Matthieu Moy <matthieu....@grenoble-inp.fr> writes:

> I have a server running Apache HTTPD 2.2.16, installed as Debian
> package (Debian Squeeze).
>
> Some time ago, "Deny from XXX" directives were correctly taken into
> account, both in .htaccess files and in system-wide configuration files
> (/etc/apache2/*). I noticed recently that it is no longer the case.

I did find the guilty lines in the configuration file:

  <Location />
    Deny from <some IP address to blacklist>
  </Location>

(found by restarting from a /etc/apache2 as installed by Debian, which
didn't have the problem, and adding patch hunks between my old config
directory and the Debian one, playing with "git stash -p")

The explanation is:

http://httpd.apache.org/docs/2.2/sections.html

"The order of merging is:

  <Directory> (except regular expressions) and .htaccess done
  simultaneously (with .htaccess, if allowed, overriding <Directory>)
  <DirectoryMatch> (and <Directory ~>)
  <Files> and <FilesMatch> done simultaneously
  <Location> and <LocationMatch> done simultaneously"

and what I did not understand was that a Deny directive will override
the whole configuration done previously, hence the Deny in a <Location>
was overriding everything done in .htaccess and <Directory> sections.

I removed this line, and everything is fine now. We'll use iptables next
time we want to blacklist an IP ...

I'm keeping the details of the problem for the record:

> I suspect that this breakage occurred when migrating the server from
> Debian Lenny to Debian Squeeze, but I'm not sure.
>
> According to "apachectl -t -D DUMP_PACKAGES", the module
> authz_user_module is loaded (it says "(shared)").
>
> I tried the following:
>
> <Location /tmp/>
>   Order deny,allow
>   Deny from all
>   #RewriteEngine On
>   #RewriteRule . - [F]
> </Location>
>
> As it is, the location /tmp/ isn't denied. If I uncomment the Rewrite
> rule, it is denied (hence, the config file is read, and the location is
> properly specified).
>
> This is a production server so I have limited testing possibilities (but
> I do have a test virtualhost on which the problem occurs). I tried
> reproducing the problem on a test machine, with the same version and a
> full copy of /etc/apache2/ (copied with "rsync -av", only modified to
> replace the IP address and DNS name of the server), but the test machine
> does not exhibit the problem. I did not copy the files in DocumentRoot.
>
> I tried disabling .htaccess files on the server, in case the problem
> would be caused by a .htaccess file, but the problem is still there.
>
> I saw nothing in the logs. access.log shows normal accesses (i.e. code
> 200), and error.log does not change while accessing the pages to be
> denied. "apachectl graceful" does not display any warning.
>
> Any idea on what's going on? Where to look for the error?
>
> Thank you very much in advance,
>
> (please, keep me Cc-ed, I'm not subscribed)

-- 
Matthieu Moy
http://www-verimag.imag.fr/~moy/
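
The override described in this message, as an added example that is not part of the original post: a simplified Python model of how Order/Allow/Deny settings behave across the merge order quoted above. It assumes that a later-merged section containing any of these directives replaces the earlier access settings instead of adding to them; the function names, addresses and section contents are constructed for illustration.

```python
import ipaddress

# Merge order quoted from the Apache 2.2 sections documentation (simplified:
# the regex and Files stages are kept only as ordering slots).
MERGE_ORDER = ["Directory", "htaccess", "DirectoryMatch", "Files", "Location"]

def matches(spec, client):
    """True if a 'from' spec ('all', an IP or a CIDR) covers the client."""
    if spec == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def effective_access(sections):
    """Return the access block of the last-merged section that has one.

    Assumption of this model: a section containing any Order/Allow/Deny
    directive replaces the access settings merged so far; nothing is inherited.
    """
    ordered = sorted(sections, key=lambda s: MERGE_ORDER.index(s["kind"]))
    current = None
    for section in ordered:
        if section.get("access") is not None:
            current = section["access"]
    return current

def is_allowed(sections, client):
    """Evaluate the surviving access block for one client address."""
    access = effective_access(sections)
    if access is None:
        return True
    order = access.get("order", "deny,allow")    # Apache 2.2 default Order
    denied = any(matches(s, client) for s in access.get("deny", []))
    allowed = any(matches(s, client) for s in access.get("allow", []))
    if order == "deny,allow":
        return allowed or not denied             # unmatched clients are allowed
    return allowed and not denied                # allow,deny: unmatched are denied

# Constructed sample configuration; 203.0.113.7 is a documentation address.
HTACCESS = {"kind": "htaccess",
            "access": {"order": "deny,allow", "deny": ["all"]}}
BLACKLIST = {"kind": "Location",                 # models <Location /> Deny from <IP>
             "access": {"deny": ["203.0.113.7"]}}

if __name__ == "__main__":
    for label, cfg in [("with <Location /> blacklist", [BLACKLIST, HTACCESS]),
                       ("blacklist line removed", [HTACCESS])]:
        for client in ["198.51.100.20", "203.0.113.7"]:
            verdict = "allowed" if is_allowed(cfg, client) else "denied"
            print(f"{label}: {client} -> {verdict}")
```

With the blacklist section present, only the blacklisted address is denied and the "Deny from all" in the .htaccess no longer applies to anyone else, which is the symptom reported above.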