive to /main it works fine, but if I try to serve that last directive as written then Apache searches for /app1/folder one in /folder1 and I get 500 errors for each of the first two directives. Is there a way to do this, outside of configuring app1.servername and app2.servername?
Do you really mean for /app2 to map to /path/to/app1/wsgi.py?
Other than that, there is nothing wrong with that Apache configuration snippet.
Make sure you are not wrongly setting FORCE_SCRIPT_NAME in your Django settings file.
Make sure you aren't using setdefault() in wsgi.py for Django to set DJANGO_SETTINGS_MODULE. See:
http://blog.dscpl.com.au/2012/10/requests-running-in-wrong-django.html