I have a website structure setup as follows, which I am trying to organize access levels for each but without specifying <Directory>
as that requires the structure to be fixed (aka, if i copy this to a different site, into a subfolder, it would require editing of all .htaccess to the new location).
- /app/ – allow all, deny config/etc
- /app/templates/ – deny all
- /app/templates/mytheme/ – allow all for images, javascript, css, fonts only
- /app/lib/ – deny all
I have tried implementing Apache2.4's new(ish) directive scheme:
/etc/apache2/conf-enabled/security.conf
... more stuff above ...
<Directory />
AllowOverride All
Require all denied
</Directory>
... more stuff below ...
And adding Require all allowed
to .htaccess
in the root of the application, while adding Require all denied
to .htaccess
in the folders I wish to deny access to.
The problem is Require all denied
seems to do absolutely nothing. I have seen reference to using the mod_auth_compat
or whichever library, but it appears to only be required for older versions of apache (v2.3).
I am using Apache 2.4 on Debian 8.
Previously, I would supply :
Order Allow, Deny
Deny from all
And then drop the following in folders which require access :
Allow from all
.. and where I need to allow only specific file type access,
<FilesMatch "\.(jpg|jpeg|gif|png|bmp|svg|css|less|sass|scss|js|ttf|woff|woff2|eot)$">
Allow from all
</FilesMatch>
According to apache's documentation, unexpected results may arise from mixing old and new declarations, and as such, I am only using new declarations. There are no stray .htaccess
files or *.conf
files loaded using the old declaration format for permissions – so this should work ?
Given the folder structure I laid out, and what is loaded in '/etc/apache2/conf-enabled/security.conf' (as that is where the "root" declaration is for AllowOverride [it doesn't seem to function when specifying AllowOverride All
inside the same format of declaration in the websites conf ( 000-default.conf )], could someone give some guidance or preferably a working solution to this problem.
Best Answer
See the upgrade guide with examples on the
Require
Directive: https://httpd.apache.org/docs/trunk/en/upgrading.htmlDeny from all
is nowRequire all denied
Allow from all
is nowRequire all granted
Plot twist: Apache 2.4 doesn't grant access to any directory by default and the order of evaluation has changed.
It was commonplace to block access to the filesystem in apache 2.2, with a
Directory /
+Require all denied
as you wrote. It should be removed now. It will backfire if it ever supersedes permissions in subdirectories.See the documentation on merging authentication restrictions. It gets insanely complicated in practice. https://httpd.apache.org/docs/trunk/en/mod/mod_authz_core.html#authmerging
The
Require all granted
in/app
is evaluated before theRequire all denied
in the/app/lib
subdirectory. It looks like apache grants access upon meeting the first allowing rule so it's allowed. The whole tree got opened by the directive on the parent and there is not a lot you can do against that.My advise is to not mix public and private content. It's completely unmanageable in practice. If it's served, it's meant to be served.