
[Apache] "Deny" directives silently ignored in config files



Hi,

I have a server running Apache HTTPD 2.2.16, installed as a Debian
package (Debian Squeeze).

Some time ago, "Deny from XXX" directives were correctly taken into
account, both in .htaccess files and in system-wide configuration files
(/etc/apache2/*). I noticed recently that it is no longer the case. I
suspect that this breakage occurred when migrating the server from Debian
Lenny to Debian Squeeze, but I'm not sure.

According to "apachectl -t -D DUMP_PACKAGES", the module
authz_user_module is loaded (it says "(shared)").

I tried the following:

<Location /tmp/>
Order deny,allow
Deny from all
#RewriteEngine On
#RewriteRule . - [F]
</Location>

As it is, the location /tmp/ isn't denied. If I uncomment the Rewrite
rule, it is denied (hence, the config file is read, and the location is
properly specified).

This is a production server so I have limited testing possibilities (but
I do have a test virtualhost on which the problem occurs). I tried
reproducing the problem on a test machine, with the same version and a
full copy of /etc/apache2/ (copied with "rsync -av", only modified to
replace the IP address and DNS name of the server), but the test machine
does not exhibit the problem. I did not copy the files in DocumentRoot.

I tried disabling .htaccess files on the server, in case the problem
would be caused by a .htaccess file, but the problem is still there.

I saw nothing in the logs. access.log shows normal accesses (i.e. code
200), and error.log does not change while accessing the pages to be
denied. "apachectl graceful" does not display any warning.

Any idea on what's going on? Where to look for the error?

Thank you very much in advance,

(please, keep me Cc-ed, I'm not subscribed)

-- 
Matthieu Moy
http://www-verimag.imag.fr/~moy/
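
An added example, not part of the original post: a shell/awk check that scans an access log for requests under a location that is meant to be denied (here /tmp/, as in the post) but were served with a 2xx or 3xx status instead of 403. The function names, the common/combined log format assumption and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find requests under a prefix that should be denied
# but were served anyway. Assumes Apache common/combined log format.

# unenforced_deny PREFIX [LOGFILE...]
# Prints "status client path" for every request whose path starts with
# PREFIX and whose status is 2xx or 3xx. Reads stdin if no file is given.
unenforced_deny() {
    prefix=$1
    shift
    awk -v prefix="$prefix" '
        {
            # Fields: $1 client, $6 "\"METHOD", $7 URL, $9 status
            path = $7
            sub(/\?.*$/, "", path)               # ignore the query string
            if (index(path, prefix) != 1) next   # not under the prefix
            if ($9 ~ /^[23][0-9][0-9]$/)         # served, not denied
                print $9, $1, path
        }' "$@"
}

# Constructed sample log lines (documentation IP range, made-up times).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Mar/2011:10:00:01 +0100] "GET /tmp/ HTTP/1.1" 200 512
192.0.2.10 - - [01/Mar/2011:10:00:02 +0100] "GET /index.html HTTP/1.1" 200 1024
192.0.2.11 - - [01/Mar/2011:10:00:03 +0100] "GET /tmp/file.txt?x=1 HTTP/1.1" 403 210
192.0.2.12 - - [01/Mar/2011:10:00:04 +0100] "GET /tmp/file.txt HTTP/1.1" 200 4096
192.0.2.13 - - [01/Mar/2011:10:00:05 +0100] "GET /tmpfiles/a HTTP/1.1" 200 100
EOF
}

# Demo run on the constructed sample; on a server, pass the real log:
#   unenforced_deny /tmp/ /var/log/apache2/access.log
sample_log | unenforced_deny /tmp/
```

Run against the live access log after every configuration change or upgrade, this turns a silently ignored Deny into a visible list of served requests.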

