Received: (qmail 11178 invoked by uid 2012); 17 Jun 1999 22:20:58 -0000 Message-Id: <19990617222058.11177.qmail@hyperreal.org> Date: 17 Jun 1999 22:20:58 -0000 From: Tammy McKean Reply-To: tammy@synchronis.com To: apbugs@hyperreal.org Subject: Deny directive not denying access X-Send-Pr-Version: 3.2 >Number: 4602 >Category: mod_access >Synopsis: Deny directive not denying access >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Jun 17 15:30:00 PDT 1999 >Last-Modified: Wed Aug 4 14:28:08 PDT 1999 >Originator: tammy@synchronis.com >Organization: >Release: 1.3.6 >Environment: Linux myhost 2.0.36 #1 Thu Jan 14 12:38:58 PST 1999 i686 unknown >Description: I have some summaries from newsgroups where this has been posted without successful resolution: > Hi All: > > I run Apache 1.36 on a Slackware 4.0 Linux kernel 2.2.9 and > virtually host 5 personal sites - just for fun stuff. > > I made an entry in the httpd.conf file to deny access to the > anonymizer.com service that a local hostile hacker was using > to hide his identity. > > Here is my entry with the commented text removed: > > > Options Indexes FollowSymLinks > AllowOverride None > Order allow,deny > Allow from all > Deny from 209.75.196. > > > According to my understanding, this should deny access to > anyone originating from the anonymizer.com site. > > The problem is it doesn't block anything. > > Everything else appears to function as advertised. > > Is the Apache feature broken? > > Best regards, > > Brian Subject: Deny Directive Not Working! Date: Thu, 17 Jun 1999 20:51:42 GMT From: Tammy Organization: Cyberverse, Inc. Newsgroups: comp.infosystems.www.servers.unix Hi, I'm implementing the Deny directive like so: Order deny,allow Deny from .whatever.com 207.171.231.230 Allow from all in my httpd.conf, yet access is NOT denied to the specified domain or ip. I tested this by putting in my own ip and testing from my box via Netscape and telnet. I put the Deny in a Directory container and in a Directory container inside a VirtualHost - still neither works. This seems like it should be REALLY SIMPLE... what am I missing here?! Deny is an Access Handler, I don't reference any other Access Handlers so nothing should be short-circuiting the call to mod_access. Any insight GREATLY appreciated (it's always the 'simple' things that kill me). thanks, -tm -- tammy@synchronis.com >How-To-Repeat: Create Deny directives in httpd.conf and restart the server. Request the denied content from the denied host/ip. I have repeated on this Linux 5.2 using apache 1.3.4 and 1.3.6. >Fix: >Audit-Trail: State-Changed-From-To: open-feedback State-Changed-By: rederpj@raleigh.ibm.com State-Changed-When: Wed Aug 4 12:51:34 PDT 1999 State-Changed-Why: I have worked to verify this PR. The first quoted part (from Brian) should work as specified (and in fact does work correctly for me on version 1.3.7-dev). The second part (from Tammy, the PR's submitter) should behave excactly as it does. Beacuse the Order is specified as "deny,allow" the allow clause is processed last. The text in the Deny clause will do nothing since the last thing evaluated is "Allow from All". To fix this you should change the Order to "allow,deny". So, in summary, Tammy should change the Order to "allow,deny" and Brian should try again with a more recent version. Please reply if these are fixed. Severity-Changed-From-To: serious-non-critical Severity-Changed-By: rederpj@raleigh.ibm.com Severity-Changed-When: Wed Aug 4 12:51:34 PDT 1999 State-Changed-From-To: feedback-closed State-Changed-By: rederpj@raleigh.ibm.com State-Changed-When: Wed Aug 4 14:28:08 PDT 1999 State-Changed-Why: Tammy has indicated that this PR can be closed. >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]