<RequireAll> deny all with local got 403

 
Okami



Joined: 23 Aug 2019
Posts: 5
Location: Taiwan

Posted: Fri 23 Aug '19 7:21    Post subject: <RequireAll> deny all with local got 403

I have a question about Apache 2.4. These are my settings in /etc/httpd/conf.d/vhost-www0.conf:

Code:
<VirtualHost *:80>
    DocumentRoot "/var/www/virtual"
    ServerName www0.example.com

    <Directory "/var/www/virtual">
        <RequireAll>
            Require all granted
        </RequireAll>
    </Directory>

    <Directory "/var/www/virtual/private">
        <RequireAll>
            Require all denied
            Require local
        </RequireAll>
    </Directory>
</VirtualHost>


I got 403 Forbidden when I opened http://www0.example.com/private/index.html

But if I take away the RequireAll tag, like this:

Code:
<VirtualHost *:80>
    DocumentRoot "/var/www/virtual"
    ServerName www0.example.com

    <Directory "/var/www/virtual">
        <RequireAll>
            Require all granted
        </RequireAll>
    </Directory>

    <Directory "/var/www/virtual/private">
        Require all denied
        Require local
    </Directory>
</VirtualHost>


And then when I open http://www0.example.com/private/index.html again, it shows my index content.

Can anyone tell me why? Or is something wrong in my settings?

Information on Google says that if I want to use Require, I should use it with the RequireAll tag. Is that wrong?

(I had tried Require local granted; it does not work either.)

Thank you very much, hope you have a good day.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6638
Location: Germany, Next to Hamburg

Posted: Fri 23 Aug '19 8:28

Require local

The local provider allows access to the server if any of the following conditions is true:


    * the client address matches 127.0.0.0/8
    * the client address is ::1
    * both the client and the server address of the connection are the same



Consult your error log and the access log for the IP you access the server with.


Maybe you need to add

Require ip x

See https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html
and https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

If you still have a question, please ask again.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2203
Location: Sun Diego, USA

Posted: Fri 23 Aug '19 10:57

It's strange behavior for sure, but the way <RequireAll> works, I think you're basically confusing Apache. After all, local is a part of "All" and you're forcing Apache to deny All.

Really, <RequireAny> is what you want. It will give local access but reject all others trying to gain access.

Try it.

Note, because <RequireAny> is Apache's default behavior, all you should need is
Code:
Require all denied
Require local
and not need to use any <Require*> containers.
Back to top
Okami



Joined: 23 Aug 2019
Posts: 5
Location: Taiwan

Posted: Fri 23 Aug '19 11:12

Hi James

Thanks for your suggestion, but it does not work either after I add any of these three settings:

(my environment has no IPv6 settings)

1. Require ip 127.0.0.0/8
2. Require ip 127.0.0.1/8
3. Require ip 172.25.0.11

The error log is still:
[authz_core:error] [pid 66919] [client 172.25.0.11:39927] AH01630: client denied by server configuration: /var/www/virtual/private/index.html
Back to top
Okami



Joined: 23 Aug 2019
Posts: 5
Location: Taiwan

Posted: Fri 23 Aug '19 11:29

Hi glsmith

Thanks for your suggestion, changing to <RequireAny> works.
But my doubt is: why is it an error in <RequireAll>?

Some information says:

<RequireAll> can't have a failure; at least one match, then success; failure has priority

<RequireAny> can have a failure; if there is one match, then success; success has priority

If at least one match means success, and my first setting is Require local, why is it an error too?

Code:
        <RequireAny>
            Require local
            Require all denied
        </RequireAny>
Back to top
Otomatic



Joined: 01 Sep 2011
Posts: 14
Location: Paris

Posted: Fri 23 Aug '19 15:59

Hi,

The documentation on apache.org is very explicit on the subject
http://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall

Require all denied fails even if Require local succeeds and for <Require all> none of the authorization directives must fail.
Back to top
Okami



Joined: 23 Aug 2019
Posts: 5
Location: Taiwan

Posted: Fri 23 Aug '19 17:10

Hi Otomatic,

Thanks for your suggestion!

But I'm very sorry that I can't understand ...

Require all denied fails >> why does this fail?

My web page shows 403; doesn't that mean this rule succeeded?

I have read the document which you posted.

I think that means if there is at least one success then it succeeds? Or have I misunderstood somewhere?
Back to top
Otomatic



Joined: 01 Sep 2011
Posts: 14
Location: Paris

Posted: Fri 23 Aug '19 18:54

Hi,

These are directives for requesting access authorisation, which means that when access authorisation is refused, the directive fails.

Require all denied always fails because access authorisation is not given.

<Require All> asks that none of the present directives be "failed". In other words, <Require All> requires that all directives be validated, and in a <Require All> structure, Require all denied and Require local are antinomic; both cannot be successful at the same time.

Sorry if my explanations seem confusing to you, but English is not my native language.

Edit: 403 means "access denied" and this is the case with your structure <Require All> since not all directives are OK; at least one is "failed".
This works with the same directives in <Require Any> because in this case, it is enough if only one directive is OK.
Back to top
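The container semantics discussed in this thread, as a small Python model added here (it is not part of any post and is not Apache's code). The function names, the server address 172.25.0.11 (assumed to be the same host as the client in the error log) and the remote client 192.0.2.10 are assumptions made for the example.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def is_local(client, server):
    """The three 'Require local' conditions quoted earlier in the thread."""
    c = ipaddress.ip_address(client)
    return (c in ipaddress.ip_network("127.0.0.0/8")
            or c == ipaddress.ip_address("::1")
            or c == ipaddress.ip_address(server))

def evaluate(node, client, server):
    """node: ('all', 'granted'|'denied'), ('local',), ('ip', cidr),
    or ('RequireAll'|'RequireAny', [child nodes])."""
    kind = node[0]
    if kind == "all":
        return GRANTED if node[1] == "granted" else DENIED
    if kind == "local":
        return GRANTED if is_local(client, server) else DENIED
    if kind == "ip":
        net = ipaddress.ip_network(node[1], strict=False)  # this model tolerates host bits
        return GRANTED if ipaddress.ip_address(client) in net else DENIED
    results = [evaluate(child, client, server) for child in node[1]]
    if kind == "RequireAll":   # no child may fail, at least one must succeed
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if kind == "RequireAny":   # one successful child is enough
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    raise ValueError(f"unknown node: {kind}")

# Constructed from the two /var/www/virtual/private variants in the first post.
PRIVATE_ALL = ("RequireAll", [("all", "denied"), ("local",)])
PRIVATE_ANY = ("RequireAny", [("all", "denied"), ("local",)])  # same as no container

def decide(config, client, server="172.25.0.11"):
    # In this model anything other than "granted" ends as a refusal.
    return 200 if evaluate(config, client, server) == GRANTED else 403

if __name__ == "__main__":
    for client in ("127.0.0.1", "172.25.0.11", "192.0.2.10"):
        print(client, decide(PRIVATE_ALL, client), decide(PRIVATE_ANY, client))
```

Inside `<RequireAll>`, `Require all denied` is a child that can never succeed, so adding further `Require ip` lines cannot change the result; a `<RequireAll>` containing only `Require local` restricts access without that contradiction.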
Okami



Joined: 23 Aug 2019
Posts: 5
Location: Taiwan

Posted: Sat 24 Aug '19 16:33

Hi Otomatic,

Thanks for your explanation.

I think I probably understand what you mean regarding my doubt.

This description is very helpful for me.

English is not my native language either,
so it is really hard for me to read the official documents.

Very grateful! Wishing you a nice day.
Back to top

