
Re: [Apache] "Deny" directives silently ignored in config files [SOLVED]



Matthieu Moy <Matthieu.Moy@grenoble-inp.fr> writes:

> I have a server running Apache HTTPD 2.2.16, installed as Debian
> package (Debian Squeeze).
>
> Some time ago, "Deny from XXX" directives were correctly taken into
> account, both in .htaccess files and in system-wide configuration files
> (/etc/apache2/*). I noticed recently that it is no longer the case.

I did find the guilty lines in the configuration file:

<Location />
     Deny from <some IP address to blacklist>
</Location>

(found by restarting from a /etc/apache2 as installed by Debian, which
didn't have the problem, and adding patch hunks between my old config
directory and the Debian one, playing with "git stash -p")

The explanation is:

http://httpd.apache.org/docs/2.2/sections.html
"The order of merging is:

    <Directory> (except regular expressions) and .htaccess done simultaneously (with .htaccess, if allowed, overriding <Directory>)
    <DirectoryMatch> (and <Directory ~>)
    <Files> and <FilesMatch> done simultaneously
    <Location> and <LocationMatch> done simultaneously"

and what I did not understand was that a Deny directive will override
the whole configuration done previously, hence the Deny in a <Location>
was overriding everything done in .htaccess and <Directory> sections.

I removed this line, and everything is fine now. We'll use iptables next
time we want to blacklist an IP ...

I'm keeping the details of the problem for the record:

> I suspect that this breakage occurred when migrating the server from
> Debian Lenny to Debian Squeeze, but I'm not sure.
>
> According to "apachectl -t -D DUMP_PACKAGES", the module
> authz_user_module is loaded (it says "(shared)").
>
> I tried the following:
>
> <Location /tmp/>
> Order deny,allow
> Deny from all
> #RewriteEngine On
> #RewriteRule . - [F]
> </Location>
>
> As it is, the location /tmp/ isn't denied. If I uncomment the Rewrite
> rule, it is denied (hence, the config file is read, and the location is
> properly specified).
>
> This is a production server so I have limited testing possibilities (but
> I do have a test virtualhost on which the problem occurs). I tried
> reproducing the problem on a test machine, with the same version and a
> full copy of /etc/apache2/ (copied with "rsync -av", only modified to
> replace the IP address and DNS name of the server), but the test machine
> does not exhibit the problem. I did not copy the files in DocumentRoot.
>
> I tried disabling .htaccess files on the server, in case the problem
> would be caused by a .htaccess file, but the problem is still there.
>
> I saw nothing in the logs. access.log shows normal accesses (i.e. code
> 200), and error.log does not change while accessing the pages to be
> denied. "apachectl graceful" does not display any warning.
>
> Any idea on what's going on? Where to look for the error?
>
> Thank you very much in advance,
>
> (please, keep me Cc-ed, I'm not subscribed)

-- 
Matthieu Moy
http://www-verimag.imag.fr/~moy/
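As an added illustration (not code from the original post), the Python model below reproduces the merge behaviour the thread describes: <Location> sections are merged after <Directory> and .htaccess, and a section carrying any Order/Allow/Deny directive replaces the access configuration built by earlier sections instead of extending it. Paths, IP addresses and section contents are constructed, and the model treats a <Directory> prefix and a <Location> prefix as matching the same request path.

```python
from dataclasses import dataclass, field
from typing import Optional

# Merge order from the 2.2 "sections" documentation: higher rank merges later.
MERGE_RANK = {"Directory": 0, ".htaccess": 0, "DirectoryMatch": 1,
              "Files": 2, "Location": 3}

@dataclass
class Access:
    order: str = "deny,allow"            # 2.2 default when only Deny is given
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)

@dataclass
class Section:
    kind: str
    prefix: str                          # matched against the request path
    access: Optional[Access] = None      # None: no Order/Allow/Deny inside

def matches(rule: str, client_ip: str) -> bool:
    return rule == "all" or client_ip == rule

def effective_access(sections, path) -> Optional[Access]:
    """Access config that applies to `path` once all sections are merged."""
    result = None
    for s in sorted(sections, key=lambda s: MERGE_RANK[s.kind]):  # stable
        if path.startswith(s.prefix) and s.access is not None:
            result = s.access            # later section replaces, not extends
    return result

def is_allowed(sections, path, client_ip) -> bool:
    acc = effective_access(sections, path)
    if acc is None:
        return True                      # no access control configured
    allowed = any(matches(r, client_ip) for r in acc.allow)
    denied = any(matches(r, client_ip) for r in acc.deny)
    if acc.order == "deny,allow":        # allowed unless denied; Allow wins
        return allowed or not denied
    return allowed and not denied        # allow,deny: Deny wins

# Constructed config: a closed directory, plus the blacklist from the thread.
PRIVATE = Section("Directory", "/private", Access("deny,allow", [], ["all"]))
BLACKLIST = Section("Location", "/", Access(deny=["203.0.113.9"]))

def demo():
    return {
        "private_alone": is_allowed([PRIVATE], "/private/x", "198.51.100.7"),
        "private_plus_blacklist": is_allowed([PRIVATE, BLACKLIST], "/private/x", "198.51.100.7"),
        "blacklisted_ip": is_allowed([PRIVATE, BLACKLIST], "/private/x", "203.0.113.9"),
    }
```

The second result shows the failure from the thread: once the <Location /> Deny is present, the "Deny from all" on the private directory no longer applies to ordinary clients.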
