Directory Restriction

axman505

Technical User
Jun 20, 2001
489
US
Here is my setup. I have AllowOverride set to AuthConfig Indexes Limit.

The web root file carries a .htaccess file that reads the following:

Order Deny,Allow
Deny from All
Allow from 192.168.0
AuthType Basic
AuthName "Axman's Website"
AuthUserFile /var/
require valid-user
Satisfy Any

Now my challenge is that I want to restrict access to certain folders to local only and not over the Internet. I have added rules such as the following to the httpd.conf:

<Location /manual/*>
Order Deny,Allow
Deny from all
Allow from 192.168.0
AllowOverride None
</Location>

The rule works fine when the .htaccess file is removed. How do I set everything to make it work for me?
 
I just moved recently (back to NY) and don't have any of my books or computers with me until the moving company gets here, but I'll try and help you in the meantime.

One thing I don't understand is that you want to restrict access to only certain folders on your LAN, but you are doing that in both the .htaccess file and in the Location container. It doesn't look like you are allowing anybody from the internet to connect anywhere.

What happens if you use a <Limit> container instead of a <Location>? <Limit> containers are the narrowest scopes and override all previous settings.

Also, what does your <Directory /> container look like?


ChrisP
------------------------------------------------------------------------------
If somebody helps you, please click the link in the bottom left hand corner that says "Mark this post as a helpful/expert post".
 
<Directory "/var/
Options Indexes FollowSymLinks MultiViews
AllowOverride AuthConfig Indexes Limit
Order allow,deny
Allow from all
</Directory>


The way I have it set up, I have a password required for anyone to look at the website, but I still only want certain folders to be accessed locally.
 
I take it replacing the <Location> with <Limit> didn't work?
 
Right .. replacing Location with Limit didn't only not work, it didn't allow httpd to start.

If I remove the .htaccess file, the Location directive works and it does block all outside access to the folder. So it is just a matter of setting it up so the .htaccess doesn't override my rules for that directory.
 
This is from Apache's website...

"The <Location> directive provides for access control by URL. It is comparable to the <Directory> directive, and should be matched with a </Location> directive. Directives that apply to the URL given should be listed between them. <Location> sections are processed in the order they appear in the configuration file, after the <Directory> sections and .htaccess files are read."

I also read that you can't use Directory and Location containers inside one another if you are doing that.

The AllowOverride directive doesn't work in a <Location> container -->

AllowOverride Directive
Description: Types of directives that are allowed in .htaccess files
Syntax: AllowOverride All|None|directive-type [directive-type] ...
Default: AllowOverride All
Context: directory


ChrisP

 
I'm still a little confused on how you have your httpd.conf set up. By default, you are telling Apache to use the .htaccess file on all folders. The .htaccess file is requiring a username/password to access anything on the site, and only allows access to local users. I don't see anywhere where Internet users can access your site. The idea behind your <Location> container was that you only wanted to allow access to local users (again), but you didn't want to require a password for that folder.

When I use mod_auth, I usually do something like this...

<Directory />
Order deny,allow
Options -Indexes FollowSymLinks
AllowOverride None
Deny from all
</Directory>


<Directory "/
Options -Indexes FollowSymLinks
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Alias /staff/ "/
<Location /staff/>
AuthName "My Company's Employees"
AuthType Basic
AuthUserFile /
require valid-user
</Location>


Basically, I disallow access to everyone by default and only open it up where needed. Then I use Location containers to specify when I want to use password protected access.


ChrisP
 
I have a .htaccess file in the root web directory which allows local access to the website, and allows Internet access via username and password.
 
Oh, the .htaccess file you showed us seems like to me that it only allows local access and requires a username for everybody.

Order Deny,Allow
Deny from All
Allow from 192.168.0
AuthType Basic
AuthName "Axman's Website"
AuthUserFile /var/
require valid-user
Satisfy Any

'Deny From All' then 'Allow from 192.168.0' will only allow local access and then 'require valid-user' will require those people to enter a username/password. I don't see how an Internet user could get in.

ChrisP
 
The "allow from 192.168.0" allows automatic authentication to the website without having the need to enter a password from the local LAN. Any users accessing the site from outside 192.168.0 need to enter a valid username and password to access the site.
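
The behaviour described in the post above, as an added example that is not part of the original thread: a small Python model of how `Order Deny,Allow`, `Allow from 192.168.0` and `require valid-user` combine under `Satisfy Any` versus `Satisfy All`. The function names, the status-code mapping and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Directives from the .htaccess quoted in the thread (AuthUserFile omitted).
HTACCESS = {"order": "deny,allow", "deny": ["all"], "allow": ["192.168.0"]}

def host_allowed(client_ip, rules):
    """Host check as Order/Deny/Allow define it, for 'all' and partial-IP patterns."""
    ipaddress.IPv4Address(client_ip)  # raises ValueError on malformed input

    def matches(patterns):
        # "192.168.0" matches any address whose leading octets are 192.168.0
        return any(p.lower() == "all" or (client_ip + ".").startswith(p.rstrip(".") + ".")
                   for p in patterns)

    if rules["order"] == "deny,allow":   # default allow; a matching Allow wins
        return matches(rules["allow"]) or not matches(rules["deny"])
    if rules["order"] == "allow,deny":   # default deny; a matching Deny wins
        return matches(rules["allow"]) and not matches(rules["deny"])
    raise ValueError("unknown Order value")

def decide(client_ip, valid_login, satisfy, rules=HTACCESS):
    """HTTP status for a request when 'require valid-user' is also in force."""
    host_ok = host_allowed(client_ip, rules)
    if satisfy == "any":                 # either check is enough
        return 200 if (host_ok or valid_login) else 401
    if satisfy == "all":                 # both checks must pass
        if not host_ok:
            return 403
        return 200 if valid_login else 401
    raise ValueError("unknown Satisfy value")

def table():
    # Constructed sample clients: one LAN address, one documentation-range address.
    clients = [("192.168.0.17", False), ("203.0.113.9", False), ("203.0.113.9", True)]
    return {(ip, login, s): decide(ip, login, s)
            for ip, login in clients for s in ("any", "all")}

if __name__ == "__main__":
    for (ip, login, s), status in table().items():
        print(f"Satisfy {s:<3}  {ip:<13} login={login!s:<5} -> {status}")
```
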
 
Oh, I see. The "satisfy any" will allow either method. What if you did something like this...

<Directory "/var/
AllowOverride None
Order Deny,Allow
Deny from all
Allow from 192.168.0
Satisfy all
</Directory>


ChrisP

 
I tried that .. but since I have the AllowOverride Limit set in the directory container, the .htaccess file overrides that, hence my problem.
 
I really don't understand why the above doesn't work. Did you restart Apache after you tried it? A narrower scope will override any previous settings. This is how it's normally done. AllowOverride can be turned on or off for any directory or subdirectory.

If the above really doesn't work for whatever reason, what if you did an 'AllowOverride None' in the first <Directory /> container and then used 'AllowOverride AuthConfig' only where needed in separate Directory containers?

If you're still having a problem after this, I have a good Apache book that I should have back in a few days that will help us fix it. The moving company should be here by Friday. I don't even have a Linux box right now :(

Let us know if you fix it before then.

ChrisP
 
I added this to the httpd.conf

<Directory /var/
Order Deny,Allow
Deny from All
AllowOverride None
</Directory>

And now when I access it locally, instead of just working, it pops up the password box, and still works upon the entering of a valid password.

This confuses me, I don't understand why it is asking for the password. It's almost like the .htaccess will override anything.
 
Is there a way I can add the directory restriction directives to the .htaccess file instead of placing them in the httpd.conf??

I think this would solve my problem.
 
I still don't have any of my books or Linux boxes to test anything on (the moving company will be here tomorrow), but if you could use 'AuthType None' in the directories that are for local only, then that would solve your problem. I'm not sure if that is a valid directive though. Try it and let us know.


ChrisP

 
Don't use it with Options. Use it on a blank line like you did in the .htaccess file. Like I said before, I don't know if None is a valid directive for AuthConfig, but give it a try. I'll have my books and Linux computers tomorrow so hopefully I can give you some better answers then.
 
That didn't work either .. so I guess we will just have to hold out for the books.
 