On Tue, Jul 13, 2010 at 3:27 PM, Joseph M. Morgan <josephmmor...@hotmail.com> wrote: > On 7/13/2010 9:03 AM, Tom Evans wrote: >> >> On Tue, Jul 13, 2010 at 1:13 PM, Joseph M. Morgan >> <josephmmor...@hotmail.com> wrote: >> >>> >>> This is an Apache 2.2 server running within a VM on CentOS. >>> >>> Both the authn_basic_module and the authn_host_module are loaded. >>> >>> I have the following directive: >>> >>> <Directory "/var/www/html"> >>> Order deny,allow >>> Deny from 221.192.0.0/14 >>> </Directory> >>> >>> Yet, today I see in my access logs: >>> >>> 221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET >>> http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ...... >>> >>> Why didn't Apache block this? >>> >>> >>> >>> >> >> Are there other Deny/Allow blocks in your config that may be >> overriding this one? Does this request end up not being resolved to a >> on disk file, which would bypass the Directory block? >> >> Cheers >> >> Tom >> >> > > I have the<Files ~ "^\.ht"> and the directory "/var/www/cgi-bin" as deny > from all but it makes no sense those would allow anything, would they? > > The directories "var/www/error" and "var/www/icons" are Allow from all > > > Are you hinting that I need to add a<Files> with the deny?? >
<Directory> and <Files> blocks are applied when apache is planning to serve a file, which can be bypassed if it isn't strictly a file it is serving. For instance, proxying never ends up with apache looking at a file on disk, so with this config: DocumentRoot /var/empty <Directory /var/empty> Order allow,deny Deny from all </Directory> ProxyPass / http://app/ requests would always be allowed - everything goes thru proxy, not the file system. If you change from the <Directory> approach to the <Location> approach, does it then work correctly? IE, map out exclusions in URL space, not filesystem space. Cheers Tom --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
