RE: Apache issue

From: Alexander, David (David.Alexander_at_ladwp.com)
Date: 06/22/05

    Date: Wed, 22 Jun 2005 09:28:29 -0700
    To: <focus-linux@securityfocus.com>
    
    

    As I understand it, you're implicitly allowing access first, by the
    Order statement.

    Perhaps you should consider the following for your httpd.conf file:

    <Directory /www/html/directory/rzone>
        AllowOverride All
        Order Deny,Allow
        Deny from all
        Allow from 10.0.10
    </Directory>

    And the following for your .htaccess file:

    AuthType Basic
    AuthName "Welcome"
    AuthUserFile /www/html/directory/rzone/.htmdp
    <Limit GET POST>
            require valid-user
    </Limit>

    David Alexander
    Open Systems Technology - Information Technology Services
    Los Angeles Department of Water and Power
    david.alexander@ladwp.com
    213-367-3242 Work

    -----Original Message-----
    From: anita.salerno@talk21.com [mailto:anita.salerno@talk21.com]
    Sent: Wednesday, June 22, 2005 12:44 AM
    To:
    Subject: Apache issue

    Hello,
    I'm using Apache/2.0.52 on Fedora Core 3. I've copied the configuration
    file from the previous Apache version on Red Hat, as I do every time
    when upgrading to a new version of Apache (I configured only the new
    httpd.conf manually), and now the problem is that none of the security
    measures is working; I'm bypassing all of them (.htaccess and IP list
    specification).

    The mod_access module is enabled.

    In my httpd.conf, I have:

    AllowOverride All

    <Directory /www/html/directory/rzone>
            Order Allow,Deny
            Allow from 10.0.10.
            Deny from all
    </Directory>

    My .htaccess is:
    AuthType Basic
    AuthName Welcome
    AuthUserFile /www/html/directory/rzone/.htmdp

    <Limit GET POST>
            require valid-user

            Order Allow,Deny
            Allow from 10.0.10.
            Deny from all
    </Limit>

    When I was desperate, I configured the access file as follows:

    Order Allow,Deny
    Deny from all

    and I still have access to the web site.
     
    Any idea?
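
Added example, not part of either message above: a small Python model of how Apache 2.0's mod_access combines Order, Allow and Deny, as documented for that module, applied to the two <Directory> blocks quoted in this thread. It models only `all` and partial-IPv4 specs; the function names and the client addresses are constructed for illustration.

```python
# Model of Apache 2.0 mod_access host-based access control (added example).
# Only "all" and partial IPv4 specs (e.g. "10.0.10" or "10.0.10.") are modeled;
# hostnames, CIDR, netmasks, env= and Satisfy are out of scope.

def spec_matches(spec, client_ip):
    """True if an Allow/Deny 'from' spec covers client_ip."""
    if spec.lower() == "all":
        return True
    # Compare whole octets so that "10.0.1" does not match 10.0.10.x.
    prefix = spec.rstrip(".").split(".")
    return client_ip.split(".")[:len(prefix)] == prefix

def access_allowed(order, allow, deny, client_ip):
    """Apply the documented Order semantics to one client address."""
    hit_allow = any(spec_matches(s, client_ip) for s in allow)
    hit_deny = any(spec_matches(s, client_ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Default deny; Deny is evaluated last and overrides a matching Allow.
        return hit_allow and not hit_deny
    if order == "deny,allow":
        # Default allow; Allow is evaluated last and overrides a matching Deny.
        return hit_allow or not hit_deny
    raise ValueError("unsupported Order: %r" % order)

# The two <Directory> blocks from the thread.
ORIGINAL = {"order": "Allow,Deny", "allow": ["10.0.10."], "deny": ["all"]}
SUGGESTED = {"order": "Deny,Allow", "allow": ["10.0.10"], "deny": ["all"]}

# Constructed client addresses: one inside 10.0.10.x, two outside it.
CLIENTS = ["10.0.10.25", "10.0.11.25", "192.0.2.7"]

def decisions(block):
    """Map each sample client to the allow/deny decision for one block."""
    return {ip: access_allowed(block["order"], block["allow"], block["deny"], ip)
            for ip in CLIENTS}

if __name__ == "__main__":
    for name, block in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for ip, ok in decisions(block).items():
            print("%-9s %-12s %s" % (name, ip, "allow" if ok else "deny"))
```

In this model the original block denies every address, including 10.0.10.x, because `Deny from all` is evaluated last, while the suggested block admits only 10.0.10.x.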

