Apache configuration problem with <Directory> and <Location>

apache-2.2 configuration directory

I'm stuck with a pretty nasty problem. I have a staging system here that only our customers and our company should have access to. This is done using the following configuration:

<Directory "/srv/www/example.com">
    AllowOverride All
    Options FollowSymlinks -Indexes
    Order deny,allow
    Allow from 127.0.0.0/8 1.2.3.4 5.6.7.8
    # our IP
    Allow from 4.3.2.1
    # PayPal IPN
    Allow from 216.113.191.33
#    Deny from all

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /srv/www/htdocs/.htpasswd
    Require valid-user
    Satisfy Any
</Directory>

Now I want to make one URL public so everyone has access to it. As it is a URL I went for the Location directive. So I tried the following:

<Location /url/to/config.xml>
    Order allow,deny
    Allow from all
</Location>

But no matter which combination I try for Order, it just won't work and the server always asks for credentials. Am I missing something? As far as I understood the docs at apache.org, the Location directive is parsed after Directory and therefore should be able to override the access limitations.

Any idea/hint?

Best Answer

You should be able to do this with multiple <Directory> blocks. Here is a link to the applicable Apache documentation:

http://httpd.apache.org/docs/2.2/sections.html

I think the key items for your case are:

What to use When

Choosing between filesystem containers and webspace containers is actually quite easy. When applying directives to objects that reside in the filesystem always use <Directory> or <Files>. When applying directives to objects that do not reside in the filesystem (such as a webpage generated from a database), use <Location>.

It is important to never use <Location> when trying to restrict access to objects in the filesystem. This is because many different webspace locations (URLs) could map to the same filesystem location, allowing your restrictions to be circumvented.

Also http://httpd.apache.org/docs/2.2/sections.html#mergin - specifically:

Apart from <Directory>, each group is processed in the order that they appear in the configuration files. <Directory> (group 1 above) is processed in the order shortest directory component to longest. So for example, <Directory /var/web/dir> will be processed before <Directory /var/web/dir/subdir>. If multiple <Directory> sections apply to the same directory they are processed in the configuration file order. Configurations included via the Include directive will be treated as if they were inside the including file at the location of the Include directive.

I think this will work:

<Directory "/srv/www/example.com">
    AllowOverride All
    Options FollowSymlinks -Indexes
    Order deny,allow
    Allow from 127.0.0.0/8 1.2.3.4 5.6.7.8
    # our IP
    Allow from 4.3.2.1
    # PayPal IPN
    Allow from 216.113.191.33
#    Deny from all

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /srv/www/htdocs/.htpasswd
    Require valid-user
    Satisfy Any
</Directory>
<Directory "/srv/www/example.com/url/to/config.xml">
    Order allow,deny
    Allow from all
</Directory>
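
The same exemption written with a <Files> section, as an added example that is not part of the original answer: <Directory> names a directory, so a single file is exempted by nesting <Files> inside the directory that holds it. It assumes the URL /url/to/config.xml maps to the file /srv/www/example.com/url/to/config.xml on disk and uses the Apache 2.2 access-control syntax seen on this page.

```apache
# Added example, Apache 2.2 syntax (Order/Allow/Deny/Satisfy).
# Assumption: /url/to/config.xml is served from
# /srv/www/example.com/url/to/config.xml.

# Staging tree: listed addresses get in without a login,
# everyone else must authenticate.
<Directory "/srv/www/example.com">
    AllowOverride All
    Options FollowSymlinks -Indexes

    # With "Order deny,allow" a host that matches neither Deny nor Allow
    # is permitted, so "Deny from all" has to be active for the address
    # list to restrict anything.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/8 1.2.3.4 5.6.7.8
    # our IP
    Allow from 4.3.2.1
    # PayPal IPN
    Allow from 216.113.191.33

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /srv/www/htdocs/.htpasswd
    Require valid-user
    # Any: passing the address check OR a valid login is enough.
    Satisfy Any
</Directory>

# Public exception for one file. <Directory> sections are merged from the
# shortest path to the longest, and <Files> sections are merged after all
# <Directory> sections, so this block is applied last for config.xml.
<Directory "/srv/www/example.com/url/to">
    # Matches config.xml in this directory and in its subdirectories;
    # everything else in the tree keeps the rules above.
    <Files "config.xml">
        Order allow,deny
        Allow from all
        # Stated explicitly so the block does not rely on inheritance:
        # every host passes the address check, so no login is requested.
        Satisfy Any
    </Files>
</Directory>
```

After `apachectl configtest` and a reload, an unauthenticated request for /url/to/config.xml from an unlisted address should return 200, while any other path under the tree should still return 401.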