From apwww@hyperreal.org Thu Sep 11 16:48:08 1997 Received: (from apwww@localhost) by hyperreal.org (8.8.5/8.8.5) id QAA01833; Thu, 11 Sep 1997 16:48:08 -0700 (PDT) Message-Id: <199709112348.QAA01833@hyperreal.org> Date: Thu, 11 Sep 1997 16:48:08 -0700 (PDT) From: Dennis Baughn Reply-To: dbaughn@cadence.com To: apbugs@hyperreal.org Subject: access.conf seems to be ignored X-Send-Pr-Version: 3.2 >Number: 1124 >Category: config >Synopsis: access.conf seems to be ignored >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Sep 11 16:50:37 1997 >Last-Modified: Thu Sep 11 17:54:31 PDT 1997 >Originator: dbaughn@cadence.com >Organization: >Release: 1.2.0 >Environment: SunOS timecard 5.5.1 Generic_103640-03 sun4u sparc SUNW,Ultra-2 timecard:/opt/local/etc/apache_1.2.0/conf > ls -l total 80 -rw-rw-rw- 1 4002 staff 2484 Sep 11 16:29 access.conf -rw-rw-r-- 1 4002 staff 2141 Mar 31 16:52 access.conf-dist -rw-rw-rw- 1 4002 staff 2138 Sep 8 16:42 access.old -rw-rw-rw- 1 4002 staff 6416 Sep 8 19:02 httpd.conf -rw-rw-r-- 1 4002 staff 6442 May 4 13:18 httpd.conf-dist -rw-rw-r-- 1 4002 staff 2394 Sep 8 16:46 mime.types -rw-rw-rw- 1 4002 staff 6803 Sep 11 12:10 srm.conf -rw-rw-r-- 1 4002 staff 6786 May 7 12:21 srm.conf-dist contents of srm.conf: DocumentRoot /usr/local/etc/httpd/htdocs # UserDir: The name of the directory which is appended onto a user's home # directory if a ~user request is recieved. UserDir public_html # DirectoryIndex: Name of the file or files to use as a pre-written HTML # directory index. Separate multiple entries with spaces. DirectoryIndex index.html index.htm index.cgi # FancyIndexing is whether you want fancy directory indexing or standard FancyIndexing on # AddIcon tells the server which icon to show for different files or filename # extensions AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip AddIconByType (TXT,/icons/text.gif) text/* AddIconByType (IMG,/icons/image2.gif) image/* AddIconByType (SND,/icons/sound2.gif) audio/* AddIconByType (VID,/icons/movie.gif) video/* AddIcon /icons/binary.gif .bin .exe AddIcon /icons/binhex.gif .hqx AddIcon /icons/tar.gif .tar AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip AddIcon /icons/a.gif .ps .ai .eps AddIcon /icons/layout.gif .html .shtml .htm .pdf AddIcon /icons/text.gif .txt AddIcon /icons/c.gif .c AddIcon /icons/p.gif .pl .py AddIcon /icons/f.gif .for AddIcon /icons/dvi.gif .dvi AddIcon /icons/uuencoded.gif .uu AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl AddIcon /icons/tex.gif .texAddIcon /icons/bomb.gif core AddIcon /icons/back.gif .. AddIcon /icons/hand.right.gif README AddIcon /icons/folder.gif ^^DIRECTORY^^ AddIcon /icons/blank.gif ^^BLANKICON^^ # DefaultIcon is which icon to show for files which do not have an icon # explicitly set. DefaultIcon /icons/unknown.gif # AddDescription allows you to place a short description after a file in # server-generated indexes. # Format: AddDescription "description" filename # ReadmeName is the name of the README file the server will look for by # default. Format: ReadmeName name # # The server will first look for name.html, include it if found, and it will # then look for name and include it as plaintext if found. # # HeaderName is the name of a file which should be prepended to # directory indexes. ReadmeName README HeaderName HEADER # IndexIgnore is a set of filenames which directory indexing should ignore # Format: IndexIgnore name1 name2... IndexIgnore */.??* *~ *# */HEADER* */README* */RCS # AccessFileName: The name of the file to look for in each directory # for access control information. AccessFileName .htaccess # DefaultType is the default MIME type for documents which the server # cannot find the type of from filename extensions. DefaultType text/plain # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress # information on the fly. Note: Not all browsers support this. AddEncoding x-compress Z AddEncoding x-gzip gz # AddLanguage allows you to specify the language of a document. You can # then use content negotiation to give a browser a file in a language # it can understand. Note that the suffix does not have to be the same # as the language keyword --- those with documents in Polish (whose # net-standard language code is pl) may wish to use "AddLanguage pl .po" # to avoid the ambiguity with the common suffix for perl scripts. AddLanguage en .en AddLanguage fr .fr AddLanguage de .de AddLanguage da .da AddLanguage el .el AddLanguage it .it # LanguagePriority allows you to give precedence to some languages # in case of a tie during content negotiation. # Just list the languages in decreasing order of preference. LanguagePriority en fr de # Redirect allows you to tell clients about documents which used to exist in # your server's namespace, but do not anymore. This allows you to tell the # clients where to look for the relocated document. # Format: Redirect fakename url # Aliases: Add here as many aliases as you need (with no limit). The format is # Alias fakename realname # Note that if you include a trailing / on fakename then the server will # require it to be present in the URL. So "/icons" isn't aliased in this # example. Alias /icons/ /opt/local/etc/httpd/icons/ # ScriptAlias: This controls which directories contain server scripts. # Format: ScriptAlias fakename realname ScriptAlias /cgi-bin/ /opt/local/etc/httpd/cgi-bin/ # If you want to use server side includes, or CGI outside # ScriptAliased directories, uncomment the following lines. # AddType allows you to tweak mime.types without actually editing it, or to # make certain files to be certain types. # Format: AddType type/subtype ext1 # AddHandler allows you to map certain file extensions to "handlers", # actions unrelated to filetype. These can be either built into the server # or added with the Action command (see below) # Format: AddHandler action-name ext1 # To use CGI scripts: #AddHandler cgi-script .cgi # To use server-parsed HTML files #AddType text/html .shtml #AddHandler server-parsed .shtml # Uncomment the following line to enable Apache's send-asis HTTP file # feature #AddHandler send-as-is asis # If you wish to use server-parsed imagemap files, use #AddHandler imap-file map # To enable type maps, you might want to use #AddHandler type-map var # Action lets you define media types that will execute a script whenever # a matching file is called. This eliminates the need for repeated URL # pathnames for oft-used CGI file processors. # Format: Action media/type /cgi-script/location # Format: Action handler-name /cgi-script/location # MetaDir: specifies the name of the directory in which Apache can find # meta information files. These files contain additional HTTP headers # to include when sending the document #MetaDir .web # MetaSuffix: specifies the file name suffix for the file containing the # meta information. #MetaSuffix .meta # Customizable error response (Apache style) # these come in three flavors # # 1) plain text #ErrorDocument 500 "The server made a boo boo. # n.b. the (") marks it as text, it does not get output # # 2) local redirects #ErrorDocument 404 /missing.html # to redirect to local url /missing.html #ErrorDocument 404 /cgi-bin/missing_handler.pl # n.b. can redirect to a script or a document using server-side-includes. # # 3) external redirects #ErrorDocument 402 http://some.other_server.com/subscription_info.html # Contents of httpd.conf: # This is the main server configuration file. See URL http://www.apache.org/# for instructions.# Do NOT simply read the instructions in here without understanding # what they do, if you are unsure consult the online docs. You have been # warned. # Originally by Rob McCool # ServerType is either inetd, or standalone. ServerType standalone # If you are running from inetd, go to "ServerAdmin". # Port: The port the standalone listens to. For ports < 1023, you will # need httpd to be run as root initially. Port 80 # HostnameLookups: Log the names of clients or just their IP numbers # e.g. www.apache.org (on) or 204.62.129.132 (off)HostnameLookups on # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch. # User/Group: The name (or #number) of the user/group to run httpd as. # On SCO (ODT 3) use User nouser and Group nogroup # On HPUX you may not be able to use shared memory as nobody, and the # suggested workaround is to create a user www and use that user. User nobody Group nobody #-1 #The following directive disables keepalives and HTTP header flushes for # Netscape 2.x and browsers which spoof it. There are known problems with # these BrowserMatch Mozilla/2 nokeepalive # ServerAdmin: Your address, where problems with the server should be # e-mailed. ServerAdmin webcoordinator@cadence.com # ServerRoot: The directory the server's config, error, and log files # are kept in ServerRoot /opt/local/etc/httpd # BindAddress: You can support virtual hosts with this option. This option # is used to tell the server which IP address to listen to. It can either # contain "*", an IP address, or a fully qualified Internet domain name.# See also the VirtualHost directive. #BindAddress * # ErrorLog: The location of the error log file. If this does not start # with /, ServerRoot is prepended to it. ErrorLog logs/error_log # TransferLog: The location of the transfer log file. If this does not # start with /, ServerRoot is prepended to it. TransferLog logs/access_log # PidFile: The file the server should log its pid toPidFile logs/httpd.pid # ScoreBoardFile: File used to store internal server process information. # Not all architectures require this. But if yours does (you'll know because # this file is created when you run Apache) then you *must* ensure that # no two invocations of Apache share the same scoreboard file.ScoreBoardFile logs/apache_status # ServerName allows you to set a host name which is sent back to clients for # your server if it's different than the one the program would get (i.e. use # "www" instead of the host's real name). # # Note: You cannot just invent host names and hope they work. The name you # define here must be a valid DNS name for your host. If you don't understand # this, ask your network administrator. ServerName timecard.cadence.com #CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each # document that was negotiated on the basis of content. This asks proxy # servers not to cache the document. Uncommenting the following line disables # this behavior, and proxies will be allowed to cache the documents. #CacheNegotiatedDocs # Timeout: The number of seconds before receives and sends time out Timeout 300 # KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. KeepAlive On # MaxKeepAliveRequests: The maximum number of requests to