Default User Home Directory Permissions
So it seems that the default permissions on user home directories in Ubuntu 12.04 is 700. Nginx needs to have read permission the files that should be served AND have execute permission in each of the parent directories along the path from the root to the served files.
You can give your user directory these permissions by running
chmod 701 user_home
You may also use 755, which is the default permission setting on the home directory on many systems.
The directories/files in your web root can belong to the www-data user or your regular personal user as long as the user/group that nginx runs as (as defined in nginx.conf) has READ permission on all files to be served and execute permission on all web root directories.
I just set all directories in my web root to be owned by my user account and have permissions 755 and I set all files to be served from the web root to have permissions 664 since these were the defaults on my machine.
Note on Converting Permission numbers to String Rep.
Ex. drwxr-x--x becomes 751.
Ignore the first character (d for directory, - for file, etc). The remaining 9 characters form a binary triplet where any non-dash character is a 1 and a dash is a 0.
So drwxr-x--x becomes rwxr-x--x
becomes 111 101 001
which is converted to a decimal 751
I needed a refresher on this when I was dealing with permissions.
When you use Order Deny,Allow the Allow from all will override any Deny from ....
The default behaviour with Order Deny,Allow in the event of no match is to "allow". Does it work closer to expected if you remove "Allow from all"?
Each <Directory> also inherits ancestor (i.e. shorter path) <Directory> settings, so the <LimitExcept> applies to the other <Directory> sections too. You cannot simply undo this by adding
<Limit GET HEAD>
Allow from all
</Limit>
to those, because that will undo your blocking of the bad IP addresses there too. (I don't know if you need to undo it on your website though.)
The important things to remember about Order/Allow/Deny are:
- this is not first-match logic like conventional access control
- the
Allow and the Deny are both checked for any match
- which one wins (
Allow or Deny) and what the default is both depend on the Order.
It's not a great idea to have duplicate <Directory ...> blocks, but if you do they are processed in the order they appear in the config.
See the Apache docs for the full logic: http://httpd.apache.org/docs/2.2/sections.html
Since your requirements don't quite fit simple allow/deny logic you should look at using either or both of:
SetEnvIf and Allow from env=... Deny from env=...mod_rewrite
This is one way of doing it:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} 1.1.1.1 [OR]
RewriteCond %{REMOTE_ADDR} 2.2.2.2 [OR]
RewriteCond %{REMOTE_ADDR} 3.3.3.3
RewriteRule . - [F]
Place that in your <Virtualhost> outside and </Directory> containers. Should the list of IPs be large or volatile you can also use RewriteMap and a variation on the above to keep IPs in a separate file as a more scalable solution.
Best Answer
Add
to the
denydirective level. This should prevent those entries.