Author |
|
Okami
Joined: 23 Aug 2019 Posts: 5 Location: Taiwan
|
Posted: Fri 23 Aug '19 7:21 Post subject: <RequireAll> deny all with local got 403 |
|
|
I have a question in apache 2.4. This is my setting in /etc/httpd/conf.d/vhost-www0.conf
Code: | <VirtualHost *:80>
DocumentRoot "/var/www/virtual"
ServerName www0.example.com
<Directory "/var/www/virtual">
<RequireAll>
Require all granted
</RequireAll>
</Directory>
<Directory "/var/www/virtual/private">
<RequireAll>
Require all denied
Require local
</RequireAll>
</Directory>
</VirtualHost> |
I got 403 Forbidden when open with http://www0.example.com/private/index.html
But if I took away RequireAll tag, like this
Code: | <VirtualHost *:80>
DocumentRoot "/var/www/virtual"
ServerName www0.example.com
<Directory "/var/www/virtual">
<RequireAll>
Require all granted
</RequireAll>
</Directory>
<Directory "/var/www/virtual/private">
Require all denied
Require local
</Directory>
</VirtualHost> |
And then open with http://www0.example.com/private/index.html again, it's show my index content.
Who can tell me why? Or it's my setting have somewhere wrong?
Information in google say if I want use Require, should use with ReqiureAll tag Is that wrong?
(Had try Require local granted is not work too)
Thank you very much, hope you have a good day |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Fri 23 Aug '19 10:57 Post subject: |
|
|
It's strange behavior for sure but the way <RequireAll> works I think your basically confusing Apache. After all, local is a part of "All" and your forcing Apache to deny All.
Really, <RequireAny> is what you want, It will give local access but reject all others trying to gain access.
Try it.
Note, because <RequireAny> is Apache's default behavior, all you should need is Code: | Require all denied
Require local
| and not need to use any <Require*> containers. |
|
Back to top |
|
Okami
Joined: 23 Aug 2019 Posts: 5 Location: Taiwan
|
Posted: Fri 23 Aug '19 11:12 Post subject: |
|
|
Hi James
Thank's for your suggest, but is't not work too after I add any this three set:
(my environment no have ipv6 setting)
1. Require ip 127.0.0.0/8
2. Require ip 127.0.0.1/8
3. Require ip 172.25.0.11
the error log still is
[authz_core:error] [pid 66919] [client 172.25.0.11:39927] AH01630: client denied by server configuration: /var/www/virtual/private/index.html
|
|
Back to top |
|
Okami
Joined: 23 Aug 2019 Posts: 5 Location: Taiwan
|
Posted: Fri 23 Aug '19 11:29 Post subject: |
|
|
Hi glsmith
Thank's for your suggest, change to <RequireAny> is run.
But my doubt is why in <RequireAll> will be error?
Some information say
<RequireAll> can't have fail, at least one match than success, fail is priority
<RequireAny> can have fail, if have one match than success, success is priority
if at least one match than success, my first set is Require local, why error too?
Code: | <RequireAny>
Require local
Require all denied
</RequireAny> |
|
|
Back to top |
|
Otomatic
Joined: 01 Sep 2011 Posts: 213 Location: Paris, France, EU
|
|
Back to top |
|
Okami
Joined: 23 Aug 2019 Posts: 5 Location: Taiwan
|
Posted: Fri 23 Aug '19 17:10 Post subject: |
|
|
Hi Otomatic,
Thank's for your suggest!
But I'm very sorry that I can't understand ...
Require all denied fails >> why this is fails?
My Web show 403, isn't that this rule is success?
I had read the document which you post
I think that mean if there have at least one success then success? Or is I have somewhere misunderstanding ? |
|
Back to top |
|
Otomatic
Joined: 01 Sep 2011 Posts: 213 Location: Paris, France, EU
|
Posted: Fri 23 Aug '19 18:54 Post subject: |
|
|
Hi,
These are directives for requesting access authorisation, which means that when access authorisation is refused, the directive fails.
Require all denied is always fail because access authorisation is not given.
<Require All> asks that none of the present directives be "failed". In other words, <Require All> requires that all directives be validated, and in a <Require All> structure, Require all denied and Require local are antinomic, both cannot be successful at the same time.
Sorry if my explanations seem confusing to you, but English is not my native language.
Edit : 403 means "access denied" and this is the case with your structure <Require All> since not all directives are OK, at least one is "failed".
This works with the same directives in <Require Any> because in this case, it is enough if only one directive is OK. |
|
Back to top |
|
Okami
Joined: 23 Aug 2019 Posts: 5 Location: Taiwan
|
Posted: Sat 24 Aug '19 16:33 Post subject: |
|
|
Hi Otomatic,
Thank's for your explanation
I think I probably got something that you mean about my doubt.
This description is very helpful for me
English is not my native language, too
So is really hard for me when read Official documents.
Very grateful! Wish you have a nice day |
|
Back to top |
|