
Mailing List Archive: Apache: Users

"Deny" directives silently ignored in config files

 

 



Matthieu.Moy at grenoble-inp

Apr 18, 2012, 1:07 AM

Post #1 of 12
"Deny" directives silently ignored in config files

Hi,

I have a server running Apache HTTPD 2.2.16, installed as Debian
package (Debian Squeeze).

Some time ago, "Deny from XXX" directives were correctly taken into
account, both in .htaccess files and in system-wide configuration files
(/etc/apache2/*). I noticed recently that it is no longer the case. I
suspect that this breakage occurred when migrating the server from Debian
Lenny to Debian Squeeze, but I'm not sure.

According to "apachectl -t -D DUMP_PACKAGES", the module
authz_user_module is loaded (it says "(shared)").

I tried the following:

<Location /tmp/>
Order deny,allow
Deny from all
#RewriteEngine On
#RewriteRule . - [F]
</Location>

As it is, the location /tmp/ isn't denied. If I uncomment the Rewrite
rule, it is denied (hence, the config file is read, and the location is
properly specified).

This is a production server so I have limited testing possibilities. I
tried reproducing the problem on a test machine, with the same version
and a full copy of /etc/apache2/ (copied with "rsync -av", only modified
to replace the IP address and DNS name of the server), but the test
machine does not exhibit the problem. I did not copy the files in
DocumentRoot.

I saw nothing in the logs. access.log shows normal accesses (i.e. code
200), and error.log does not change while accessing the pages to be
denied. "apachectl graceful" does not display any warning.

Any idea on what's going on? Where to look for the error?

Thank you very much in advance,

--
Matthieu Moy
http://www-verimag.imag.fr/~moy/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


ph1 at openstrike

Apr 18, 2012, 1:24 AM

Post #2 of 12
Re: "Deny" directives silently ignored in config files

On Wed, Apr 18, 2012 at 10:07:56AM +0200, Matthieu Moy wrote:
> I tried the following:
>
> <Location /tmp/>
> Order deny,allow
> Deny from all
> #RewriteEngine On
> #RewriteRule . - [F]
> </Location>

If you use

Order allow,deny

instead the configuration should deny all requests explicitly. You might
also add

AllowOverride None

just to be really safe.

HTH,

Pete
--
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107


Matthieu.Moy at grenoble-inp

Apr 18, 2012, 2:41 AM

Post #3 of 12
Re: "Deny" directives silently ignored in config files

Pete Houston <ph1 [at] openstrike> writes:

> If you use
>
> Order allow,deny
>
> instead the configuration should deny all requests explicitly.

I tried both orders to be sure, and neither had any effect.

> You might also add
>
> AllowOverride None

I'll try that (I forgot to say that I do have a test virtualhost on
which I have the problem, so while breaking the whole configuration
isn't an option, I can try changing the configuration of this one).

--
Matthieu Moy
http://www-verimag.imag.fr/~moy/



Matthieu.Moy at grenoble-inp

Apr 19, 2012, 8:52 AM

Post #4 of 12
Re: "Deny" directives silently ignored in config files

Matthieu Moy <Matthieu.Moy [at] grenoble-inp> writes:

>> You might also add
>>
>> AllowOverride None
>
> I'll try that

I did try, and it did not change the problem. Deny directives are still
ignored.

--
Matthieu Moy
http://www-verimag.imag.fr/~moy/



noel.butler at ausics

Apr 20, 2012, 12:59 AM

Post #5 of 12
Re: "Deny" directives silently ignored in config files

On Wed, 2012-04-18 at 10:07 +0200, Matthieu Moy wrote:


> I tried the following:
>
> <Location /tmp/>
> Order deny,allow
> Deny from all
> #RewriteEngine On
> #RewriteRule . - [F]
> </Location>
>


It should work, but unless there's a special need, you should be using
directory not location,
for apache 2.2.22 and less:

<Directory /tmp>
Order Deny,Allow
Deny from all
</Directory>

Will work, you do not have a directory statement for /tmp already do
you? If so, is it before or after this location statement?


Matthieu.Moy at grenoble-inp

Apr 20, 2012, 2:50 AM

Post #6 of 12
Re: "Deny" directives silently ignored in config files

Noel Butler <noel.butler [at] ausics> writes:

> On Wed, 2012-04-18 at 10:07 +0200, Matthieu Moy wrote:
>
> I tried the following:
>
> <Location /tmp/>
> Order deny,allow
> Deny from all
> #RewriteEngine On
> #RewriteRule . - [F]
> </Location>
>
> It should work, but unless there's a special need, you should be using
> directory not location,

Right. I used Location because it was simpler, but after RTFM, I
understand why Directory is used more often.

> for apache 2.2.22 and less:
>
> <Directory /tmp>
> Order Deny,Allow
> Deny from all
> </Directory>
>
> Will work, you do not have a directory statement for /tmp already do you? If so, is it before or after this location statement?

I don't have another Directory statement for this particular directory,
but I do have others for parent directories. I tried putting my test
section at the beginning and end of the virtualhost declaration, and at
the beginning and end of /etc/apache2/apache2.conf, and none of the 4
options worked.

--
Matthieu Moy
http://www-verimag.imag.fr/~moy/



noel.butler at ausics

Apr 20, 2012, 7:09 PM

Post #7 of 12
Re: "Deny" directives silently ignored in config files

On Fri, 2012-04-20 at 11:50 +0200, Matthieu Moy wrote:

> Noel Butler <noel.butler [at] ausics> writes:
>
> > On Wed, 2012-04-18 at 10:07 +0200, Matthieu Moy wrote:
> >
> > I tried the following:
> >
> > <Location /tmp/>
> > Order deny,allow
> > Deny from all
> > #RewriteEngine On
> > #RewriteRule . - [F]
> > </Location>
> >
> > It should work, but unless there's a special need, you should be using
> > directory not location,
>
> Right. I used Location because it was simpler, but after RTFM, I
> understand why Directory is used more often.
>


Right, so have you changed it to Directory and does it now work?

If not, I suggest this is a debian issue and should be taken up with its
package maintainer, as with an apache.org release, even of such an old
version that you are using, these directives did work correctly.

Cheers


Matthieu.Moy at grenoble-inp

Apr 23, 2012, 12:04 AM

Post #8 of 12
Re: "Deny" directives silently ignored in config files

Noel Butler <noel.butler [at] ausics> writes:

> Right, so have you changed it to Directory and does it now work?

I tried <Directory>, and it did not work. Anyway, the "RewriteRule . -
[F]" did work in the same place, so the <Directory>/<Location> are
taken into account, it's really about the "Deny from all".

Thanks anyway,

--
Matthieu Moy
http://www-verimag.imag.fr/~moy/



noel.butler at ausics

Apr 24, 2012, 4:37 AM

Post #9 of 12
Re: "Deny" directives silently ignored in config files

On Mon, 2012-04-23 at 09:04 +0200, Matthieu Moy wrote:

> Noel Butler <noel.butler [at] ausics> writes:
>
> > Right, so have you changed it to Directory and does it now work?
>
> I tried <Directory>, and it did not work. -


You definitely have something broken then if Deny does not work in a
Directory statement

For 2.2...

# Default for everything on filesystem, which would include /tmp
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>

<Directory "/var/www/html">
Order Deny,Allow
Allow from all
</Directory>


Which of course has all changed with 2.4, but I won't confuse you with
those :)


Matthieu.Moy at grenoble-inp

Apr 26, 2012, 7:25 AM

Post #10 of 12
Re: "Deny" directives silently ignored in config files

Noel Butler <noel.butler [at] ausics> writes:

> On Mon, 2012-04-23 at 09:04 +0200, Matthieu Moy wrote:
>
> Noel Butler <noel.butler [at] ausics> writes:
>
> > Right, so have you changed it to Directory and does it now work?
>
> I tried <Directory>, and it did not work. -
>
> You definitely have something broken then if Deny does not work in a Directory statement

I found the guilty line in the configuration, but I still don't
understand what's going on.

I had this at the end of /etc/apache2/apache2.conf:

<Location />
Deny from <some IP address to blacklist>
</Location>

Removing these lines solves the issue: other Deny directives (in
/etc/apache2 and in .htaccesses) are now taken into account.

I still have two problems (much less serious):

1) I'd like to understand what was going on. From my understanding, the
line above shouldn't have disabled other "Deny from" directives. Since
<Location> are taken into account after <Directory>, I'd understand that
a "Order" directive could be problematic, but not how a <Location> can
be so.

2) If possible, I'd like to have a way to blacklist IPs without
breaking everything else. That's secondary since the server can also use
iptables rules for blacklisting.

I tried several variants, like using <Directory> instead of <Location
/>, adding Order allow,deny before the Deny. With <Directory>, it works
essentially as I'd have expected: <Directory /> is ineffective since it
is overridden by more precise <Directory /www/.../> directives. It works
if I apply it to subdirectories of the DocumentRoot, but that's not
really convenient.

Thanks,

--
Matthieu Moy
http://www-verimag.imag.fr/~moy/



covener at gmail

Apr 26, 2012, 7:33 AM

Post #11 of 12
Re: "Deny" directives silently ignored in config files

> 1) I'd like to understand what was going on. From my understanding, the
> line above shouldn't have disabled other "Deny from" directives. Since
> <Location> are taken into account after <Directory>, I'd understand that
> a "Order" directive could be problematic, but not how a <Location> can
> be so.

The directives from mod_authz_host, like Order/Allow/Deny, are not
merged from one configuration section to another.

They're replaced.

In 2.4, you can ask for them to be merged.


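Added example, not part of the thread and not httpd code: a simplified Python model of the replace-not-merge behaviour described in the post above, applied to the configuration reported in this thread. The dictionary layout, the function names and the documentation-range IP addresses are assumptions of this example; the "mutual-failure" order is not modelled.

```python
import ipaddress

# Simplified model (an assumption of this example) of httpd 2.2 behaviour:
# sections are visited in merge order, and a section that carries any
# Order/Allow/Deny directive replaces the inherited settings wholesale.
DEFAULT_ORDER = "deny,allow"  # applies when a section has no Order line


def matches(specs, client):
    """True if client matches 'all' or any IP/CIDR entry in specs."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)


def effective(sections):
    """Return the settings of the last section that sets any directive."""
    result = {"order": DEFAULT_ORDER, "allow": [], "deny": []}
    for sec in sections:
        if any(k in sec for k in ("order", "allow", "deny")):
            result = {"order": sec.get("order", DEFAULT_ORDER),
                      "allow": sec.get("allow", []),
                      "deny": sec.get("deny", [])}
    return result


def allowed(sections, client):
    """Evaluate the effective settings for one client address."""
    cfg = effective(sections)
    deny = matches(cfg["deny"], client)
    allow = matches(cfg["allow"], client)
    if cfg["order"] == "allow,deny":   # default deny, Deny beats Allow
        return allow and not deny
    return allow or not deny           # deny,allow: default allow, Allow beats Deny


# Constructed sample, in merge order (<Directory> is applied before <Location>).
# 192.0.2.10 stands in for the blacklisted address elided in the thread.
DIRECTORY_TMP = {"name": "<Directory /tmp>", "order": "deny,allow", "deny": ["all"]}
LOCATION_ROOT = {"name": "<Location />", "deny": ["192.0.2.10"]}


def demo():
    """(access with the <Location /> block present, access after removing it)."""
    client = "198.51.100.7"  # constructed, unrelated client address
    return (allowed([DIRECTORY_TMP, LOCATION_ROOT], client),
            allowed([DIRECTORY_TMP], client))


if __name__ == "__main__":
    print(demo())
```

With the `<Location />` block present, its single Deny line becomes the whole access policy, so the `Deny from all` on /tmp never takes part in the decision.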

Matthieu.Moy at grenoble-inp

Apr 30, 2012, 7:40 AM

Post #12 of 12
Re: "Deny" directives silently ignored in config files

Eric Covener <covener [at] gmail> writes:

>> 1) I'd like to understand what was going on. From my understanding, the
>> line above shouldn't have disabled other "Deny from" directives. Since
>> <Location> are taken into account after <Directory>, I'd understand that
>> a "Order" directive could be problematic, but not how a <Location> can
>> be so.
>
> The directives from mod_authz_host, like Order/Allow/Deny, are not
> merged from one configuration section to another.
>
> They're replaced.

Thanks a lot, I guess this explains everything.

--
Matthieu Moy
http://www-verimag.imag.fr/~moy/

