On 10 Jun 2013, at 14:35, Eric Covener <[email protected]> wrote:
> I'd like to add an immutable Forbid directive to the core and use it in some
> places in the default configuration instead of "require all denied".
>
> http://people.apache.org/~covener/forbid.diff
>
> This protects from a broad <Location or <If being added that supersedes
> Directory/Files.
>
> I thought someone might object to the duplication w/ AAA or the presence in
> the core, so opting for RTC.
Just a comment: other places that do broadly similar things often have a “deny
by default” philosophy. I like this approach.
Obviously this isn't going to please admins with existing configurations, so is
there a way to design the mechanism so it's still possible to get something
more strict than we have at the moment?
In terms of directives, this could look like:
<Directory />
# For example, insist that exemptions must be defined in the same place as
# the Forbid is set.
Forbid
ForbidExemption /srv/web /nfs/foo/bar
</Directory>
# Require HTTPS except from IPv4 localhost
<If "%{REQUEST_SCHEME} != 'https' && (! -R '127.0.0.0/8')">
# Expression evaluation doesn't need exemptions
Forbid
</If>
--
Tim Bannister – [email protected]
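As an added illustration of the merge-order problem Eric describes, and of what today's directives can already express: this configuration is written for this note, it is not from the thread or from the patch, and the paths and the overly broad Location block are assumptions chosen to show the pitfall.

```apache
# Deny-by-default baseline on the filesystem, as the shipped configuration does today.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Assumed document root that is meant to be the only reachable part of the tree.
<Directory /srv/web>
    Require all granted
</Directory>

# The pitfall: <Location> sections are merged after <Directory> and <Files>, and
# with the default AuthMerging Off the last-merged section's Require replaces the
# earlier ones. This broad grant therefore wins for every URL, including ones that
# map to paths the <Directory /> block above intended to keep denied.
<Location />
    Require all granted
</Location>

# Require HTTPS except from IPv4 localhost, using existing directives. <If> is
# merged last of all, so an earlier Directory/Location grant cannot undo this
# denial; a later <If> carrying "Require all granted" still could, which is the
# gap an immutable Forbid would close.
<If "%{REQUEST_SCHEME} != 'https' && !(-R '127.0.0.0/8')">
    Require all denied
</If>
```

The <Location /> block is the thing to look for when auditing a configuration that is believed to deny by default: `httpd -t -D DUMP_CONFIG` (or `apachectl -t -D DUMP_CONFIG`) prints the merged configuration so such a block can be spotted even when it lives in an included file.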