allow # during a persistent connection. Set to 0 to allow an unlimited amount. # We reccomend you leave this number high, for maximum performance. MaxKeepAliveRequests 100 # KeepAliveTimeout: Number of seconds to wait for the next request KeepAliveTimeout 15 # Server-pool size regulation. Rather than making you guess how many # server processes you need, Apache dynamically adapts to the load it # sees --- that is, it tries to maintain enough server processes to # handle the current load, plus a few spare servers to handle transient# load spikes (e.g., multiple simultaneous requests # from a single Netscape browser). # It does this by periodically checking how many servers are waiting # for a request. If there are fewer than MinSpareServers, it creates # a new spare. If there are more than MaxSpareServers, some of the# spares die off. These values are probably OK for most sites --- MinSpareServers 5 MaxSpareServers 250 # Number of servers to start --- should be a reasonable ballpark figure. StartServers 5 # Limit on total number of servers running, i.e., limit on the number # of clients who can simultaneously connect --- if this limit is ever # reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW. # It is intended mainly as a brake to keep a runaway server from taking# Unix with it as it spirals down... MaxClients 250 #MaxClients 150 # MaxRequestsPerChild: the number of requests each child process is # allowed to process before the child dies. # The child will exit so as to avoid problems after prolonged use when # Apache (and maybe the libraries it uses) leak. On most systems, this # isn't really needed, but a few (such as Solaris) do have notable leaks # in the libraries. MaxRequestsPerChild 30 # Proxy Server directives. Uncomment the following line to # enable the proxy server: #ProxyRequests On # To enable the cache as well, edit and uncomment the following lines: #CacheRoot /usr/local/etc/httpd/proxy #CacheSize 5 #CacheGcInterval 4 #CacheMaxExpire 24 #CacheLastModifiedFactor 0.1 #CacheDefaultExpire 1 #NoCache a_domain.com another_domain.edu joes.garage_sale.com # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, in addition to the default. See also the VirtualHost command #Listen 3000 #Listen 12.34.56.78:80 # VirtualHost: Allows the daemon to respond to requests for more than one # server address, if your server machine is configured to accept IP packets # for multiple addresses. This can be accomplished with the ifconfig # alias flag, or through kernel patches like VIF. # Any httpd.conf or srm.conf directive may go into a VirtualHost command.# See alto the BindAddress entry. # #ServerAdmin webmaster@host.some_domain.com #DocumentRoot /www/docs/host.some_domain.com #ServerName host.some_domain.com #ErrorLog logs/host.some_domain.com-error_log #TransferLog logs/host.some_domain.com-access_log # >Description: According to the below entries in my access.conf: # Options Indexes FollowSymLinks Options None AllowOverride None order deny,allow deny from all allow from all AllowOverride None Options Indexes order allow,deny allow from all deny from all order deny,allow deny from all allow from all require valid-user AuthUserFile /opt/local/etc/httpd/passwd/passwd AuthName Timecard AuthType Basic Users should be able to: Get denied complete access to the websites document root (http://timecard/) Get into and able to view the index of http://timecard/cgi-bin directory Get prompted for a password authentication for http://timecard/test/ But instead what happens: Every yahoo gets complete, non-authenticated access to http://timecard/test and access to http://timecard Browsing access to http://timecard/cgi-bin/ is forbidden. It is almost as if the access.conf file is completely ignored. >How-To-Repeat: Unfortunately, http://timecard is on a non-accessable intranet. >Fix: I've been pulling my hair out. I copied these conf files from another apache 1.2.0 server. User authentication worked just AOK for that one. The ownership of the conf files was set at root/other on that other server, but I tried that as well. I must have some sort of setting or flag somewhere that basically tells apache to forget about the access.conf file. %0 >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Thu Sep 11 17:54:31 PDT 1997 State-Changed-Why: This is a configuration question, not a bug report. We can not help all 600,000 Apache users configure their system. Please ask on the comp.infosystems.www.servers.unix newsgroup, as directed in the instructions. Briefly, you have many configuration errors. Some of them: - you refer to /opt in some places and /usr in others - you say "deny from all" then "allow from all". With the order deny,allow, that means everyone gets access. - you can't do directory indexes for ScriptAliased directories; even if you could, your cgi-bin is in /opt and you are restricting /usr. Even if one is a symlink to another, you can't mix the two. - Your "Limit Get Post Put" is broken because methods are case sensitive (eg. GET, not Get). If you want to limit all methods, simply remove the Limit directives. You really need to look at your config files in more detail and ask yourself why you are doing each thing. Oh, and Location directives and Directory directives do different things. Directory is what you want, not Location. Read the manual. >Unformatted: