[Cialug] apache sibling <Directory> rights
Barry Von Ahsen
barry at vonahsen.com
Thu Nov 10 08:14:08 CST 2011
I've got the following <Directory> directives:
<Directory /home/apache/>
EnableMMAP off
EnableSendfile off
</Directory>
<Directory /home/apache/sekrit/>
Order deny,allow
Deny from all
Allow from (lan)
</Directory>
<Directory /home/apache/*>
Order deny,allow
deny from all
Allow from (lan)
AuthUserFile (file)
AuthType basic
AuthName "who is it"
Require valid-user
Satisfy any
</Directory>
so I want /home/apache/sekrit to be LAN only, and /home/apache/anything
else to be basic authenticated, but I can only get it to do one or the
other - either sekrit is 403 and anything else is allowed
unauthenticated, or everything is available when authenticated,
including sekrit
I've tried to put <Directory /sekrit> both first and second, thinking it
was processed in order, and also within the <VirtualHost>. I tried
<Directory sekrit> then <DirectoryMatch /home/apache/[^sekrit]>. I
tried the suggestions in apache.org/howto/auth and howto/access, and I
tried <Directory /home/apache/*> then more restrictive <Files sekrit>
and <Location sekrit> per
http://httpd.apache.org/docs/2.2/sections.html#mergin and I've tried a
deny from all .htaccess in sekrit, and all fail (interestingly, allow
from all .htaccess served the pages even after a failed basic auth
instead of sending 401)
it seems like:
<Directory /home/apache/*>
require valid-user
</Directory>
<VirtualHost>
<Directory /home/apache/secret>
deny from all
</Directory>
</VirtualHost>
should do it (and the docs seem to say so)
the easy thing to do is move /sekrit somewhere outside /home/apache, but
there's gotta be a way to do this
-barry
More information about the Cialug
mailing list