[Tfug] The Apache security saga ALMOST done!

Matt Jacob matt at mattjacob.com
Wed Jul 8 15:16:00 MST 2009


On Wed, Jul 8, 2009 at 2:05 PM, Jim March<1.jim.march at gmail.com> wrote:
> AuthType Basic
> AuthName "Restricted Files"
> # (Following line optional)
> AuthBasicProvider file
> AuthUserFile /usr/local/apache/passwd/passwords
> Require user zmuser
> # secure htaccess file
> <Files .htaccess>
>     order allow,deny
>     deny from all
>     allow from 127.0.0.1
>     allow from 192.168.0.1/24
>     allow from [ip address of the Qwest router, with the router told to
>     route IP stuff coming in there to the fixed IP addy of the camera
>     server, 192.168.0.53]
> </Files>

Here's what I'm confused about: all your access control rules are only
applying to files named .htaccess.

I think you're headed down the wrong path with the <Files> section.
Most out-of-the-box Apache configurations that I've seen over the past
7 years or so include something like this to block web-based access to
.htaccess files:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

If you want to control access to all content, the more typical thing
to do is to put Allow/Deny rules in a <Directory> container (which is
what you're implicitly doing by using an .htaccess file). Also, if you
only want to allow a limited set of hosts/addresses, you want your Order
directive to look like this:

Order deny,allow
Deny from all
Allow from 68.67.66.65
Allow from 122.123.124.125
Allow from 4.5.6.7

Hope that helps!

Matt
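The difference between the two Order forms discussed above, as an added example that is not part of the original post: a small Python simulator of the Apache 2.2 Order / Allow from / Deny from evaluation rules, run over the quoted rule set (with the bracketed router placeholder left out) and over the suggested deny,allow form. The client address 203.0.113.9 is constructed for illustration; the decision logic follows the documented mod_access behaviour, not any Apache source.

```python
"""Added example (not from the original post): a simulator for the
Apache 2.2 mod_access directives Order / Allow from / Deny from.

It parses a fragment of directives, then applies the documented evaluation
rules for the two Order variants discussed in the thread:

  Order allow,deny  - Allow rules are evaluated first, then Deny rules.
                      A request matching neither is DENIED, and a Deny match
                      overrides any Allow match.
  Order deny,allow  - Deny rules are evaluated first, then Allow rules.
                      A request matching neither is ALLOWED, and an Allow
                      match overrides any Deny match.

Only 'all', literal IP addresses and CIDR (a.b.c.d/n) arguments are handled;
Apache's partial-address form (e.g. 'Allow from 192.168.0') is not.
The client addresses used in run_examples() are constructed for illustration.
"""
import ipaddress


def parse_rules(config_text):
    """Extract (order, allow_patterns, deny_patterns) from a directive fragment.

    Directive names are matched case-insensitively, as Apache does; other
    directives (AuthType, <Files>, ...) are ignored.
    """
    order, allow, deny = None, [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        name = words[0].lower()
        if name == "order" and len(words) > 1:
            order = words[1].lower()
        elif name in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    if order not in ("allow,deny", "deny,allow"):
        raise ValueError("missing or unsupported Order directive: %r" % order)
    return order, allow, deny


def _matches(client, pattern):
    """True if the client IP matches one Allow/Deny 'from' argument."""
    if pattern.lower() == "all":
        return True
    ip = ipaddress.ip_address(client)
    if "/" in pattern:
        # strict=False accepts host bits set, e.g. 192.168.0.1/24
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def access_decision(config_text, client):
    """Return 'ALLOW' or 'DENY' for one client address under the fragment."""
    order, allow, deny = parse_rules(config_text)
    allowed = any(_matches(client, p) for p in allow)
    denied = any(_matches(client, p) for p in deny)
    if order == "allow,deny":
        # default deny; any Deny match wins over an Allow match
        return "DENY" if denied or not allowed else "ALLOW"
    # deny,allow: default allow; any Allow match wins over a Deny match
    return "ALLOW" if allowed or not denied else "DENY"


# The rule set from the quoted .htaccess, minus the bracketed router placeholder
ORIGINAL_RULES = """
order allow,deny
deny from all
allow from 127.0.0.1
allow from 192.168.0.1/24
"""

# The same intent written the way the reply suggests
CORRECTED_RULES = """
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.0.1/24
"""

# The stock block that hides .ht* files from every client
HIDE_HTACCESS_RULES = """
Order allow,deny
Deny from all
"""


def run_examples():
    """Evaluate constructed client addresses against each rule set."""
    clients = ["127.0.0.1", "192.168.0.53", "203.0.113.9"]
    return {
        name: {c: access_decision(rules, c) for c in clients}
        for name, rules in (("original", ORIGINAL_RULES),
                            ("corrected", CORRECTED_RULES),
                            ("hide_htaccess", HIDE_HTACCESS_RULES))
    }


if __name__ == "__main__":
    for name, results in run_examples().items():
        print(name)
        for client, decision in results.items():
            print("  %-14s %s" % (client, decision))
```

Under the quoted rules even 127.0.0.1 is denied, because with Order allow,deny the "deny from all" line overrides every allow line; the deny,allow form lets the listed addresses through and denies everyone else. These are the Apache 2.2-era directives; in Apache 2.4 they live in mod_access_compat and the equivalent is Require ip / Require all denied.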
