RE: Apache issue

From: Alexander, David (David.Alexander_at_ladwp.com)
Date: 06/22/05

Next message: Alan Harrylal: "Re: Apache issue"

Previous message: Jan Ciesko (UNI): "generalInfo"
Maybe in reply to: anita.salerno_at_talk21.com: "Apache issue"
Next in thread: Derick Anderson: "RE: Apache issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 22 Jun 2005 09:28:29 -0700
To: <focus-linux@securityfocus.com>

As I understand it, you're implicitly allowing access first, by the
Order statement.

Perhaps you should consider the following for your httpd.conf file:

<Directory /www/html/directory/rzone>
    AllowOverride All
    Order Deny,Allow
    Deny from all
    Allow from 10.0.10
</Directory>

And the following for your .htaccess file:

AuthType Basic
AuthName "Welcome"
AuthUserFile /www/html/directory/rzone/.htmdp
<Limit GET POST>
require valid-user
</Limit>

David Alexander
Open Systems Technology - Information Technology Services
Los Angeles Department of Water and Power
david.alexander@ladwp.com
213-367-3242 Work

-----Original Message-----
From: anita.salerno@talk21.com [mailto:anita.salerno@talk21.com]
Sent: Wednesday, June 22, 2005 12:44 AM
To:
Subject: Apache issue

Hello,
I'm using Apache/2.0.52 on Fedora Core 3. I've copied the configuration
file of the previous apache's version on a Redhat, as I do everytime
when upgrading to a new version of Apache (I configured only the new
httpd.conf manually), and now the problem is that none of the security
measures is working, I'm bypassing all of them (.htaccess and ip list
specification).

The mod_access module is enabled.

In my httpd.conf, I have:

AllowOverride All

<Directory /www/html/directory/rzone>
        Order Allow,Deny
        Allow from 10.0.10.
        Deny from all
</Directory>

My .htaccess is:
AuthType Basic
AuthName Welcome
AuthUserFile /www/html/directory/rzone/.htmdp

<Limit GET POST>
require valid-user

        Order Allow,Deny
        Allow from 10.0.10.
        Deny from all
</Limit>

When I was desprate, I've configured the access file as follow:

Order Allow,Deny
Deny from all

and I still have access to the web site.

Any idea ?

Next message: Alan Harrylal: "Re: Apache issue"

Previous message: Jan Ciesko (UNI): "generalInfo"
Maybe in reply to: anita.salerno_at_talk21.com: "Apache issue"
Next in thread: Derick Anderson: "RE: Apache issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Nimda + apache
... I think you'll find that the bit at the bottom of your apache .conf file was ... your Tomcat webapps directory. ... > AllowOverride None ... > deny from all ...
(NT-Bugtraq)
Re: Another flaw in Apache?
... > that's the default configuration for user-writable directories), ... This is indeed the default configuration. ... provider will change it to AllowOverride All just because customers like to ... With about 10000 chacters and above: segfault. ...
(Vuln-Dev)
server issues
... I am having a problem with my apache in freebsd. ... i set up two virtual hosts, ... AllowOverride None ...
(freebsd-questions)
Re: [PHP] 500 server error
... Check Apache error_log to be sure, and ask on Apache mailing list... ... The purpose of AllowOverride in httpd.conf is to define what is ... If AllowOverride worked in .htaccess, then that gives the power to ... user can override what they are allowed to override and then override ...
(php.general)
Re: htaccess + apache
... entering the ip's then restarting apache. ... file in the doc root that I can change. ... described in the Apache documentation for the Allow directive. ... See AllowOverride in the apache docs for more details. ...
(Fedora)