[Cialug] apache sibling <Directory> rights

Josh More jmore at starmind.org
Thu Nov 10 10:28:13 CST 2011


Just so I'm on the record as saying this... having a secure zone within an
unsecured zone is dependent entirely upon the mediation layers.  In other
words, the security is 100% reliant on the Apache user restriction model
having 0% exploitable bugs.

If /sekrit were moved outside of the Document Root, problems would be
dependent on Apache not having a bug in both the user restriction model AND
the location model... far more secure.  This is the way that is considered
"best practice" for people serving purchased content... so a bug won't
allow people direct access to the repository directory.  By having a
mediating proxy app that bridges to the secure location outside of the
document root, you gain an additional layer.

-Josh

On Thu, Nov 10, 2011 at 10:03 AM, Barry Von Ahsen <barry at vonahsen.com> wrote:

> well, I got it to work by requiring a specific user for /sekrit - not
> super elegant, but effective
>
>
> -barry
>
>
> On 11/10/2011 8:14 AM, Barry Von Ahsen wrote:
>
>> I've got the following <Directory> directives:
>>
>> <Directory /home/apache/>
>> EnableMMAP off
>> EnableSendfile off
>> </Directory>
>> <Directory /home/apache/sekrit/>
>> Order deny,allow
>> Deny from all
>> Allow from (lan)
>> </Directory>
>> <Directory /home/apache/*>
>> Order deny,allow
>> deny from all
>> Allow from (lan)
>> AuthUserFile (file)
>> AuthType basic
>> AuthName "who is it"
>> Require valid-user
>> Satisfy any
>> </Directory>
>>
>>
>> so I want /home/apache/sekrit to be LAN only, and /home/apache/anything
>> else to be basic authenticated, but I can only get it to do one or the
>> other - either sekrit is 403 and anything else is allowed
>> unauthenticated, or everything is available when authenticated,
>> including sekrit
>>
>> I've tried to put <Directory /sekrit> both first and second, thinking it
>> was processed in order, and also within the <VirtualHost>. I tried
>> <Directory sekrit> then <DirectoryMatch /home/apache/[^sekrit]>. I tried
>> the suggestions in apache.org/howto/auth and howto/access, and I tried
>> <Directory /home/apache/*> then more restrictive <Files sekrit> and
>> <Location sekrit> per
>> http://httpd.apache.org/docs/2.2/sections.html#mergin and I've tried a
>> deny from all .htaccess in sekrit, and all fail (interestingly, allow
>> from all .htaccess served the pages even after a failed basic auth
>> instead of sending 401)
>>
>>
>> it seems like:
>> <Directory /home/apache/*>
>> require valid-user
>> </Directory>
>> <VirtualHost>
>> <Directory /home/apache/secret>
>> deny from all
>> </Directory>
>> </VirtualHost>
>> should do it (and the docs seem to say so)
>>
>>
>>
>> the easy thing to do is move /sekrit somewhere outside /home/apache, but
>> there's gotta be a way to do this
>>
>> -barry
>>
>>
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug
>>
>
>
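The mediating layer Josh describes, as an added example that is not code from the thread or from Apache: a small WSGI app that serves files from a directory kept outside the DocumentRoot, re-applies the LAN check inside the app, and confines every requested path to that directory. SECURE_BASE and the LAN network are assumed values.

```python
# Added example, not code from the thread: a minimal WSGI "mediating app" that
# serves files kept OUTSIDE Apache's DocumentRoot, so a bug in <Directory>
# access merging cannot expose the repository directly. SECURE_BASE and LAN_NET
# are assumed/constructed values for illustration.
import ipaddress
import mimetypes
import os
from typing import Optional

SECURE_BASE = "/srv/sekrit"                         # assumed: not under DocumentRoot
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # constructed stand-in for "(lan)"


def is_lan(remote_addr: str) -> bool:
    """Second copy of the 'Allow from (lan)' rule, enforced by the app itself."""
    try:
        return ipaddress.ip_address(remote_addr) in LAN_NET
    except ValueError:
        return False


def confine_path(base: str, requested: str) -> Optional[str]:
    """Map a URL path to a file under `base`; return None if it would escape."""
    base = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base, requested.lstrip("/")))
    # Lexical check: any '..' component must still land strictly inside base.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate


def app(environ, start_response):
    """WSGI entry point: mediate access first, then stream the file."""
    if not is_lan(environ.get("REMOTE_ADDR", "")):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    target = confine_path(SECURE_BASE, environ.get("PATH_INFO", "/"))
    # realpath re-checks the confinement after symlink resolution on disk.
    if (target is None or not os.path.isfile(target)
            or os.path.commonpath([SECURE_BASE, os.path.realpath(target)]) != SECURE_BASE):
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    ctype = mimetypes.guess_type(target)[0] or "application/octet-stream"
    start_response("200 OK", [("Content-Type", ctype)])
    with open(target, "rb") as fh:
        return [fh.read()]
```

Apache would proxy the protected URL prefix to this app, so the only path to the files goes through both Apache's access rules and the app's own checks.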

