>Number: 3277 >Category: general >Synopsis: <LocationMatch> not being overridden by <VirtualHost> >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Oct 22 20:50:00 PDT 1998 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.3.3 w/mod_perl 1.16 >Environment: Linux 2.0.34 -- gcc 2.7.2.3 >Description: To start -- Apache and mod_perl are all compiled statically including Apache modules.
I read the "sections.html" thoroughly and came to the conclusion that <LocationMatch> was overridden by <VirtualHost>. Scenario: -------- srm.conf -------- Alias /protect /usr/local/protect ScriptAlias /cgi-protect/ /usr/protect/cgi-protect-me <LocationMatch "/(protect.*|cgi-protect.*)"> order deny,allow deny from all </LocationMatch> ---------- httpd.conf ---------- <VirtualHost xxx.xxx.xxx.xxx:xx> blah blah blah <LocationMatch "/(protect.*|cgi-protect.*)"> AuthDBMUserFile /home/www/customer/.www_pwd AuthName "Protect_Me" AuthType Basic require user user_name </LocationMatch> Now whenever I goto http://www.customer.com/protect I get a forbidden response, yet the explanation of the sections says that the VirtualHost should override the server config. Am I misinterpreting something? >How-To-Repeat: no url to use. I hope the above scenario is enough to understand the problem. >Fix: To fix my situation -- I remove the <LocationMatch> from the srm.conf file. I have /protect in the server Alias directive. This leads to an unpleasent side-effect of any customer being able to type http://www.customer21.com/protect http://www.customer34.com/protect etc.... and not getting asked for authentication, unless I go through every VirtualHost and add the <LocationMatch> directive. I set this as serious, as it should work as per documented. Thank you for such a wonderful HTTPD server, and to NCSA for getting the ball rolling. >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]
