Require all denied has no effect. Require all allowed, works

I have a website structure setup as follows, which I am trying to organize access levels for each but without specifying <Directory> as that requires the structure to be fixed (aka, if i copy this to a different site, into a subfolder, it would require editing of all .htaccess to the new location).

/app/ – allow all, deny config/etc
/app/templates/ – deny all
/app/templates/mytheme/ – allow all for images, javascript, css, fonts only
/app/lib/ – deny all

I have tried implementing Apache2.4's new(ish) directive scheme:

/etc/apache2/conf-enabled/security.conf

... more stuff above ...

<Directory />
   AllowOverride All
   Require all denied
</Directory>

... more stuff below ...

And adding Require all allowed to .htaccess in the root of the application, while adding Require all denied to .htaccess in the folders I wish to deny access to.

The problem is Require all denied seems to do absolutely nothing. I have seen reference to using the mod_auth_compat or whichever library, but it appears to only be required for older versions of apache (v2.3).

I am using Apache 2.4 on Debian 8.

Previously, I would supply :

Order Allow, Deny
Deny from all

And then drop the following in folders which require access :

Allow from all

.. and where I need to allow only specific file type access,

<FilesMatch "\.(jpg|jpeg|gif|png|bmp|svg|css|less|sass|scss|js|ttf|woff|woff2|eot)$">
    Allow from all
</FilesMatch>

According to apache's documentation, unexpected results may arise from mixing old and new declarations, and as such, I am only using new declarations. There are no stray .htaccess files or *.conf files loaded using the old declaration format for permissions – so this should work ?

Given the folder structure I laid out, and what is loaded in '/etc/apache2/conf-enabled/security.conf' (as that is where the "root" declaration is for AllowOverride [it doesn't seem to function when specifying AllowOverride All inside the same format of declaration in the websites conf ( 000-default.conf )], could someone give some guidance or preferably a working solution to this problem.

Best Answer

See the upgrade guide with examples on the Require Directive: https://httpd.apache.org/docs/trunk/en/upgrading.html

Deny from all is now Require all denied
Allow from all is now Require all granted

Plot twist: Apache 2.4 doesn't grant access to any directory by default and the order of evaluation has changed.

It was commonplace to block access to the filesystem in apache 2.2, with a Directory / + Require all denied as you wrote. It should be removed now. It will backfire if it ever supersedes permissions in subdirectories.

See the documentation on merging authentication restrictions. It gets insanely complicated in practice. https://httpd.apache.org/docs/trunk/en/mod/mod_authz_core.html#authmerging

The Require all granted in /app is evaluated before the Require all denied in the /app/lib subdirectory. It looks like apache grants access upon meeting the first allowing rule so it's allowed. The whole tree got opened by the directive on the parent and there is not a lot you can do against that.

My advise is to not mix public and private content. It's completely unmanageable in practice. If it's served, it's meant to be served.

Best Answer

Related Solutions

Centos – .htaccess enabled, but not working

Apache – Understanding Apache’s ‘Require All Granted’

Related Topic