Require all denied has no effect. Require all allowed, works
See the upgrade guide with examples on the Require Directive: https://httpd.apache.org/docs/trunk/en/upgrading.html
-
Deny from allis nowRequire all denied -
Allow from allis nowRequire all granted
Plot twist: Apache 2.4 doesn't grant access to any directory by default and the order of evaluation has changed.
It was commonplace to block access to the filesystem in apache 2.2, with a Directory / + Require all denied as you wrote. It should be removed now. It will backfire if it ever supersedes permissions in subdirectories.
See the documentation on merging authentication restrictions. It gets insanely complicated in practice. https://httpd.apache.org/docs/trunk/en/mod/mod_authz_core.html#authmerging
The Require all granted in /app is evaluated before the Require all denied in the /app/lib subdirectory. It looks like apache grants access upon meeting the first allowing rule so it's allowed. The whole tree got opened by the directive on the parent and there is not a lot you can do against that.
My advise is to not mix public and private content. It's completely unmanageable in practice. If it's served, it's meant to be served.
Related videos on Youtube
17 : 59
07 : 18
06 : 44
09 : 11
15 : 21
28 : 52
08 : 47
18 : 33
02 : 27
Kraang Prime
Updated on September 18, 2022Comments
-
Kraang Prime almost 2 years
I have a website structure setup as follows, which I am trying to organize access levels for each but without specifying
<Directory>as that requires the structure to be fixed (aka, if i copy this to a different site, into a subfolder, it would require editing of all .htaccess to the new location).- /app/ - allow all, deny config/etc
- /app/templates/ - deny all
- /app/templates/mytheme/ - allow all for images, javascript, css, fonts only
- /app/lib/ - deny all
I have tried implementing Apache2.4's new(ish) directive scheme:
/etc/apache2/conf-enabled/security.conf
... more stuff above ... <Directory /> AllowOverride All Require all denied </Directory> ... more stuff below ...And adding
Require all allowedto.htaccessin the root of the application, while addingRequire all deniedto.htaccessin the folders I wish to deny access to.The problem is
Require all deniedseems to do absolutely nothing. I have seen reference to using themod_auth_compator whichever library, but it appears to only be required for older versions of apache (v2.3).I am using Apache 2.4 on Debian 8.
Previously, I would supply :
Order Allow, Deny Deny from allAnd then drop the following in folders which require access :
Allow from all.. and where I need to allow only specific file type access,
<FilesMatch "\.(jpg|jpeg|gif|png|bmp|svg|css|less|sass|scss|js|ttf|woff|woff2|eot)$"> Allow from all </FilesMatch>According to apache's documentation, unexpected results may arise from mixing old and new declarations, and as such, I am only using new declarations. There are no stray
.htaccessfiles or*.conffiles loaded using the old declaration format for permissions - so this should work ?Given the folder structure I laid out, and what is loaded in '/etc/apache2/conf-enabled/security.conf' (as that is where the "root" declaration is for AllowOverride [it doesn't seem to function when specifying
AllowOverride Allinside the same format of declaration in the websites conf ( 000-default.conf )], could someone give some guidance or preferably a working solution to this problem.-
Colt about 8 yearsNOTE:
Require all allowed(copied from your question) is not proper 2.4. Should beRequire all granted -
MrWhite about 8 yearsAlthough
Require all allowedwould result in a 500 error, so I guess that must be a typo? (Or the code isn't being processed which could also explain why it "seems to do absolutely nothing?) -
Kraang Prime about 8 yearssorry, was exhausted when i wrote this. it was require all granted. since it's been a few days, i will test
require all grantedto see if i was also sleepy when playing with .htaccess. UPDATE: Yup, I was sleepy.Require all grantedworks perfectly. TY so much :)
