LinuxQuestions.org


cbonar 09-15-2007 07:28 AM

[solved] Apache2 > "order allow,deny" to allow subdirectories
 
Hello,

I want to restrict my web root and allow some subdirectories like /public/, with apache2.

From http://httpd.apache.org/docs/2.2/mod...html#directory :

Code:

Note that the default Apache access for <Directory /> is Allow from All.
This means that Apache will serve any file mapped from an URL.
It is recommended that you change this with a block such as

<Directory />
Order Deny,Allow
Deny from All
</Directory>

and then override this for directories you want accessible.

Ok, but how to do it ?
The following is not working, I've no access at / nor /public/ ("client denied by server configuration: /var/www/public/").

Code:

DocumentRoot /var/www/

<Directory />
  Options FollowSymLinks MultiViews
  Order Deny,Allow
  Deny from all
</Directory>

<Directory /public/>
  Order Allow,Deny
  Allow from all
</Directory>

The following is giving me access to both / and /public/, but I don't want that :

Code:

DocumentRoot /var/www/

<Directory />
  Options FollowSymLinks MultiViews
</Directory>

<Directory /public/>
  Order Allow,Deny
  Allow from all
</Directory>


andyccn 09-15-2007 11:53 AM

Directory / - refers to your file-system's root, not the web-root.

So what you're saying is, the web-server cannot access the root of the file-system and anything under it - /.
Then what you have is another directive saying:

Code:

<Directory /var/www>
Order Allow,Deny
Allow from all
Options ....
</Directory>

This is a safeguard for anyone that tries to use Apache to "break-out" of the /var/www directory to serve other files.
The <Directory /var/www> overrides the safeguard on / to allow public HTML to be served.

On my server, I have:

Code:

<Directory />
Order deny,allow
Deny from all
</Directory>

<Directory /var/www/*>
Order allow,deny
allow from all
</Directory>

so anything under /var/www is allowed to be served by the web-server.
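
Added example, not part of the thread and not Apache's own code: a simplified Python model of how Apache 2.2 matches `<Directory>` sections against filesystem paths, run on the question's first configuration and on a constructed variant that names /var/www/public/. It assumes only "from all" rules, plain (non-wildcard) paths, and that the longest matching section carrying access rules replaces shorter ones; all function names are hypothetical.

```python
import re

# Constructed copy of the question's first (non-working) configuration.
BROKEN = """
DocumentRoot /var/www/
<Directory />
  Order Deny,Allow
  Deny from all
</Directory>
<Directory /public/>
  Order Allow,Deny
  Allow from all
</Directory>
"""
# Constructed variant: the section now names the filesystem path.
FIXED = BROKEN.replace("<Directory /public/>", "<Directory /var/www/public/>")

SECTION = re.compile(r"<Directory\s+(\S+?)\s*>(.*?)</Directory>", re.S | re.I)

def parse(conf):
    """Yield (directory, order, allow_all, deny_all) per access-bearing section."""
    for path, body in SECTION.findall(conf):
        order = re.search(r"^\s*Order\s+(\S+)", body, re.M | re.I)
        allow = bool(re.search(r"^\s*Allow\s+from\s+all", body, re.M | re.I))
        deny = bool(re.search(r"^\s*Deny\s+from\s+all", body, re.M | re.I))
        if order or allow or deny:  # sections without access rules change nothing
            yield (path.rstrip("/") or "/",
                   order.group(1).lower() if order else "deny,allow", allow, deny)

def covers(directory, fs_path):
    """True if directory is fs_path itself or one of its parent directories."""
    return directory == "/" or fs_path == directory or fs_path.startswith(directory + "/")

def allowed(conf, fs_path):
    """Decide access for a FILESYSTEM path (what DocumentRoot + URL maps to)."""
    order, allow, deny = "deny,allow", False, False  # no rules at all: served
    # Shortest directory first, so the most specific matching section wins.
    for d, o, a, dn in sorted(parse(conf), key=lambda s: s[0].rstrip("/").count("/")):
        if covers(d, fs_path):
            order, allow, deny = o, a, dn
    if order == "deny,allow":
        return allow or not deny  # allowed by default; Allow overrides Deny
    return allow and not deny     # allow,deny: denied by default; Deny overrides

def sections_outside_docroot(conf):
    """Directory paths neither above nor below DocumentRoot (Alias is ignored)."""
    root = re.search(r"^\s*DocumentRoot\s+(\S+)", conf, re.M | re.I).group(1).rstrip("/")
    return [d for d, *_ in parse(conf) if not (covers(d, root) or covers(root, d))]
```

`sections_outside_docroot(BROKEN)` reports `/public`, the section that never matches /var/www/public/, which is why the request was refused by the rule on `/`.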

cbonar 09-15-2007 01:12 PM

Thanks a lot, I understand my mistake now : I was thinking that the DocumentRoot directive was prepended to the path in the <Directory> ones.

linuxjamil 09-17-2007 09:47 PM

<Directory>
 
yo you there?Dear
Seeing your problem definition, I looked into my httpd.conf file running on Fedora 5 and saw:

Code:

<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>

Nothing like Allow from All.

Would you please describe to me what AllowOverride All and Options FollowSymLinks mean?

Thanking You
Subrun

linuxjamil 09-17-2007 10:03 PM

What I realized
 
yo you there?On my server, I have:

Code:

<Directory />
Order deny,allow
Deny from all
</Directory>

<Directory /var/www/*>
Order allow,deny
allow from all
</Directory>

so anything under /var/www is allowed to be served by the web-server.

----------------------------------

The above statement means that on /, which is the root file-system of a Linux system, no access will be given. And any directory afterwards, /var/www/*, will get access to serve HTML pages. Is it right? Please say, as I am conceptually very weak in Apache.

Please say whether my assumption is right or wrong.

cbonar 09-18-2007 07:34 AM

Quote:

Originally Posted by linuxjamil (Post 2895281)
yo you there?On my server, I have:

Code:

<Directory />
Order deny,allow
Deny from all
</Directory>

<Directory /var/www/*>
Order allow,deny
allow from all
</Directory>

so anything under /var/www is allowed to be served by the web-server.

----------------------------------

The above statement means that on /, which is the root file-system of a Linux system, no access will be given. And any directory afterwards, /var/www/*, will get access to serve HTML pages. Is it right? Please say, as I am conceptually very weak in Apache.

Please say whether my assumption is right or wrong.

Yes this is the way I now understand it too (and as a matter of fact this is the way it's working).

About AllowOverride, I don't use it but you can find the documentation here : http://httpd.apache.org/docs/2.2/mod...#allowoverride.

About FollowSymLinks, this is an option that allows the server to follow symbolic links on the filesystem. You can also find the definition here : http://httpd.apache.org/docs/2.2/mod/core.html#options

andyccn 09-18-2007 07:34 AM

Yes, you're correct.
This is so people cannot try and use Apache to serve files it shouldn't.

The "Order allow,deny", "allow from all", "deny from all" are security options to restrict access to certain files/folders based on IP addresses and domain name. "all" is a synonym for "everybody."

So saying:

Order allow,deny
deny from all

means no-one is allowed to see the content in the given directory.

I'd check out the default httpd.conf file and the Apache documentation, as you really should be denying access to anything but the Apache www directory.

As a polite side-note, "yo you there? Dear" is not a great way to greet people in English. "Hi" will simply do fine.

linuxjamil 09-19-2007 01:17 PM

Sorry
 
yo you there?Dear

Thank you for your mail. But I am sorry for the extra strings which are automatically going with every message.

cbonar 09-19-2007 02:02 PM

LOL, What is it ? A plugin for Firefox ?

sandeshsk007 10-26-2007 12:34 PM

I have the same question, but I want to restrict access to a particular page in the website based on the domain.
I tried changing the <Directory ...> directive but in vain.
Could you guys help me out in this regard?
I have been stuck on this for a very long time.

Thanks
Sandesh

cbonar 10-26-2007 01:14 PM

For files, you should look at the <Files> directive.

andyccn 10-26-2007 03:07 PM

Restricting by domain is not always reliable, as it uses a reverse lookup on the client's IP address. "Dynamic" IP addresses such as that of dial-up and ADSL providers will resolve to that of the ISP, whatever the forward-lookup of a domain resolves to.

sandeshsk007 10-26-2007 03:59 PM

I want to actually allow access to a $$$$$$.html page for users from only a certain domain, and want to deny all other users. Now I think I have made it more clear.


Regards
Sandesh

cbonar 10-27-2007 04:08 PM

Try something like this (change the parameters in bold) :

Code:

<Directory /var/www/yourdirectory/>
    Order Deny,Allow
    Allow from all
    <Files $$$$$$.html>
        Deny from all
        Allow from yourdomain.com
    </Files>
</Directory>

I haven't tested it, but if you look at http://httpd.apache.org/docs/2.2/howto/access.html I'm sure you'll have all the required information.

