To serve files, I set up a readonly WebDAV with Apache2 serving from davs://dav.example.com/. However, I want a subdirectory (davs://dav.example.com/uploads/) that is writable by the logged in user.
To make my site readonly, I used the following:
...
<Directory /var/www/dav>
Options +Indexes
DAV On
Order allow,deny
AuthType Basic
AuthName "Not for public access! Login only"
AuthUserFile /var/www/htpasswd
<Limit GET OPTIONS PROPFIND>
Require valid-user
Deny from all
</Limit>
<Limit PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require host dav.example.com
Deny from all
</Limit>
Satisfy Any
</Directory>
...
I've tried making <Directory /var/www/dav/upload>, copying the <Limit PUT... with Require valid-user in it, but that didn't work. When creating a file in the /upload/ dir, the server responded with a 500 error.
Is this possible? I have access to the site.conf file.
Make a <Directory /var/www/dav/upload> block with this in it:
<LimitExcept GET OPTIONS PROPFIND PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require valid-user
Deny from all
</LimitExcept>
This also works in .htaccess files, if needed.
Related
I would like to reroute my apache to a different system folder.
Currently I have this setting
<VirtualHost *:443>
ServerName blaah.com
SSLCertificateFile /etc/ssl/certs/blaah.crt
SSLCertificateKeyFile /etc/ssl/private/blaah.key
SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
DocumentRoot /var/www/blaah
Alias /webalizer /var/www/webalizer
<Directory /var/www/webalizer>
Allow from 192.168.0.0/16
Deny from all
AuthType Basic
AuthName webalizer
AuthUserFile /var/www/webalizer/.htpasswd
Require valid-user
</Directory>
ProxyPass /gogs http://127.0.0.1:3000
<LocationMatch "^/blaah/blaah/">
Deny from all
</LocationMatch>
<LocationMatch "^/maintenance">
Allow from IP
Deny from all
</LocationMatch>
</VirtualHost>
So basically when going to servername blaah.com you get directed to a service.
Now I want to do a maintenance on that service, that means I have to reroute them.
But I want to test out that endpoint, so when you write blaah.com/maintenance (the last Location Match should cover that) you get directed to /var/www/maintenance. That folder holds a single index.html that tells you that an maintenance is underway. How can I accomplish that?
In nginx I would do multiple locations and then change document root and tryfiles.
Figured it out.
Used
Alias /maintenance /var/www/maintenance
<Directory /var/www/maintenance">
Allow from IP
</Directory>
I have password protected my webpage in Linux Mint by using mod_auth_form in apache2 with the configuration in /etc/apache2/apache2.conf:
<Directory "/var/www/html">
AuthFormProvider file
AuthType form
AuthName "Reserved Area"
Session On
SessionCookieName session path=/
require valid-user
AuthFormLoginRequiredLocation "http://localhost/login.php"
# This is the login page
ErrorDocument 401 /login.php
# This is the file containing users login data
AuthUserFile /var/www/html/users/users
</Directory>
When an unauthorized user tries to access something on the webpage he will be redirected to the login page "login.php", however he won't have access to this page either so I tried adding:
<Location /var/www/html/login.php>
Order Allow,Deny
Allow from all
</Location>
But the problem remains and it just tries to redirect to the login page infinitely. What would enable a user to access only the login page but not anything else on the site?
I found that if I replaced
<Location /var/www/html/login.php>
Order Allow,Deny
Allow from all
</Location>
with
<Directory /var/www/html/login>
Options Indexes
AllowOverride None
Require all granted
</Directory>
and added a folder /var/www/html/login where I placed everything that had to do with the login page it started working. I never figured out why Location didn't work to give access to the login.php file.
I also removed the line
AuthFormLoginRequiredLocation "http://localhost/login.php
as it wasn't needed.
The line:
ErrorDocument 401 /login.php
was also changed to:
ErrorDocument 401 /login/login.php
I am getting the below error when I am accessing the web interface of nagios.
Forbidden
You don't have permission to access /nagios/ on this server.
Apache/2.2.15 (Red Hat) Server at localhost Port 80
Please help me .. I am working from one week still not resolved.
Couple of places to visit in the configuration files.
check your /etc/httpd/conf.d/nagios.conf file , if the option for SSL is turned on ,try disabling it
then
restart httpd service.
below is the sample entry from the file /etc/httpd/conf.d/nagios.conf
ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi"
<Directory "/usr/lib64/nagios/cgi">
#SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
Alias /nagios "/usr/share/nagios"
<Directory "/usr/share/nagios">
#SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
I'm new to Apache. Following a tutorial, I am trying to set an alias in Apache to look and serve files from a folder (project). Other than htdocs, this was my code to create alias:
<IfModule alias_module>
Alias /project/ "C:/project/"
Alias /project "C:/project"
</IfModule>
<Directory "C:/project">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
This doesn't work and when I type localhost/project/ in browser, the browser throws access forbidden.
How do I work around it?
You'll have to change your security settings on C:\xampp\apache\conf\httpd.conf
The directory diretive must be on this file or it will always show the forbidden error.
In my Apache configuration, I first deny access to the entire filesystem:
<Directory />
Require all denied
</Directory>
Then, in the configuration for each virtual host, I allow unrestricted access:
<VirtualHost ...>
<Directory /var/www/example.com/>
Require all granted
</Directory>
</VirtualHost>
Or require authenticated access:
<VirtualHost ...>
<Directory /var/www/example.com/>
AuthType Basic
AuthName "example.com"
AuthUserFile htpasswd
Require valid-user
</Directory>
</VirtualHost>
I noticed in the Apache documentation that:
For content that lives in the filesystem, use <Directory> and <Files>. An exception is <Location />, which is an easy way to apply a configuration to the entire server.
And I wondered whether using <Location /> might be a way to require authenticated access for a particular virtual host:
<VirtualHost ...>
<Location />
AuthType Basic
AuthName "example.com"
AuthUserFile htpasswd
Require valid-user
</Location>
</VirtualHost>
But the Apache documentation states that:
<Location> directives should not be used to control access to filesystem locations.
Which led me to wonder whether should not was a recommendation for <Location> directives in general, and whether in certain situations a <Location /> directive in particular may be used as an exception to allow access, or in other words, can the Apache <Location> directive be safely used to configure access to a server?
No. Also from the Apache documentation:
Pay particular attention to the interactions of Location and Directory directives; for instance, even if <Directory /> denies access, a <Location /> directive might overturn it.
My understanding is that because any <Location> directive could potentially overturn any <Directory> directive[1], the least restrictive <Location> directive must not be less restrictive than the most restrictive <Directory> directive across the entire server.
Starting with a sensible <Directory /> default of Require all denied and following the above rule would require any <Location> directive to not be less restrictive than Require all denied, which would of course make it impossible to access the server at all.
Note also that the purpose of the <Location> directive is to configure resources which reside outside of the filesystem.
Bottom line is that for any requests which might touch the filesystem, for any <Location> directives which might apply to any of those requests, the applicable <Location> directives must not include the Require statement.[2]
[1]: For example, using symbolic links.
[2]: It is possible to use filesystem permissions or tools like apparmor to mitigate the security hole opened by including a Require statement in certain <Location> directives, but remember the principle of Defense In Depth.