Problems restricting access

default page inaccessible!

gianluigi zanettini

1:00 am on Jan 12, 2005 (gmt 0)


Hi all.

I'm trying to strengthen my Apache webserver.

I want to protect the whole directory, except for the index.php file.

I used this:

DocumentRoot E:
<Directory />
AllowOverride None
</Directory>

<Directory E:>
Order deny,allow
deny from all

<Files index.php>
order allow,deny
allow from all
</Files>

<Files index.htm>
order allow,deny
allow from all
</Files>
</Directory>

<Directory E:\www>
allow from all
</Directory>

The problem is, if I open "http://webserver/index.php" everything is OK, but if I just open "http://webserver/" I get a "forbidden" message (yes, index.php is listed in DirectoryIndex): any help?

Thanx!

jdMorgan

1:23 am on Jan 12, 2005 (gmt 0)


gianluigi,

Welcome to WebmasterWorld!

You may use only one "order" directive per container.

You can use SetEnvIf to set a variable if the index file is requested, and then test that variable in an "allow from" directive to override the "Deny".

Jim

gianluigi zanettini

8:05 am on Jan 12, 2005 (gmt 0)


Hi JD, first of all, thanks for your time, your help is very appreciated ;)

I modified my cfg as follows:

DocumentRoot E:
<Directory />
AllowOverride None
</Directory>

<Directory E:>
Order deny,allow
deny from all

<Files index.php>
allow from all
</Files>

<Files index.htm>
allow from all
</Files>
</Directory>

<Directory E:\www>
allow from all
</Directory>

But I still have the problem.

Could you explain a bit more (possibly with examples) the workaround you suggested? I'm pretty new to Apache and I can't understand what you said.

Thanks again!

jdMorgan

3:50 pm on Jan 12, 2005 (gmt 0)


OK, a quick example.

The first five lines set the environment variable "allowed_file" for any files which must always be allowed. The name of the variable is arbitrary; you can call it any name except for system-reserved names.

The variable is then tested in the "Allow from" directive below. Attempts to access any other resources will be denied.


SetEnvIf Request_URI "^/index\.htm$" allowed_file
SetEnvIf Request_URI "^/index\.php$" allowed_file
SetEnvIf Request_URI "^/40[0-9]error\.htm$" allowed_file
SetEnvIf Request_URI "^/robots\.txt$" allowed_file
SetEnvIf Request_URI "^/favicon\.ico$" allowed_file
#
<Directory E:>
Order Deny,Allow
Deny from All
Allow from env=allowed_file
</Directory>

See Apache mod_setenvif and mod_access for more information.

If you wish to use Allow and Deny, you cannot use AllowOverride None -- you must set AllowOverride Limit at minimum. See the Apache core AllowOverride documentation.

I have added three lines to the list of allowed files: robots.txt and favicon.ico will be requested whether you have those files on your site or not, and should be answered with a 404-Not Found if not present, rather than 403-Forbidden. If you use custom 401, 403 and 404 error pages, then you must allow them to be accessed, so I have also included the line that allows access to any page called "40<any digit>error.htm".

Jim
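
Added example, not part of jdMorgan's post or of Apache itself: a simplified Python model of how the SetEnvIf patterns above combine with "Deny from all" and `Allow from env=allowed_file` (the mod_access form for testing a variable), run over constructed request URIs. The function names and the extra `^/$` pattern are assumptions introduced here; the model shows that a request for the bare "/" matches none of the posted patterns.

```python
import re

# Patterns copied from the post above.
POSTED_RULES = [
    r"^/index\.htm$",
    r"^/index\.php$",
    r"^/40[0-9]error\.htm$",
    r"^/robots\.txt$",
    r"^/favicon\.ico$",
]
# Assumption (not in the thread): also match the bare directory request.
WITH_ROOT = POSTED_RULES + [r"^/$"]


def setenvif(request_uri, rules, var="allowed_file"):
    """Model 'SetEnvIf Request_URI <regex> <var>': return the variables set."""
    path = request_uri.split("?", 1)[0]  # Request_URI excludes the query string
    return {var} if any(re.search(p, path) for p in rules) else set()


def access(order, env, allow_env="allowed_file"):
    """Model 'Deny from all' plus 'Allow from env=<allow_env>' under an Order."""
    allowed = allow_env in env
    denied = True  # "Deny from all" matches every client
    if order == "deny,allow":
        # Deny is evaluated first, a matching Allow overrides it.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first, a matching Deny overrides it.
        return allowed and not denied
    raise ValueError("unknown Order: %r" % order)


def check(uri, rules, order="deny,allow"):
    """True if the modelled configuration would let the request through."""
    return access(order, setenvif(uri, rules))


if __name__ == "__main__":
    # Constructed sample requests.
    for uri in ["/", "/index.php", "/index.php?id=1", "/secret.txt",
                "/www/index.php", "/403error.htm"]:
        print("%-18s posted=%-5s with_root=%s"
              % (uri, check(uri, POSTED_RULES), check(uri, WITH_ROOT)))
```

Because every pattern is anchored at the site root, the model also denies "/www/index.php"; files in subdirectories need their own patterns.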

gianluigi zanettini

7:35 pm on Jan 12, 2005 (gmt 0)


I tried to use your posted cfg, but I'm experiencing tons of problems.

My config works perfectly, except for the default page.

Any other hints?