Config file "Deny" directives cached? - Apache Web Server forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

Config file "Deny" directives cached?

cedilla

7:57 pm on Apr 18, 2008 (gmt 0)

10+ Year Member

I have been experimenting with putting "Deny" directives into one of the configuration files in my server's hierarchy. My experiments involve either putting "Deny"s directly into the config file, or into an "Include"d file. The IP I am using for the experiments is my own IP.

The problem is that once I have conducted such a experiment I seem to be basically unable to REVERT the "Deny". I have tried removing the "Deny" or replacing it with an "Accept" - always, of course, restarting Apache after making any change. But Apache seems to remember that I have been denied access, and keeps denying. The only remedy I have found was to put an "accept" for my IP into the .htaccess file for the given directory - but the remedy only lasts while the "accept" is in the .htaccess file. When I take it out, Apache reverts to its remembered "deny" behaviour.

I have not been successful at finding any clue about this behaviour on the Web. Can anybody please explain the mechanism behind what I am seeing, and advise me what to do to make Apache forget these experimetal "Deny"s?

By the way, my server is under Plesk. Does that matter, or is the behaviour I am seeing standard?

Many thanks in advance.

jdMorgan

2:19 am on Apr 19, 2008 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

This is your browser cache in action. Flush your browser cache completely when testing server-side code.

You may wish to mark your custom 403 error page as non-cacheable, or set a short expiry time on it as well.

Jim

cedilla

5:50 pm on Apr 19, 2008 (gmt 0)

10+ Year Member

No, it cannot be my browser cache, and not just because I flush it, but because the webserver logs do show my IP as being rejected. And given the behavior I described, how could it be simply my browser cache? The behavior, to recap, is as follows:

- I put a "Deny" in the Apache config file. Result: I get denied.
- I eliminate the "Deny" from the Apache config file. Result: I am still denied. (So far, it could have been the browser cache.)
- I put an explicit "Accept" in the .htaccess file. Result: I get accepted.
- I remove the "Accept" from the .htaccess file. Result: back to being denied.

I don't see how these last two events - and especially going back to the "deny" response after eliminating the "accept" from .htaccess) could have anything to do with simply the browser cache. Obviously, Apache somewhere *remembers* the earlier configuration-level deny.

Any thoughts that anybody could offer?

jdMorgan

7:36 pm on Apr 19, 2008 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

"Accept" isn't a valid directive, so for the sake of clarity, you're using "Deny from" and Allow from," right?

Since HTTP is a stateless protocol, there is no built-in function in Apache that "remembers" anything about previous client requests. It actually takes a lot of work to make the server act like it remembers things: Client-side cookies and server-side session-state scripts, for example.

If you're restarting your server and still seeing all of your requests in the log files, then I don't know why you're seeing this behaviour.

Jim

cedilla

11:07 pm on Apr 19, 2008 (gmt 0)

10+ Year Member

Yes, sorry, I meant "Allow from" everywhere where I said "Accept".

But note that this problem, and my question, has nothing to do with "remembering" previous client requests. What Apache seems to be remembering is previous directives in its configuration files. I don't think this has anything to do with statelessness or statefulness.

cedilla