This is a discussion on Order directive propagation within the Apache Web Server forums, part of the Web Server and Related Forums category.
|
|||
|
Document root is set to /var/www. There I set subdirectory /var/www/alfa.

Now I put in configuration:

<Directory />
Options None
AllowOverride None
Order Allow,Deny
</Directory>

<Directory /var/www/alfa>
Allow from 192.168.0.10
</Directory>

When I ask for document http://myserver/alfa/index.html, Apache would read directives for root directory, and then read from directory "alfa", so it should read:

Order Allow,Deny
Allow from 192.168.0.10

But it allows everybody to read directory alfa! To make it work correctly I have to put "Order Allow,Deny" into alfa, so the configuration should look like this:

<Directory />
Options None
AllowOverride None
Order Allow,Deny
</Directory>

<Directory /var/www/alfa>
Order Allow,Deny
Allow from 192.168.0.10
</Directory>

Why is this so? Please help.
|
|||
|
Leszek.Dubiel@dubielvitrum.pl wrote:
> Document root is set to /var/www.
> There I set subdirectory /var/www/alfa.
>
> Now I put in configuration:
>
> <Directory />
> Options None
> AllowOverride None
> Order Allow,Deny
> </Directory>
>
> <Directory /var/www/alfa>
> Allow from 192.168.0.10
> </Directory>
>
> When I ask for document http://myserver/alfa/index.html, Apache would
> read directives for root directory, and then read from directory
> "alfa", so it should read:
>
> Order Allow,Deny
> Allow from 192.168.0.10
>
> But it allows everybody to read directory alfa! To make it work
> correctly I have to put "Order Allow,Deny" into alfa, so the
> configuration should look like this:
>
> <Directory />
> Options None
> AllowOverride None
> Order Allow,Deny
> </Directory>
>
> <Directory /var/www/alfa>
> Order Allow,Deny
> Allow from 192.168.0.10
> </Directory>
>
> Why is this so? Please help.

simple slip:

Order Allow,Deny
Deny from All

there are examples in the docs you can copy, paste and modify to suit
|
|||
|
> > Order Allow,Deny
> ></Directory>
>
> Order allow, deny without any 'deny' rules basically means 'allow from all',
> so you're just allowing everybody in and not blocking anybody.

Isn't this opposite -- the last one is default, so this should mean "deny from all". This is from http://httpd.apache.org/docs/1.3/mod...ss.html#order:

"Allow,Deny
The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client which does not match an Allow directive or does match a Deny directive will be denied access to the server."

So I don't put any Allow directives, nor any Deny directives, so every client will be denied access.

> > "alfa", so it should read:
> >
> > Order Allow,Deny
> > Allow from 192.168.0.10
>
> No. It doesn't work like this.

If you know how it works, then _please_ explain. I thought that directives made for parent directory also apply to child directories (subdirectories). So when I say "Order allow,deny" for root directory (/), this should also apply to subdirectory /var/www/alfa.

So why do I have to write "Order Allow,Deny" once again?

Thank you!
|
|||
|
Leszek.Dubiel@dubielvitrum.pl wrote:
> > > Order Allow,Deny
> > ></Directory>
> >
> > Order allow, deny without any 'deny' rules basically means 'allow from all',
> > so you're just allowing everybody in and not blocking anybody.
>
> Isn't this opposite -- the last one is default, so this should mean
> "deny from all".
> This is from
> http://httpd.apache.org/docs/1.3/mod...ss.html#order:
>
> "Allow,Deny
> The Allow directives are evaluated before the Deny directives.
> Access is denied by default. Any client which does not match an Allow
> directive or does match a Deny directive will be denied access to the
> server."
>
> So I don't put any Allow directives, nor any Deny directives, so every
> client will be denied access.
>
> > > "alfa", so it should read:
> > >
> > > Order Allow,Deny
> > > Allow from 192.168.0.10
> >
> > No. It doesn't work like this.
>
> If you know how it works, then _please_ explain. I thought that
> directives made for parent directory also apply to child directories
> (subdirectories). So when I say "Order allow,deny" for root directory
> (/), this should also apply to subdirectory /var/www/alfa.
>
> So why do I have to write "Order Allow,Deny" once again?
>
> Thank you!

So you are using Apache 1.3? Look at your config

<Directory />
Options None
AllowOverride None
Order Allow,Deny
</Directory>

<Directory /var/www/alfa>
Allow from 192.168.0.10
</Directory>

in /var/www/alfa why do you expect Apache to understand the Allow line without specifying the context? It should be

<Directory /var/www/alfa>
Order Allow,Deny
Allow from 192.168.0.10
</Directory>

Regardless of what is going on in other directives you do need to have
Order Allow,Deny
or
Order Deny,Allow
before either an
Allow from
or
Deny from
statement, if you think the docs say otherwise please quote the section so we can all learn.

So your first config wouldn't work simply because it doesn't make sense to Apache. The second does work, first you ban everyone from your entire server and then ban everyone again from the directory /var/www/alfa allowing only 192.168.0.10.

This is not the normal state of things, rather there is an extra step.

Banning everyone from /
Allowing everyone to access /var/www
Banning everyone from /var/www/alfa
Allowing 192.168.0.10 into /var/www/alfa

so if you can access any part of your server at all whether you are 0.10 or not then there is likely to be a further Order directive somewhere in your conf file that probably applies to /var/www. The order of the allow,deny or deny,allow in this statement matters as it might override the order directive for / (see here for ideas of how the directives are merged: http://httpd.apache.org/docs/2.2/en/...ns.html#mergin)

Once again the more simple thing to do is to specify up front who has permission and not just leave it to the order allow,deny so personally I would have

<Directory />
Order Deny,Allow
Deny from all
</Directory>

<Directory /var/www>
Order Deny,Allow
Allow from all
</Directory>

<Directory /var/www/alfa>
Order Deny,Allow
Deny from all
Allow from 192.168.0.10
</Directory>

and if you really DO intend to make access to your entire server impossible you don't need the /var/www rule, however if that were the case you wouldn't be asking how to only allow 0.10 into alfa so your whole problem seems a little confused to me.

good luck
|
|||
|
Thank you for writing me so many lines of explanation. Now I understand, that if I put "Order xxx,yyy" it doesn't make sense unless I put any "Allow..." or "Deny...". My problem is solved, but below I try to respond to your post.

> <Directory /var/www/alfa>
> Allow from 192.168.0.10
> </Directory>
>
> in /var/www/alfa why do you expect Apache to understand the Allow line
> without specifying the context?

Because I thought that directive "Order Allow,Deny" is propagated (inherited) from root directory ("/").

> Regardless of what is going on in other directives you do need to have
> Order Allow,Deny
> or
> Order Deny,Allow
> before either an
> Allow from
> or
> Deny from

Thank you, thank you. Now that's clear.

> if you think the docs say otherwise please quote the section
> so we can all learn.

So this is a quotation:

"The Order directive controls the default access state and the order in which Allow and Deny directives are evaluated.

Allow,Deny
The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client which does not match an Allow directive or does match a Deny directive will be denied access to the server."

This is how I understood that:

-- directive "Order Allow,Deny" does TWO things -- (1) sets default behaviour and (2) sets the processing order of "Allow" and "Deny" directives

-- if I put only "Order Allow,Deny" (only == no Allow nor Deny directives) then "access will be denied by default" -- denied to all, because no directives "Allow" and "Deny" would be processed, and "Order ...." directive would only set default behaviour

-- but if I put some Allow or Deny directives together with "Order Allow,Deny" directive, then directives "Allow..." and "Deny..." will be evaluated in proper order (allows first, denies after) and if they don't bring solution access will be denied

For example:

<Directory /var/www/testit>
Order Allow,Deny
</Directory>

All hosts would be denied access to "/var/www/testit" directory, because deny is default behaviour.
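An added example, not part of the thread and not Apache's code: a small Python model of how Apache 1.3/2.2 evaluates Order, Allow and Deny, run over the configurations posted above. It assumes the documented behaviour that the default is "Order Deny,Allow" and that a <Directory> section containing any of these directives replaces, rather than merges with, the parent section's access settings; the function names and the client address 192.168.0.99 are constructed for illustration.

```python
import ipaddress

# Constructed model of Apache 1.3/2.2 host access control (mod_access /
# mod_authz_host). Assumption: only "all", single IPs and CIDR are matched.
DEFAULT_ORDER = "deny,allow"   # Apache's default when a section has no Order

def matches(rules, client):
    ip = ipaddress.ip_address(client)
    return any(r == "all" or ip in ipaddress.ip_network(r) for r in rules)

def effective(sections, path):
    """Return the access settings that govern `path`.
    These directives are not merged: the most specific <Directory> section
    that holds any Order/Allow/Deny replaces the parent's settings whole."""
    cfg = {"order": DEFAULT_ORDER, "allow": [], "deny": []}
    for directory, directives in sorted(sections.items(), key=lambda s: len(s[0])):
        prefix = directory.rstrip("/") + "/"
        if (path + "/").startswith(prefix) and directives:
            cfg = {"order": DEFAULT_ORDER, "allow": [], "deny": [], **directives}
    return cfg

def allowed(sections, path, client):
    cfg = effective(sections, path)
    allow, deny = matches(cfg["allow"], client), matches(cfg["deny"], client)
    if cfg["order"] == "allow,deny":   # default deny; a Deny match wins
        return allow and not deny
    return allow or not deny           # deny,allow: default allow; Allow wins

# The two configurations from the first post (Options/AllowOverride omitted).
FIRST = {"/": {"order": "allow,deny"},
         "/var/www/alfa": {"allow": ["192.168.0.10"]}}
SECOND = {"/": {"order": "allow,deny"},
          "/var/www/alfa": {"order": "allow,deny", "allow": ["192.168.0.10"]}}
# Layout suggested later in the thread: explicit deny at /, reopen /var/www.
SUGGESTED = {"/": {"order": "deny,allow", "deny": ["all"]},
             "/var/www": {"order": "deny,allow", "allow": ["all"]},
             "/var/www/alfa": {"order": "deny,allow", "deny": ["all"],
                               "allow": ["192.168.0.10"]}}

DOC = "/var/www/alfa/index.html"
OTHER = "192.168.0.99"   # constructed client address, not from the thread

if __name__ == "__main__":
    for name, cfg in (("first", FIRST), ("second", SECOND), ("suggested", SUGGESTED)):
        print(name, {c: allowed(cfg, DOC, c) for c in ("192.168.0.10", OTHER)})
```

In this model the first configuration admits every client to /var/www/alfa because that section falls back to the default order with no Deny rule, while the second and the suggested layout admit only 192.168.0.10.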