Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Disallow access to all files except a alias in Apache 2.4 |
|
| Author |
|
GoofyX
Joined: 13 Jan 2020
Posts: 6
Location: Greece
|
 Posted: Fri 10 Sep '21 17:55 Post subject: Disallow access to all files except a alias in Apache 2.4 |
 |
|
I have a Debian 11 web server that is setup with the Matomo analytics PHP software. In the site's configuration I have these lines:
| Code: | <Files "*">
Require ip 192.168.0.0/24
</Files>
<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|^container_.*\.js|robots\.txt|optOut.js|favicon\.ico)">
Require all granted
</FilesMatch>
Alias "/csp" "/www/vhosts/csp"
<Directory /www/vhosts/csp>
DirectoryIndex index.php
Require all granted
</Directory>
|
This is just a snippet. I also have a alias (/csp) with a few PHP files for a specific job. My problem is that I cannot access this alias outside the allowed IP range (192.168.0.0/24), although I have (in theory) added the directives for this (Require all granted) in the last Directory section. The /www/vhosts/csp directory resides outside Matomo's directory (thus, the Alias).
Inside the 192.168.0.0/24 network everything is fine. Accessing the /csp alias outside the network is not allowed (Forbidden because of client configuration).
How can I allow any host to access the /csp alias? Commenting out the first Files directive allows access to /csp, but is not what I wan (I don't want the other Matomo files to be accessible from any host). |
|
| Back to top |
|
tangent
Moderator
Joined: 16 Aug 2020
Posts: 348
Location: UK
|
| Posted: Fri 10 Sep '21 20:32 Post subject: |
|
|
If you look at the <Files> directive https://httpd.apache.org/docs/current/mod/core.html#files it says:
<Files> sections are processed in the order they appear in the configuration file, after the <Directory> sections and .htaccess files are read, but before <Location> sections So your <Files "*"> "Require ip" directive restriction takes precedence over the <Directory> "Require all granted" directive.
Does anything change if you alter your configuration logic to the following?
| Code: | Alias "/csp" "/www/vhosts/csp"
<Directory /www/vhosts/csp>
DirectoryIndex index.php
</Directory>
<Location /csp>
Require all granted
</Location> |
|
|
| Back to top |
|
GoofyX
Joined: 13 Jan 2020
Posts: 6
Location: Greece
|
| Posted: Fri 10 Sep '21 20:44 Post subject: |
|
|
Your answer helped me, thank you!
What I did was to transfer the Files and FilesMatch directives inside the Directory directive of the Matomo site's document root, so that they wouldn't apply to the whole directory structure and effectively override the alias /csp, something like this:
| Code: |
<Directory /www/vhosts/matomo>
Require all granted
AllowOverride None
<Files "*">
Require ip 192.168.0.0/24
</Files>
<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|^container_.*\.js|robots\.txt|optOut.js|favicon\.ico)">
Require all granted
</FilesMatch>
</Directory>
|
It helped. Thanks!  |
|
| Back to top |
|
|
|
|
|
|
