The following reply was made to PR config/1941; it has been noted by GNATS.
From: "Mike Brudenell" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc:
Subject: Re: config/1941: AllowOverride ignored in <Directory ~ pattern> and <DirectoryMatch pattern>
Date: Wed, 25 Mar 1998 17:51:06 +0000
Hmmm... I think I've just experienced a blinding flash of light that answers
my original problem/bug-report, so here's my confession. :-}
However I think there is still a problem lurking that I raised in a
subsequent follow-up message (see entry dated Mon 16 Mar 1998 in this
problem report within the bugs database). I mention this again, hopefully a
little more clearly, towards the end of this message.
Resumé
------
The difficulty I was having was in establishing a "default" environment
through the server's central configuration file whereby:
* The /htdocs/ tree was set to AllowOverride None
* Directories matching a certain pattern:
<DirectoryMatch "/^htdocs/.*\.ltd">
were set within this section to "Deny from all" and "AllowOverride
AuthConfig Limit"
This latter was to establish a "default" of no access to the contents of a
directory whose name ended ".ltd" UNLESS it contained an .htaccess file
specifically allowing access from particular sources.
In my bug report I claimed that although the <DirectoryMatch> section's
"Deny from all" was being honoured (tested by changing it to an "Allow from
all") the "AllowOverride" directive was apparently being ignored: the
.htaccess file was not being processed.
Changing to using an exactly specified name (using <Directory>) eliminated
the problem and allowed the .htaccess file to be obeyed.
The Explanation
---------------
The reason, of course, is "obvious" after the umpteenth re-reading of the
manual pages... Apache FIRST processes <Directory> and .htaccess files
(with the latter overriding the former) and THEN pattern matches set with
<DirectoryMatch>
I was attempting to do this:
1. Set up the "Deny from all" + "AllowOverride AuthConfig Limit" for
pattern-matched directories using <DirectoryMatch>
2. Later override this with settings from an .htaccess file (which is
now allowed to override courtesy of step 1 above).
In practice Apache reverses the order of this testing to become:
1. Ignore the .htaccess file (because of the entire tree's "AllowOverride
None" setting).
2. Process the pattern-match in the <DirectoryMatch> section and:
a) deny access from all sources
b) turn on the AllowOverride categories for .htaccess files
Of course (2b) is now too late as the .htaccess file processing step has
already passed! Hence access is denied: as I was seeing and tearing my hair
out over.
Personally I still find this ordering not terribly intuitive... I keep
thinking in terms of "use pattern-matches to establish general settings,
then override with specifics". This is the exact opposite of Apache's
interpretation for
<Directory> and <DirectoryMatch> directives. I suppose this is due to what
I think of as an "exact match" affecting not only that directory but also
all its subdirectories (hence is more of a prefix-match rather than an exact
match).
However as I said at the start I still think there's an oddity lurking...
But a Problem Remains?
---------------------
However the question I raised in a follow-up message (dated Mon, 16 Mar 1998
in this problem report within the bugs database) still stands, I think...
Forgetting all about my <Directory> and <DirectoryMatch> stuff and
backtracking to basics...
* If I set "AllowOverride AuthConfig Limit" for the htdocs tree then an
.htaccess file somewhere in it containing:
allow from all
require group some-users
then a request for a document in the area is honoured (subject to
authentication).
* If I modify the .htaccess file to contain:
<FilesMatch "*">
allow from all
require group some-users
</FilesMatch>
then the .htaccess file is still (correctly) obeyed and the request for a
document in the area is honoured (subject to authentication).
Now for the funny behaviour...
* If I instead set the htdocs tree to "AllowOverride Indexes" I would expect
this to NOT allow the request at all (not even ask for authentication)
because an .htaccess file is supposed to only allow "allow" if and only if
"AllowOverride Limit" is in force, (likewise "require" if and only if
"AllowOverride AuthConfig" is set).
But instead the request IS honoured (subject to authentication).
This suggests that setting "AllowOverride Indexes" for an area correctly
prevents "allow", "require", etc from working if they are "loose" within an
.htaccess file, *BUT* (surely wrongly?) allows them if they appear within a
<FilesMatch> section in the .htaccess file.
Doesn't this behaviour mean that users could still apply access restrictions
to items in an area even if the server administrator thought they were
disabled because the "AuthConfig" and "Limit" categories were not included
in the AllowOverride directive?
Cheers,
Mike Brudenell
--
The Computing Service, University of York, Heslington, York, YO1 5DD, UK
Tel: +44-1904-433811 FAX: +44-1904-433740 http://www.york.ac.uk/~pmb1/
* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
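
The merge order described under "The Explanation" above, as a simplified model added here for illustration (not part of the original message and not Apache's code). The directory name reports.ltd, the regex, and the function and variable names are assumptions; only the "Limit" category is checked.

```python
import re

# Constructed central configuration: (kind, pattern, settings).
# "dir" models a plain <Directory>, "match" models <DirectoryMatch>.
SECTIONS = [
    ("dir", "/htdocs", {"override": set(), "access": "allow"}),
    ("match", r"^/htdocs/.*\.ltd",
     {"override": {"AuthConfig", "Limit"}, "access": "deny"}),
]
# Same policy, but given for an exactly named directory (hypothetical name).
FIXED = [
    SECTIONS[0],
    ("dir", "/htdocs/reports.ltd",
     {"override": {"AuthConfig", "Limit"}, "access": "deny"}),
]
# Constructed .htaccess contents: an "allow" that needs AllowOverride Limit.
HTACCESS = {"/htdocs/reports.ltd": {"access": "allow"}}


def walk(path, sections, htaccess):
    """Return (access, htaccess_was_read) for a directory path."""
    state = {"override": set(), "access": "allow"}
    read = False
    parts = path.strip("/").split("/")
    # Pass 1: plain <Directory> sections and .htaccess, shortest path first.
    for i in range(1, len(parts) + 1):
        current = "/" + "/".join(parts[:i])
        for kind, pattern, settings in sections:
            if kind == "dir" and pattern == current:
                state.update(settings)
        # .htaccess counts only if overrides are allowed at this moment.
        if current in htaccess and "Limit" in state["override"]:
            state.update(htaccess[current])
            read = True
    # Pass 2: regex sections are merged only after pass 1 has finished,
    # so an AllowOverride set here arrives too late for .htaccess.
    for kind, pattern, settings in sections:
        if kind == "match" and re.search(pattern, path):
            state.update(settings)
    return state["access"], read


if __name__ == "__main__":
    print(walk("/htdocs/reports.ltd", SECTIONS, HTACCESS))
    print(walk("/htdocs/reports.ltd", FIXED, HTACCESS))
```
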