logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Prevent access to URL parent but not its children
Author
faal



Joined: 27 Sep 2023
Posts: 5

PostPosted: Wed 27 Sep '23 13:00    Post subject: Prevent access to URL parent but not its children Reply with quote

Hello everyone, I am glad I found an Apache forum.

I run a live Debian VPS with Apache (I have full control over it). I am trying to prevent access to a URL but not its children.

Example:
I want to prevent any access to https://example.com/users but I want to allow access to https://example.com/users/johnsmith, https://example.com/users/jameswhite, and so on.

I understand I need to use a <Location> directive for this, but I am unsure as to how exactly use it. I looked in the apache.org documentation but I find it confusing.

Does anyone have some advice?
Many thanks

Server version: Apache/2.4.56 (Debian)
Back to top
faal



Joined: 27 Sep 2023
Posts: 5

PostPosted: Wed 27 Sep '23 19:00    Post subject: Reply with quote

I tried this in my apache2.conf

Code:

<Location /users>
   Order Allow,Deny
</Location>
<Location /users/*>
   Order Deny,Allow
</Location>


But this is blocking access to both the parent and its children.
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 346
Location: UK

PostPosted: Wed 27 Sep '23 20:59    Post subject: Reply with quote

You've said you're using Apache 2.4, so switching to later configuration options, try this:

Code:
    <Location /users/>
        Options None
        AllowOverride None
        Require all denied
    </Location>

    <LocationMatch /users/*>
        Require all granted
    </LocationMatch>

For me, on a test instance of Apache, this blocks access to /users, but not the folders below.

You can add additional caveats and authentication directives to the sub-folder LocationMatch block as required.
Back to top
faal



Joined: 27 Sep 2023
Posts: 5

PostPosted: Thu 28 Sep '23 9:32    Post subject: Reply with quote

Hi tangent, thanks a lot for replying.

I just tried this, unfortunately I get 403 Forbidden on both /users/ and its children still.

You mentioned Apache version 2.4 and later configuration options, does that infer that this Apache version 2.4 has somehow a different syntax?
Back to top
faal



Joined: 27 Sep 2023
Posts: 5

PostPosted: Thu 28 Sep '23 19:05    Post subject: Reply with quote

Ok, I've added this and it works.

Code:
<LocationMatch "^/users/$">
   Require all denied
</LocationMatch>

<LocationMatch "^/users/[^/]+$">
   Require all granted
</LocationMatch>
Back to top


Reply to topic   Topic: Prevent access to URL parent but not its children View previous topic :: View next topic
Post new topic   Forum Index -> Apache