apache2: why <LimitExcept> parameter results “deny not allowed here” error in virtualhost tag?
Solution 1
As long as your <LimitExcept> block is within a context that's valid for the Allow/Deny directives, then it will work just fine.
If you try putting even a naked Deny rule directly in the <VirtualHost> context, you'll see that it's denied in the same way - <VirtualHost> with a Deny in it is not allowed, so neither is adding a <LimitExcept> between them.
But, the trick is that <LimitExcept>, and some other block types like <IfModule>, do not modify the context of a directive; you'll never see "limit" in the list of acceptable contexts in the documentation for a directive.
There are only four contexts that can dictate whether a directive is allowed:
- server config
- virtual host
- directory (which includes <Location> and <Files> type directives, too)
- .htaccess
In the case of the mod_authz_host directives (Order, Allow, and Deny), they're allowed only in directory and htaccess contexts, so they'll always error when they're not in one.
In your case, there's no filesystem location for this reverse-proxy vhost, so you'll want to use a <Location> block (which is a valid context for Allow/Deny because it's of the directory context type):
<Location />
    Order allow,deny
    Allow from all
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
</Location>
Oh, and get rid of that <Proxy *> block, as it's not doing anything - the <Location> takes precedence over it anyway, but it's in conflict with the <LimitExcept>'s restrictions.. so it makes me nervous.
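The context rule from this answer, as an added example (not part of the original answer and not Apache's own tooling): a small Python check that walks a config and reports Order/Allow/Deny lines with no directory-type section among their ancestors. The function name, the list of directory-type sections and both sample configs are assumptions constructed for illustration.

```python
import re

# Assumption: section types that give "directory" context (core + mod_proxy).
DIRECTORY_SECTIONS = {"directory", "directorymatch", "files", "filesmatch",
                      "location", "locationmatch", "proxy", "proxymatch"}
AUTHZ_HOST = {"order", "allow", "deny"}  # directory/.htaccess context only
OPEN = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>$")
CLOSE = re.compile(r"</\s*([A-Za-z]+)\s*>$")

def misplaced_authz(conf_text):
    """Find Order/Allow/Deny lines with no directory-type ancestor section."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := CLOSE.match(line)):
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append(m.group(1).lower())
        else:
            name = line.split()[0]
            # <LimitExcept>/<IfModule>/<VirtualHost> on the stack never satisfy this.
            if name.lower() in AUTHZ_HOST and not DIRECTORY_SECTIONS.intersection(stack):
                findings.append((no, name, tuple(stack)))
    return findings

# Constructed samples: the question's layout, then the answer's <Location> fix.
BROKEN = """\
<VirtualHost *:80>
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>"""
FIXED = """\
<VirtualHost *:80>
    <Location />
        Order allow,deny
        Allow from all
        <LimitExcept HEAD POST GET>
            Deny from all
        </LimitExcept>
    </Location>
</VirtualHost>"""
```

Only the Deny on line 3 of the first sample is reported; `apachectl configtest` remains the authoritative check before a reload.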
Solution 2
The error message is saying that Deny is not allowed in a <LimitExcept> block.
From a different part of the docs: "The directives provided by mod_authz_host are used in <Directory>, <Files>, and <Location> sections as well as .htaccess files".
destan
Updated on September 18, 2022
Comments
- destan over 1 year
I have asked the same question on Stack Overflow but then I thought it might be more related to here.
In Apache's httpd.conf, between VirtualHost tags, I put a <LimitExcept> expression as follows:
<VirtualHost *:80>
    ServerName geopreprod.xxx.com.tr
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://XXXXXXXX...
    ProxyPassReverse / http://XXXXXXXX....
</VirtualHost>
and then the Apache web server fails to start, giving the following error:
Syntax error on line 513 of XXXXX/httpd.conf: deny not allowed here
Although it says <LimitExcept> can be used in a VirtualHost tag in the official docs, why do I get this error? In the Apache docs it says:
Context: server config, virtual host, directory, .htaccess
- destan over 12 years
Would it behave like I expected if I put <Directory> in <VirtualHost> and then put <LimitExcept> in <Directory>?
- Ladadadada over 12 years
If you still had a Deny inside the <LimitExcept>, no. The problem is where you put the Deny.
- destan over 12 years
But when I do like that the server starts without error. Do you think the limit restriction won't work?
- ravi yarlagadda over 12 years
@Ladadadada Actually it'll work when buried in a directory block (or a location block in this case, since there's no directory for a proxy config). See my answer.
- Ladadadada over 12 years
That makes perfect sense.