logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.


Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Disallow access to all files except a alias in Apache 2.4
Author
GoofyX



Joined: 13 Jan 2020
Posts: 5
Location: Greece

PostPosted: Fri 10 Sep '21 17:55    Post subject: Disallow access to all files except a alias in Apache 2.4 Reply with quote

I have a Debian 11 web server that is setup with the Matomo analytics PHP software. In the site's configuration I have these lines:
Code:
<Files "*">
    Require ip 192.168.0.0/24
</Files>

<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|^container_.*\.js|robots\.txt|optOut.js|favicon\.ico)">
    Require all granted
</FilesMatch>

Alias "/csp" "/www/vhosts/csp"
<Directory /www/vhosts/csp>
    DirectoryIndex index.php
    Require all granted
</Directory>

This is just a snippet. I also have a alias (/csp) with a few PHP files for a specific job. My problem is that I cannot access this alias outside the allowed IP range (192.168.0.0/24), although I have (in theory) added the directives for this (Require all granted) in the last Directory section. The /www/vhosts/csp directory resides outside Matomo's directory (thus, the Alias).

Inside the 192.168.0.0/24 network everything is fine. Accessing the /csp alias outside the network is not allowed (Forbidden because of client configuration).

How can I allow any host to access the /csp alias? Commenting out the first Files directive allows access to /csp, but is not what I wan (I don't want the other Matomo files to be accessible from any host).
Back to top
tangent



Joined: 16 Aug 2020
Posts: 125
Location: UK

PostPosted: Fri 10 Sep '21 20:32    Post subject: Reply with quote

If you look at the <Files> directive https://httpd.apache.org/docs/current/mod/core.html#files it says:
    <Files> sections are processed in the order they appear in the configuration file, after the <Directory> sections and .htaccess files are read, but before <Location> sections
So your <Files "*"> "Require ip" directive restriction takes precedence over the <Directory> "Require all granted" directive.

Does anything change if you alter your configuration logic to the following?
Code:
Alias "/csp" "/www/vhosts/csp"
<Directory /www/vhosts/csp>
    DirectoryIndex index.php
</Directory>

<Location /csp>
    Require all granted
</Location>
Back to top
GoofyX



Joined: 13 Jan 2020
Posts: 5
Location: Greece

PostPosted: Fri 10 Sep '21 20:44    Post subject: Reply with quote

Your answer helped me, thank you!

What I did was to transfer the Files and FilesMatch directives inside the Directory directive of the Matomo site's document root, so that they wouldn't apply to the whole directory structure and effectively override the alias /csp, something like this:

Code:

<Directory /www/vhosts/matomo>
    Require all granted
    AllowOverride None
    <Files "*">
        Require ip 192.168.0.0/24
    </Files>

    <FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|^container_.*\.js|robots\.txt|optOut.js|favicon\.ico)">
        Require all granted
    </FilesMatch>
</Directory>


It helped. Thanks! Very Happy
Back to top


Reply to topic   Topic: Disallow access to all files except a alias in Apache 2.4 View previous topic :: View next topic
Post new topic   Forum Index -> Apache