>Number: 1069
>Category: config
>Synopsis: Directory deny does not deny by ip
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Aug 28 10:50:01 1997
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2.4 and 1.2.0
>Environment:
Running RedHat Linux 4.1, all current RedHat patches in place. Using current GCC from RedHat 4.1 release.
>Description:
We are running with the proxy and several options enabled. The server is multi-homed and serves 5 IP addresses with 3 virtual hosts.

We also have modifications to the proxy routines in place, but they should not affect this (proxy_connect.c, proxy_ftp.c, proxy_http.c) as they validate a host against an external list. Admittedly, I have not tried without these mods.

The Directory deny command does not seem effective. We wish to limit access to some internal reference pages by IP, while allowing the rest to be open. I have configured with deny from all, then allows by specific IPs. It does not limit access at all to the host directories. I have tried simply deny all and no allows and access is still open.

Appropriate portions of the access.conf:

<Directory /home/httpd/html/local>
Options Includes ExecCGI
AllowOverride None
order deny,allow
deny from all
allow from 209.69.34.130
allow from 209.69.34.136
allow from 209.69.34.130
allow from 209.69.34.136
allow from 209.69.34.135
allow from 209.69.34.140
allow from 209.69.34.141
</Directory>

<Directory /home/httpd/html>
Options Includes ExecCGI
AllowOverride None
order deny,allow
deny from all
allow from 209.69.34.130
allow from 209.69.34.136
allow from 209.69.34.135
allow from 209.69.34.140
allow from 209.69.34.141
</Directory>

Have also tried the following with no success:

<Directory /home/httpd/html>
Options Includes ExecCGI
AllowOverride None
order deny,allow
deny from all
</Directory>

Note on our modifications to mod_proxy: Just to explain why I don't believe this is at fault... I added a small piece of code immediately following the test for sites blocked. I will be submitting a suggestion for this in a moment. This code block opens a proxy request file and compares entries to determine if a site is listed. This allows us to build a large table of sites and deny and approve without restarting the server. It also allows a deny/allow version of restriction for the proxy. If a line not matching the host as compared in the standard checking is not found in the text file, it calls proxyerror, else it continues normally.
>How-To-Repeat:
URL sample for the above config is http://main.ie-e.com/local/
>Fix:
Sorry, no suggestions
>Audit-Trail:
>Unformatted:
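As an added illustration, not part of the original report and not Apache's own code, the following Python models the mod_access Order/Deny/Allow semantics that the access.conf above relies on, so the decision the configuration should produce for a given client address can be stated and compared with what the server actually does. Function names are my own; hostname and netmask arguments are not modelled.

```python
"""Model of mod_access-style Order/Deny/Allow evaluation for one client IP.

Constructed illustration of the semantics the report's access.conf relies on,
not Apache's implementation. Handles 'all', exact IPv4 addresses and dotted
partial addresses (e.g. '209.69.34'); hostnames and netmasks are out of scope.
"""
from __future__ import annotations


def _matches(pattern: str, ip: str) -> bool:
    """True if an Allow/Deny argument matches the client IP."""
    if pattern == "all":
        return True
    pat = pattern.rstrip(".").split(".")
    octets = ip.split(".")
    if len(pat) > len(octets) or not all(p.isdigit() for p in pat):
        return False
    # Partial addresses match on octet boundaries only, never as substrings.
    return octets[: len(pat)] == pat


def check_access(order: str, deny: list[str], allow: list[str], ip: str) -> bool:
    """Return True if `ip` would be granted access under the given rules."""
    denied = any(_matches(p, ip) for p in deny)
    allowed = any(_matches(p, ip) for p in allow)
    if order == "deny,allow":
        # Default allow; a matching Allow overrides a matching Deny.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Default deny; a matching Deny overrides a matching Allow.
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order}")


# The <Directory /home/httpd/html/local> rules from the report, as data.
LOCAL_DENY = ["all"]
LOCAL_ALLOW = ["209.69.34.130", "209.69.34.136", "209.69.34.135",
               "209.69.34.140", "209.69.34.141"]


def expected_for_local(ip: str) -> bool:
    """Decision the report's /local configuration should yield for `ip`."""
    return check_access("deny,allow", LOCAL_DENY, LOCAL_ALLOW, ip)


if __name__ == "__main__":
    # Constructed sample clients: one listed address, one unlisted neighbour,
    # one address outside the /local allow list entirely.
    for client in ("209.69.34.130", "209.69.34.131", "10.0.0.5"):
        print(client, "allowed" if expected_for_local(client) else "denied")
```

Under these rules only the five listed addresses should reach /local; any other client being served is the behaviour the report describes as the defect.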
