Trying to protect website with .htaccess

[vegomatic]

We have several websites setup on one server; each site is a name based virtual host. We want to limit access to these websites to a set of specific IP addresses. In researching this, it looks like .htaccess would be the easy, simple solution, but I cannot get it to work.

The first thing I did was allow overrides in one of the directories (for testing only; the plan is to have all three websites subject to the same IP verification) by putting the following ("changed 8/22") in httpd.conf:


# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
#
###################CHANGED 8/22######################
#
<Directory /var/

http://www/html/forums>

AllowOverride All
</Directory>

I then went to the /var/

http://www/html/forums

directory and created an .htaccess file with the following contents:

order deny,allow
deny from all
allow from 204.255.212.16

The IP address I am testing from is NOT the above address, so I should be blocked.

When I try to access the site, I get a "Fedora Test Page" with the following: "This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page, it means that the web server installed at this site is working properly, but has not yet been configured"

...and a lot of other text.

Can anyone tell me where I'm going wrong? Every site that explains how to use .htaccess makes it sound like all you have to do is put the file in the directory you want protected and Boom! it works. I'm not having that kind of luck.

 

[vegomatic]

Followup.

The Apache error log shows the following when I try to access the site:
[Fri Aug 22 10:56:44 2008] [error] [client 204.255.212.17] client denied by server configuration: /var/

http://www/html/forums/upload/

Is this good? Bad? Indifferent?

 

[elgrandeperro]

What does access_log say? You should get a 403 Forbidden, the apache page seems to indicate you did not restart apache right, or perhaps the conf file is not the running one.

BTW, if there is no default index or a denial, instead of a simple 403 redhat displays error/noindex.html ( at least mine does, which is the Apache welcome page).

 

[vegomatic]

access_log shows this:
noc3.bcpl.net - - [22/Aug/2008:13:26:36 -0400] "GET / HTTP/1.1" 403 3918 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
noc3.bcpl.net - - [22/Aug/2008:13:26:36 -0400] "GET /icons/apache_pb2.gif HTTP/1.1" 304 - "

http://forums.bcpl.net/"

"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
noc3.bcpl.net - - [22/Aug/2008:13:26:36 -0400] "GET /icons/poweredby.png HTTP/1.1" 304 - "

http://forums.bcpl.net/"

"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

which doesn't seem very helpful to me, but I'm not particularly good at configuring Apache

 

[elgrandeperro]

Okay, I believe in the default configuration, a 403 error on the / will give you the apache test page. Check the file in conf.d, maybe welcome.conf. Comment out the lines in that file. reload, and you will get a 403 for / instead of the apache page.

 

[vegomatic]

Woohoo!
Beautiful, el grande! I commented out the lines in welcome.conf and when I tried to access my website I got the "Forbidden" page!

Thanks for your help. I would NEVER have thought to do that!