Forum Moderators: phranque

"ALLOW" certain IPs only for one folder

Not for whole site

         

craig1972

1:46 am on Feb 10, 2010 (gmt 0)

10+ Year Member



Hi

Is there a way to keep a website public but limit only a folder to specific IPs?

The "deny from" and "allow from" logic I think works for an entire domain, but not for a folder?

Or is it possible to put this inside the .htaccess of a specific folder:



Order deny,allow
Deny from all
Allow from 1.1.1.1
Allow from 2.2.2.2
..



Thanks for any tips!

jdMorgan

1:55 am on Feb 10, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Put the Order, Allow, and Deny directives in a .htaccess file in *that* subdirectory, then.

Jim

craig1972

2:11 am on Feb 10, 2010 (gmt 0)

10+ Year Member



Thanks JD.

How can I make sure that any IP addresses that start with "1.1" are covered? Would this be valid:


Order deny,allow
Deny from all
Allow from 1.1.0.0/48


Because when I do this, it gives me myself an access denied error!

jdMorgan

2:16 am on Feb 10, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Allow from 1.1
Allow from 1.1.0.0/16
Allow from 1.1.0.0/255.255.0.0

All three are equivalent, using the three different "address range" notations supported by Apache mod_access [httpd.apache.org].

Jim

craig1972

3:07 am on Mar 17, 2010 (gmt 0)

10+ Year Member



This doesn't work.

In my htaccess file, I have the following:


Order deny,allow
Deny from all
Allow from 202.156.14.0/24
Allow from 202.156.15.0/24
Allow from 120.50.40.30
Allow from 120.50.40.102


My IP is 202.156.14.** (which should be covered by the first line?) and this htaccess still gives me a 403 forbidden message. What's up?

[edited by: jdMorgan at 1:45 am (utc) on Mar 28, 2010]
[edit reason] Obfuscated personal IP address [/edit]

jdMorgan

6:20 pm on Mar 17, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Nothing wrong with your code. Did you flush your browser cache before testing the new code?

You will also need to flush your cache if you use the same computer to check the code from a different IP address -- in either case, you don't want your browser to show you previously-cached server response codes and pages, as it will unless you set the server cache-control headers on 403 responses to make them uncacheable.

BTW, You can replace those first two "Allows" with
 Allow from 202.156.14.0/23 

just to save time and space...

If you use a custom 403 error document, you will also need to "Allow" it, regardless of the requesting IP address. Otherwise, a denied client will trigger another 403 when trying to fetch the 403 error page, which will in turn trigger a third 403, then a fourth, and so on. This is easily done with mod_setenvif and the "Allow from env=" syntax in mod_access.

Let's leave that 'til later, though, as it would be better to get your Deny working in a simple mode first, before adding more IP-address or filepath exceptions...

Jim
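The range notations discussed in this thread can be checked offline before an .htaccess goes live. This is an added example, not code from any poster: it uses Python's standard ipaddress module, the function names and test client addresses are made up for illustration, and hostname forms of "Allow from" are not handled.

```python
import ipaddress

# The "Allow from" values posted in the thread.
THREAD_RULES = ["202.156.14.0/24", "202.156.15.0/24",
                "120.50.40.30", "120.50.40.102"]

def parse_allow(spec):
    """Turn one 'Allow from' address spec into an IPv4Network.

    Handles the three notations named in the thread: partial address
    ('1.1'), CIDR ('1.1.0.0/16') and network/netmask
    ('1.1.0.0/255.255.0.0'). Raises ValueError for an impossible
    prefix such as /48, since an IPv4 address has only 32 bits.
    """
    if "/" not in spec:
        octets = spec.rstrip(".").split(".")
        if not 1 <= len(octets) <= 4:
            raise ValueError("bad address: " + spec)
        # A partial address matches on its leading octets only.
        prefix = 8 * len(octets)
        padded = octets + ["0"] * (4 - len(octets))
        spec = ".".join(padded) + "/" + str(prefix)
    # strict=True also rejects a network address with host bits set.
    return ipaddress.IPv4Network(spec, strict=True)

def same_range(*specs):
    """True when every spec describes exactly the same address range."""
    return len({parse_allow(s) for s in specs}) == 1

def allowed(client_ip, allow_specs):
    """Model 'Order deny,allow' + 'Deny from all': only an Allow admits."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in parse_allow(s) for s in allow_specs)

def collapse(allow_specs):
    """Merge adjacent ranges into the shortest equivalent list."""
    nets = ipaddress.collapse_addresses(parse_allow(s) for s in allow_specs)
    return [str(n) for n in nets]

if __name__ == "__main__":
    print(same_range("1.1", "1.1.0.0/16", "1.1.0.0/255.255.0.0"))
    print(allowed("202.156.14.77", THREAD_RULES))  # constructed client IP
    print(collapse(THREAD_RULES))
    try:
        parse_allow("1.1.0.0/48")
    except ValueError as err:
        print("rejected:", err)
```
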

craig1972

4:46 pm on Mar 24, 2010 (gmt 0)

10+ Year Member



Yes, I have a custom 403 document. How should I allow it? With chmod? Thanks!

jdMorgan

1:14 pm on Mar 26, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> it would be better to get your Deny working in a simple mode first, before adding more IP-address or filepath exceptions...

Do not add additional complications unless the 'simple' code works as desired. Doing so only results in more-complex and much longer debugging sessions -- for you and for the contributing members here.

The special handling for a custom 403 page is easily done with mod_setenvif and the "Allow from env=" syntax in mod_access. But it is important to keep things simple and to take one step at a time.

Jim

craig1972

6:48 pm on Mar 26, 2010 (gmt 0)

10+ Year Member



Thanks Jim.

So which one should I do: not have a "403" page? Sorry, we already have that and it's needed.

Now, with that in place, even if I try just one line of the allow/deny code as above, it doesn't work.

So where should I start? And what is "mod_access" -- a section in httpd.conf?

wilderness

8:56 pm on Mar 26, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



And what is "mod_access [httpd.apache.org]"

jdMorgan

1:08 am on Mar 27, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Please be clear. Does your basic mod_access allow/deny code work or not?

I will not discuss the custom 403 page until your mod_access allow/deny code problem is resolved. Doing so only makes the original problem more complex.

Simplify and get one thing working at a time, or you (and we) will end up spending a *lot* more time debugging. Personally, I do not have "a lot more time" to volunteer in support of inefficient debugging approaches, and that's why I request that you take this in steps.

If the basic access control is now working, then post your modified code for further discussion of the custom 403 page handling.

Thanks,
Jim

craig1972

7:58 am on Mar 27, 2010 (gmt 0)

10+ Year Member



Sorry. I think I'm misunderstanding you.

I have put the code above in my .htaccess file. Is this "mod_access"? I have no clue what mod_access is.

If htaccess is mod_access, then yes that code is in there and it's not giving me a 500 internal server error or anything. Just giving me 403 even though my IP is in the .htaccess of the folder.

jdMorgan

12:12 pm on Mar 27, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



mod_access is an Apache module -- the one that interprets "Order, Allow, and Deny" directives.

Please refer to the Apache server "modules" documentation at Apache.org. A minimum familiarity with the terminology is required to make productive use of this forum.

The most likely problem is that you've got other code which does "allows and denys" and that this new code is "fighting" with it. A common problem is having one "chunk" of code that uses "Order Deny,Allow" and another that uses "Order Allow,Deny", and trying to apply them to the same set of HTTP request conditions. In this case, any "other code" that matches that description will have to be modified to use the "Deny,Allow" order, since the use of a custom 403 error document will require it.

Jim

craig1972

5:22 pm on Mar 27, 2010 (gmt 0)

10+ Year Member



Thanks for this jdm.

I have only one .htaccess, inside my folder that I wish to password protect. So not sure where the competing rules could be coming from.

Could it be from the overall httpd.conf setting in the server?

jdMorgan

10:12 pm on Mar 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It could be. Unless you're seeing errors getting logged in your server error log file pointing to some specific problem, I'd be looking for even unlikely causes, because your code is trivial and appears to be quite valid. It should be working.

Jim