>>> On Mon, Jul 24, 2006 at 9:02 AM, in message <[EMAIL PROTECTED]>,
Ruediger Pluem <[EMAIL PROTECTED]> wrote:
> Having added the following to my virtual host
>
> <location />
> reject ip 127.0.0.1
> </location>
>
> results in a 401 response and the following entries in the error_log
>
> [Mon Jul 24 16:56:03 2006] [error] [client 127.0.0.1] user (null): authorization failure for "/":
> [Mon Jul 24 16:56:03 2006] [error] [client 127.0.0.1] need AuthType to note auth failure: /
>
>
> Either I did the configuration wrong or the result is wrong. I think I
> should get a 403 response instead and the message in the log should be
> something like
>
> [Mon Jul 24 16:47:49 2006] [error] [client 127.0.0.1] client denied by server configuration: /usr/src/apache/apache_2.0.x/htdocs/zw/formtest.html
>
>
>
> Regards
>
> Rüdiger
Well, I think that the following patch in mod_authz_core.c fixes the problem
that you are looking at:
@@ -628,16 +633,25 @@
switch (auth_result) {
case AUTHZ_DENIED:
+ case AUTHZ_NEUTRAL:
/* XXX If the deprecated Satisfy directive is set to anything
but ANY a failure in access control or authz will cause
an HTTP_UNAUTHORIZED. Just the if statement
should be removed in 3.0 when the Satisfy directive
goes away. */
if (!note || (ap_satisfies(r) != SATISFY_ANY) || (note[0] ==
'N')) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "user %s: authorization failure for \"%s\":
",
- r->user, r->uri);
- return_code = HTTP_UNAUTHORIZED;
+ if (r->ap_auth_type == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "client denied by server configuration:
%s",
+ r->filename);
+ return_code = HTTP_FORBIDDEN;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "user %s: authorization failure for
\"%s\": ",
+ r->user, r->uri);
+ return_code = HTTP_UNAUTHORIZED;
+ }
}
else {
return_code = DECLINED;
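Review bot: in the new `r->ap_auth_type == NULL` branch the log call passes `r->filename` to `%s`, but the reported configuration is a `<Location />` block and `r->filename` is not guaranteed to be set for a request that was never mapped to a file; fall back to `r->uri` when it is NULL (the removed message logged `r->uri`). The added `case AUTHZ_NEUTRAL:` also sends a neutral result down the same 403/401 path as `AUTHZ_DENIED`, which the XXX comment above it does not mention; a one-line comment stating that this is intended would help the next reader.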
However, this brings up the question, what does "reject" actually mean?
"Require" means that if true then authorization is granted otherwise
authorization is denied. "Reject" obviously means that if true, then
authorization is denied but it does not necessarily mean the opposite. So in
the case that you defined:
> <location />
> reject ip 127.0.0.1
> </location>
obviously if the request is coming from 127.0.0.1 then the request is denied.
But if the request comes from some other ip address, is authorization
automatically granted? I don't think it is. There still needs to be a
"Require" statement in the configuration somewhere.
Brad
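
The reading of "Require" and "Reject" given in the reply above, together with the 403/401 choice made in the patch, as an added example that is not part of the original mail or of httpd. The type and function names are hypothetical, IP matching is a plain string compare, the rule for combining several directives is an assumption, and the Satisfy/note branch of the patch is left out.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; names are hypothetical, not httpd's own types. */
typedef enum { RES_DENIED, RES_GRANTED, RES_NEUTRAL } authz_res;
typedef enum { DIR_REQUIRE, DIR_REJECT } dir_kind;
typedef struct { dir_kind kind; const char *ip; } directive;

/* One directive, as described in the reply:
 * require: match -> granted, no match -> denied
 * reject:  match -> denied,  no match -> neutral (not a grant) */
static authz_res eval_one(const directive *d, const char *client_ip)
{
    int match = strcmp(d->ip, client_ip) == 0;
    if (d->kind == DIR_REQUIRE)
        return match ? RES_GRANTED : RES_DENIED;
    return match ? RES_DENIED : RES_NEUTRAL;
}

/* Assumed combination rule: a matching reject always denies; otherwise a
 * grant needs a matching require; with no require at all the result
 * stays neutral. */
authz_res eval_all(const directive *ds, int n, const char *client_ip)
{
    authz_res out = RES_NEUTRAL;
    for (int i = 0; i < n; i++) {
        authz_res r = eval_one(&ds[i], client_ip);
        if (ds[i].kind == DIR_REJECT && r == RES_DENIED)
            return RES_DENIED;
        if (ds[i].kind == DIR_REQUIRE && out != RES_GRANTED)
            out = r;            /* keeps GRANTED once any require matches */
    }
    return out;
}

/* Status mapping of the patched switch, without the Satisfy/note branch:
 * denied or neutral with no AuthType -> 403, with AuthType -> 401.
 * 200 stands in for "request allowed". */
int status_for(authz_res r, const char *auth_type)
{
    if (r == RES_GRANTED)
        return 200;
    return auth_type == NULL ? 403 : 401;
}

int main(void)
{
    directive only_reject[] = { { DIR_REJECT, "127.0.0.1" } };
    const char *clients[] = { "127.0.0.1", "192.0.2.10" }; /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%s -> %d\n", clients[i],
               status_for(eval_all(only_reject, 1, clients[i]), NULL));
    return 0;
}
```

Under this model a lone `reject ip 127.0.0.1` yields 403 for every client, because a non-matching reject is neutral and nothing grants access.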