Match / Deny access to all subdirectories using apache2 server configuration
How can one deny access to all subdirectories of a given directory, while still being able to manually modify the access rights for single items in the directory tree?
I tried to do it with the <Directory(Match)> directives. The server configuration (000-sites-enabled) looks like this:
DocumentRoot /var/www
<Directory /var/www>
Allow from all
Deny from none
Order deny,allow
</Directory>
<Directory /var/www/*>
Deny from all
</Directory>
A query to http://localhost/ successfully displays /var/www/index.html and all queries to any subdirectories fail.
The problem is: any query to a file in the httproot fails, i.e. requesting http://localhost/index.html will result in 403 Forbidden.
The <Directory(Match)> directives seem to actually match directories AND files!?
To see if this is true, I tried:
<Directory /var/www/i*>
Deny from all
</Directory>
This denies access only to files/directories starting with 'i'.
Is there a way to alter this behaviour and let <Directory> match only directories? Is there another way to accomplish that all the subdirectories are denied? (besides denying all of them manually or enabling all files manually)
In the end, the solution turns out to be pretty simple:
<Directory /var/www/*/>
Allow from None
Order allow,deny
</Directory>
Note the trailing slash / after the directory pattern, which will make it match only directories, not files!
This works exactly like we would expect from the <Directory> directive, in that it denies access only to the direct subdirectories of /var/www/.
Specified subdirectories (anywhere in the tree) can still manually be re-enabled with <Directory> directives.
This is in contrast to <DirectoryMatch>, which will
- also match all files & directories in the tree and
- override all <Files> or <Directory> directives for any item in the tree.
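The same layout in Apache 2.4 authorization syntax, as an added example that is not part of the original answers. It assumes Apache 2.4 with mod_authz_core and that the trailing-slash wildcard behaves as the answer above describes; /var/www/downloads is a hypothetical subdirectory used for illustration.

```apache
# Added example (not from the original answers). Assumes Apache 2.4.
# /var/www/downloads is a hypothetical directory name.

DocumentRoot /var/www

# Files directly in the document root stay reachable.
<Directory /var/www>
    Require all granted
</Directory>

# Trailing slash as in the answer above: the wildcard section targets the
# direct subdirectories of /var/www, not files such as index.html.
<Directory /var/www/*/>
    Require all denied
</Directory>

# Re-enable one subdirectory explicitly. This path has the same depth as the
# wildcard section, and sections of equal depth are applied in configuration
# file order, so it has to come after the wildcard section to take effect.
<Directory /var/www/downloads>
    Require all granted
</Directory>
```

After editing, check the syntax with apachectl configtest, then request a file in the document root and a file in a denied subdirectory to confirm that the first is served and the second returns 403.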
This did it for me.
# don't put $ at the end
<DirectoryMatch "^/var/www/(.+)/">
Order Allow,Deny
Deny From All
</DirectoryMatch>
EDIT
For not denying sub-subdirectories (comment below), add this DirectoryMatch below the one above in your configuration file:
# again no $, see comment
<DirectoryMatch "^/var/www/(.+?)/(.+)/">
Order Deny,Allow
Allow From All
</DirectoryMatch>
Use this:
<Directory /var/www/public>
allow from all
</Directory>
<DirectoryMatch "^/var/www/public/(.+)/">
deny from all
</DirectoryMatch>
You might want to add Options etc.
The trick is how the directives are merged.
The best approach is to move all content not available to the public to a directory outside the root tree, such as /home/my/app/:
<Directory /home/my/app>
Order Allow,Deny
Deny from all
</Directory>
Then give read permission to the Apache user in that directory and in all directories that lead to that one, say, /home and /my.
This way there is no risk of some of that content leaking when some root directory configuration error occurs.
You can disable auto indexing in all sub-directories by removing the Indexes option from the Options directive inside the configuration file, so for the default configuration the Options directive should look something like:
httpd.conf:
...
Options FollowSymLinks
...
(no "Indexes" option set.)
And then, put an index.html or index.php file inside each particular sub-directory you want to be available for client access.
If you want auto indexing to be enabled in some particular directory, you could add a .htaccess file inside that directory and put this line inside the .htaccess file:
Options Indexes
Note that .htaccess affects its directory and all of its sub-directories recursively, so you should exclude any sub-directory where you don't want this option by adding a .htaccess file there and disabling auto indexing with:
Options -Indexes
Note: For .htaccess files to be enabled and take effect in the Apache configuration, you should set AllowOverride All on the directory matches where you want to place a .htaccess file.
So, I have 2 thoughts that might be of help (or not).
The first is that locations can override your directory permissions. So make sure you don't have those. Hitting localhost/ is hitting whatever you have set up as root, which is probably overriding your security. That's why if you specify the file directly, you can't get to it. So, if you don't want people to be able to reach your root, you should not specify a root.
As for your point about restricting access to subdirectories, I would check out this other post. ... maybe not helpful. Perhaps more details into your use case would help.
https://serverfault.com/questions/190447/apache-2-htaccess-matching-all-sub-directories-of-current-directory