
Access restriction on private directory

Locking up a control panel

dstiles

9:14 pm on Sep 27, 2021 (gmt 0)

This and other sites have been running successfully for some time (see my previous postings re: apache and php). On the first site I wrote in an auth block on the cp folder and it worked fine. Subsequent to that I extended the included file use-setenv.conf, which contains pan-site global control of bots etc using setenv/require combinations. Since it was only me accessing the control panel, and I had a personal bypass, I didn't notice that the auth code no longer worked. In fact it was perversely brought to my attention by a client who received a 403 instead of a login form. And when I tried it, with my bypass IP removed, I could ALWAYS get into the CP.

Which points to the auth code failing - at least some of the time. Looking at the code, I would expect the auth section to always work for /cp regardless of any further code.

I tried switching the order of the <directory> blocks with no effect. When I commented out the include it worked correctly (for me - not contacted the client yet). I tried enclosing the include separately in its own <directory> tag but made no difference.

The included code is necessary for the public site and partially needed for the private part. I'm assuming something in it is over-riding the auth but I cannot see what, nor would I expect it to. Any ideas, please?

<VirtualHost *:443>
    ServerAdmin alert@example.net
    ServerName www.example.co.uk
    DocumentRoot /srv/site
    Header edit Set-Cookie ^(.*)$ __Host-$1;HttpOnly;Secure;SameSite=Strict
    <Directory "/">
        AllowOverride None
        Require all denied
    </Directory>
    <Directory "/srv/site">
        DirectoryIndex index.php
        AllowOverride All
        Include /etc/apache2/use-setenv.conf
    </Directory>
    <Directory "/srv/site/cp">
        Require all denied
        # always allow me access
        Require ip (my IP)
        AuthType Basic
        AuthName "Restricted Access"
        AuthUserFile /home/apsec/apas
        Require user auth-user-name
    </Directory>
    SSLEngine on
    <FilesMatch "\.(php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    SetEnv nokeepalive ssl-unclean-shutdown
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.example.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.co.uk/privkey.pem
</VirtualHost>

lucy24

9:57 pm on Sep 27, 2021 (gmt 0)

> When I commented out the include it worked correctly (for me - not contacted the client yet).

Doesn't that point to the problem being something in the file-to-include (which I don't see here)?

Why is the include in a <Directory> section? Does this directory follow different rules than the rest of the server? Also, are the authentication rules different for visitors to suchandsuch hostname than they would be if they were accessing the same physical directories under a different hostname?

Disclaimer: The one and only thing I know about Apache Includes is that MAMP won't do what I want it to do unless I put the vhosts stuff in the main config file instead of including it the way they tell you to.

> I tried switching the order of the <directory> blocks with no effect.

:: detour to apache dot org to confirm that I remembered right ::

> If multiple ... <Directory> sections match the directory (or one of its parents) containing a document, then the directives are applied in the order of shortest match first

It's always reassuring when Apache does what you expect it to do: The actual order of the <Directory> sections doesn't matter; what matters is the length of the path (or depth of nesting). "This rule applies to /A, unless it is /A/B, which in turn can be overridden by specific rules for /A/B/C."

dstiles

9:29 am on Sep 28, 2021 (gmt 0)

> Doesn't that point to the problem being something in the file-to-include (which I don't see here)?

Yes, but shouldn't the login pre-empt any further code? That is what I expected.

> Why is the include in a <Directory> section?

It doesn't work outside a directory or location tag (and a couple of others).
The directories are only relevant for this site.

> The actual order of the <Directory> sections doesn't matter

Which is, as you say, expected. Hmm.

Just found a gotcha in the included file. "If ME then let me in." Couldn't find it before - well, I was writing the above late at night (ok, not really a good excuse!).

Thanks for your time, Lucy. Helpful as ever. :)

Now to discover why the client could not get in.
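An added illustration of the mechanism the thread circles around: not the poster's use-setenv.conf (which is not shown), but a hypothetical pan-site "let me in" rule written as a <Location> section, with the placeholder address 203.0.113.7 standing in for the administrator's IP. It shows why a rule in the include can beat the control-panel block even though the <Directory> sections are ordered correctly, and the shape that avoids it.

```apache
# Hypothetical included rule (constructed for this example). Apache merges
# all <Directory> sections first, then <DirectoryMatch>, then <Files> and
# <FilesMatch>, then <Location> and <LocationMatch>, then <If>. With the
# default AuthMerging Off, a section that carries its own Require
# directives REPLACES the Require configuration merged so far.
<Location "/">
    Require ip 203.0.113.7
</Location>

# The control-panel block from the post. Because <Location "/"> is merged
# after this <Directory>, its single Require ip replaces "Require user";
# the password check never runs for any address, and the bypass address
# gets in without a login. An included <FilesMatch> or <If> section would
# replace it in the same way.
<Directory "/srv/site/cp">
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /home/apsec/apas
    Require user auth-user-name
</Directory>

# Corrected shape: keep the bypass inside the control-panel block, where it
# is combined with the password requirement rather than replacing it. The
# <RequireAny> container makes the "either/or" explicit; a bare list of
# Require lines is only implicitly RequireAny. Any site-wide Require rule
# in the include should then be scoped so it does not also match /cp.
<Directory "/srv/site/cp">
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /home/apsec/apas
    <RequireAny>
        Require ip 203.0.113.7
        Require user auth-user-name
    </RequireAny>
</Directory>
```

A quick way to see which Require rules are actually in effect for a path is to temporarily remove the bypass address and request /cp from another address: a Basic-auth prompt (401) means the user rule is live, while a bare 403 means a later-merged section has replaced it.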