Re: Preventing httpd from accessing WEB-INF contents

2009-11-30 Thread Christopher Schultz

Jonathan,

On 11/25/2009 11:13 AM, Jonathan Mast wrote:
 Can someone please provide the magical httpd config-cantation that will
 block httpd from accessing anything in WEB-INF directories?

  <Directory /path/to/webapp/WEB-INF>
    Order deny,allow
    Deny from all
  </Directory>

 I need something that will apply globally

How about:

  <DirectoryMatch .*/WEB-INF>
    Order deny,allow
    Deny from all
  </DirectoryMatch>

 and can't be overridden by
 VirtualHost directives

This might not be possible. Any part of httpd.conf can override any
other part, I think. You can make it so that .htaccess files can't
override the Order and Deny directives, though.

Note that you'll probably want to protect META-INF as well.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Jonathan Mast
Can someone please provide the magical httpd config-cantation that will
block httpd from accessing anything in WEB-INF directories?

I need something that will apply globally and can't be overridden by
VirtualHost directives.  I've dug around the httpd config documentation and
I'm just not understanding it; everything I've tried just hasn't worked.

thanks

httpd 2.2
Tomcat 6.0


Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Pid


At a guess, I'd say you've published, via HTTPD, the web application 
directory.


This is one of the reasons we advise users not to publish webapp 
directories via HTTPD.  Using a separate webapps and document root is 
advisable.


E.g.

 /path/to/site.com/httpdocs
 /path/to/site.com/httpdocs/index.html
 /path/to/site.com/httpdocs/images/
 /path/to/site.com/httpdocs/scripts/

 /path/to/site.com/webapps
 /path/to/site.com/webapps/ROOT
 /path/to/site.com/webapps/myapp


If this isn't the case, you'll have to supply information about your 
mod_jk / mod_proxy config so we can see what you're doing.



p




Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Jonathan Mast
Yes, I am keeping all the web-app stuff in place.  I don't have the time
to re-architect my entire system to your suggested format.

I really need to just prevent httpd from accessing anything with WEB-INF
in the url.





Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Tobias Crefeld
Am Wed, 25 Nov 2009 11:13:19 -0500
schrieb Jonathan Mast jhmast.develo...@gmail.com:

 I need something that will apply globally and can't be overridden
 by VirtualHost directives.

Why don't you use a standard like Location/Order/Deny/Allow in the
vhosts config to deny access to WEB-INF, etc.?

Individual config-files for Apache's vhosts are still part of the
Apache-config and you can insert in it whatever you like to control (or
crash!) Apache as a whole. Because of this I would never give the
Tomcat-User (e.g. our developers) direct access to the vhost's
config-files.


Regards,
 Tobias.




Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Pid

On 25/11/2009 16:47, Nikolay Diulgerov wrote:

Try

<Location /myapp/WEB-INF>
  AllowOverride None
  deny from all
</Location>


Probably a better solution would be:

  <LocationMatch /*/WEB-INF/>
    AllowOverride None
    deny from all
  </LocationMatch>

  <LocationMatch /*/META-INF/>
    AllowOverride None
    deny from all
  </LocationMatch>

... but we're really just guessing what config is already in place - 
maybe the mod_jk / mod_proxy config could be adjusted instead.


Correcting a poor/broken config is a much better solution than 
attempting, blindly, to stick bandages on an unknown setup.



p






Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Jonathan Mast
My understanding of Location directives is that they cannot be used with regexes,
and if not then that's not what I'm looking for.

I have multiple contexts underneath multiple (virtual) hosts.  I need a
VirtualHost level directive that will block any attempts to access
*/WEB-INF/* on that host.

Adding a new Location directive to httpd.conf for each context would be a lot
of work and something that would be easy to forget to do.







Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Tim Funk

Equally well

<Location ~ /WEB-INF/>
  AllowOverride none
  deny from all
</Location>

The docs say AllowOverride is not allowed on regexes, so I believe in 
reality this could be overridden with effort.


-Tim




Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Pid

On 25/11/2009 18:07, Tim Funk wrote:

Equally well

<Location ~ /WEB-INF/>
  AllowOverride none
  deny from all
</Location>

The docs say AllowOverride is not allowed on regexes, so I believe in
reality this could be overridden with effort.


In that case a standard include containing the config for each virtual 
host might be an improvement, and lower maintenance.


Presumably the only way to be sure is to not publish the directory in 
the first place, then?



p






Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Jonathan Mast
Thanks!  I had to make a slight adjustment to get it to work fully:

<Location ~ /?WEB-INF/>
  AllowOverride none
  deny from all
</Location>

Now foo.mysite.com/WEB-INF/* and
foo.mysite.com/another_context/WEB-INF/* are blocked.

I did get this message on httpd shutdown and startup:
[warn] Useless use of AllowOveride ...

Removing it didn't seem to affect the behavior; I'm not sure if I should still
keep it in there.

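As an added check (not from the thread), this Python script shows which request paths each regex proposed above would deny, run over a constructed list of sample paths. The stricter, case-insensitive pattern at the end is an assumption of mine, not advice from the list, and the script models only the regex match, not the rest of httpd's request processing.

```python
import re

# Regexes proposed in the thread for <Location ~ ...> / <LocationMatch ...>,
# keyed by who proposed them.  Pid used two blocks, so that entry has two patterns.
THREAD_PATTERNS = {
    "pid": [r"/*/WEB-INF/", r"/*/META-INF/"],
    "tim": [r"/WEB-INF/"],
    "jonathan": [r"/?WEB-INF/"],
}

# Stricter alternative (an assumption, not the list's advice): case-insensitive,
# covers both directories, and matches a whole path segment so that "/WEB-INF"
# without a trailing slash is caught while a neighbour like "/WEB-INFO/" is not.
HARDENED = [r"(?i)/(WEB-INF|META-INF)(/|$)"]

# Constructed sample request paths, paired with the verdict a defender wants.
SAMPLE_PATHS = [
    ("/WEB-INF/web.xml", True),
    ("/myapp/WEB-INF/web.xml", True),
    ("/myapp/WEB-INF/classes/db.properties", True),
    ("/myapp/WEB-INF", True),               # bare directory, no trailing slash
    ("/myapp/web-inf/web.xml", True),       # lower case; a case-insensitive filesystem serves it
    ("/myapp/META-INF/context.xml", True),
    ("/myapp/index.jsp", False),
    ("/myapp/WEB-INFO/readme.txt", False),  # similarly named but harmless directory
]


def denied(patterns, path):
    """True if any pattern matches the URL path (unanchored search, as PCRE does)."""
    return any(re.search(p, path) is not None for p in patterns)


def gaps(patterns):
    """Paths that should be denied but slip past the given patterns."""
    return [path for path, must_deny in SAMPLE_PATHS
            if must_deny and not denied(patterns, path)]


def false_positives(patterns):
    """Harmless paths the patterns would wrongly deny."""
    return [path for path, must_deny in SAMPLE_PATHS
            if not must_deny and denied(patterns, path)]


def report():
    """Map each proposal name to the sample paths it misses."""
    rows = {name: gaps(p) for name, p in THREAD_PATTERNS.items()}
    rows["hardened"] = gaps(HARDENED)
    return rows


if __name__ == "__main__":
    for name, missed in report().items():
        print(f"{name:9s} misses: {missed or 'nothing'}")
```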


Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread André Warnier

Jonathan Mast wrote:

My understanding of Location directives is that they cannot be used with regexes,
and if not then that's not what I'm looking for.


Then your understanding of Location directives is wrong.
Why don't you look up the original article?
http://httpd.apache.org/docs/2.2/mod/core.html#location
(and LocationMatch)



I have multiple contexts underneath multiple (virtual) hosts.  I need a
VirtualHost level directive that will block any attempts to access
*/WEB-INF/* on that host.

Adding a new Location directive to httpd.conf for each context would be a lot
of work and something that would be easy to forget to do.

Well, /you/ are the one who created the mess in the first place, so 
don't complain at us.

;-)

A tip (also in the Apache documentation, about VirtualHost):

Generally speaking, configuration directives you use in the main part 
of the Apache server config (by this meaning what is outside of a 
<VirtualHost>...</VirtualHost> block) are inherited by all VirtualHost 
sections, and act as a default unless specifically overridden inside 
the VirtualHost sections.
In other words, if you use a LocationMatch section in the main 
configuration, it will carry over to all VirtualHosts.


Note that I'm leaving something here to figure out by yourself, not that 
you would get rusty or lazy or so.






Re: Preventing httpd from accessing WEB-INF contents

2009-11-25 Thread Jonathan Mast
You're right, I did misunderstand the Location directive.  It's at the top of
the config file now, working fine :)
