Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Prevent access to URL parent but not its children |
|
Author |
|
faal
Joined: 27 Sep 2023 Posts: 5
|
Posted: Wed 27 Sep '23 13:00 Post subject: Prevent access to URL parent but not its children |
|
|
Hello everyone, I am glad I found an Apache forum.
I run a live Debian VPS with Apache (I have full control over it). I am trying to prevent access to a URL but not its children.
Example:
I want to prevent any access to https://example.com/users but I want to allow access to https://example.com/users/johnsmith, https://example.com/users/jameswhite, and so on.
I understand I need to use a <Location> directive for this, but I am unsure as to how exactly use it. I looked in the apache.org documentation but I find it confusing.
Does anyone have some advice?
Many thanks
Server version: Apache/2.4.56 (Debian) |
|
Back to top |
|
faal
Joined: 27 Sep 2023 Posts: 5
|
Posted: Wed 27 Sep '23 19:00 Post subject: |
|
|
I tried this in my apache2.conf
Code: |
<Location /users>
Order Allow,Deny
</Location>
<Location /users/*>
Order Deny,Allow
</Location>
|
But this is blocking access to both the parent and its children. |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 346 Location: UK
|
Posted: Wed 27 Sep '23 20:59 Post subject: |
|
|
You've said you're using Apache 2.4, so switching to later configuration options, try this:
Code: | <Location /users/>
Options None
AllowOverride None
Require all denied
</Location>
<LocationMatch /users/*>
Require all granted
</LocationMatch>
|
For me, on a test instance of Apache, this blocks access to /users, but not the folders below.
You can add additional caveats and authentication directives to the sub-folder LocationMatch block as required. |
|
Back to top |
|
faal
Joined: 27 Sep 2023 Posts: 5
|
Posted: Thu 28 Sep '23 9:32 Post subject: |
|
|
Hi tangent, thanks a lot for replying.
I just tried this, unfortunately I get 403 Forbidden on both /users/ and its children still.
You mentioned Apache version 2.4 and later configuration options, does that infer that this Apache version 2.4 has somehow a different syntax? |
|
Back to top |
|
faal
Joined: 27 Sep 2023 Posts: 5
|
Posted: Thu 28 Sep '23 19:05 Post subject: |
|
|
Ok, I've added this and it works.
Code: | <LocationMatch "^/users/$">
Require all denied
</LocationMatch>
<LocationMatch "^/users/[^/]+$">
Require all granted
</LocationMatch>
|
|
|
Back to top |
|
|
|
|
|
|