Login or Register to Ask a Question and Join Our Community


UNIX for Dummies Questions & Answers

Problem with Restricting Directory in Apache

 
Thread Tools Search this Thread
Top Forums UNIX for Dummies Questions & Answers Problem with Restricting Directory in Apache
# 1  
Old 01-29-2010
Problem with Restricting Directory in Apache
Hello,

I want to restrict access to our Subversion repositories to only our internal network.
I have a virtual host directive setup in Apache for the IP and port 443. When I put the following:

Code:
<VirtualHost 205.147.86.33:443>

<Directory "/var/www/svn/">
Order deny,allow

AllowOverride None

deny from all
Allow from 10.7.12.0/24
Allow from 205.15.86.0/24

</Directory>

    SSLEngine on
    ServerName edison.swi.com
    ServerAdmin sysadmin@swi.com
    SSLCertificateFile /etc/httpd/conf/intra.cer
    SSLCertificateKeyFile /etc/httpd/conf/intra.key
    DocumentRoot  /var/www/html/intraweb/htdocs
    ScriptAlias /cgi-bin/ "/var/www/html/intraweb/cgi-bin/"
    AddType application/x-httpd-php .php .php4 .php3 .phtml .php5
    AddType application/x-httpd-php-source .phps
 AddType application/x-httpd-php-source .phps
    #AddHandler cgi-script cgi pl
    ErrorLog /var/opt/CollabNet_Subversion/logs/error_log
    CustomLog /var/opt/CollabNet_Subversion/logs/access_log common

<Files .htaccess>
    order deny,allow
    deny from all
</Files>
< /VirtualHost>

I can still access the subversion repositories.
Only when I block /var completely I cannot access the repositories but doing that causes the pages on our intranet from being served.

Advice?
 
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Linux

Restricting directory access in Apache server

Hi all, I have a web site that I'm serving on an Apache server, and it has a number of different folders, but I only want the user to be able to access certain ones -- the majority of them I don't want the user to access. I tried modifying my /etc/apache2/conf.d/security file to do this, but I... (1 Reply)
Discussion started by: Zel2008
1 Replies

2. UNIX for Dummies Questions & Answers

Restricting a Find search to the current directory only

Hi All, I am trying to delete file (with a mtime older than 2 days) from the current directory ONLY using: find . -daystart -maxdepth 1 -mtime 2 -exec rm {} \; but this doesn't seem to work it is still find files in subdirectories which I don't want to delete. Please can anyone offer... (2 Replies)
Discussion started by: daveu7
2 Replies

3. UNIX for Dummies Questions & Answers

Restricting a user to their home directory and below

I found this old closed thread: I can do these things, but how to I change someone's profile - where do I find the profile? I'm running Centos 5.6 ~~~~~~~~~ providing you have the password shell set to ksh, you can put this in his .profile: cd /opt/load alias -x cd=: (6 Replies)
Discussion started by: jjj0923
6 Replies

4. UNIX for Dummies Questions & Answers

Problem with Restricting Directory in Apache

Hello, I want to restrict access to our Subversion repositories to only our internal network. I have a virtual host directive setup in Apache for the IP and port 443. When I put the following: <Directory "/var/www/svn/"> Order allow,deny AllowOverride None Allow from 10.5.10.0/24 Allow... (1 Reply)
Discussion started by: mojoman
1 Replies

5. Solaris

Restricting SFTP user to a defined directory and home directory

Hi, I've created solaris user which has both FTP and SFTP Access. Using the "ftpaccess" configuration file options "guest-root" and "restricted-uid", i can restrict the user to a specific directory. But I'm unable to restrict the user when the user is logged in using SFTP. The aim is to... (1 Reply)
Discussion started by: sftpuser
1 Replies

6. Solaris

Restricting FTP access for a particular directory

Dear All, I have created a user called "x" who is allowed only to FTP and it is working fine. Here my problem is, I want to give access to a particular directory say for eg:- /dump/test directory. I don't find any option in the useradd command to restrict access to this particular directory only... (1 Reply)
Discussion started by: Vijayakumarpc
1 Replies

7. Shell Programming and Scripting

Restricting zip to current directory only

I am using the following command in a C shell script: find . -name "*.*" -print | zip $ProjectZipFile -@ to zip files in a Unix (Sun and/or Linux) directory for archiving purposes. This command works fine, the only problem being that if sub-directories are present, they are included in... (5 Replies)
Discussion started by: phudgens
5 Replies

8. Web Development

apache, surfing a directory

Hi, I have a directory and I need a url that users can surf it.like ftp. my web server is apache. Thanks in advance. (2 Replies)
Discussion started by: Zaxon
2 Replies

9. UNIX for Dummies Questions & Answers

Question about Restricting Search path of FIND to current directory

Hi, By default FIND command searches for matching files in all the subdirectories within the specified path. Is there a way to restrict FIND command's search path to only the specified directory and NOT TO scan its subdirectories. Any help would be more than appreciated. Thanks and Regards (2 Replies)
Discussion started by: super_duper_guy
2 Replies

10. UNIX for Dummies Questions & Answers

apache directory browsing

How do i prevent clients from browsing directory structures if there is no index.html in a directory? For example, lets say that i dynamically create directories on in my doc root of an apache based web server. I know if i type the url and there is no index or default page in there, then apache... (1 Reply)
Discussion started by: ezekiel61
1 Replies
Login or Register to Ask a Question

LEARN ABOUT ULTRIX

mod_apparmor

MOD_APPARMOR(8) 						     AppArmor							   MOD_APPARMOR(8)

NAME

       mod_apparmor - fine-grained AppArmor confinement for Apache

DESCRIPTION

       An AppArmor profile applies to an executable program; if a portion of the program needs different access permissions than other portions,
       the program can "change hats" via aa_change_hat(2) to a different role, also known as a subprofile.  The mod_apparmor Apache module uses
       the aa_change_hat(2) mechanism to offer more fine-grained confinement of dynamic elements within Apache such as individual php and perl
       scripts, while still allowing the performance benefits of using mod_php and mod_perl.

       To use mod_apparmor with Apache, ensure that mod_apparmor is configured to be loaded into Apache, either via a2enmod, yast or manual
       editing of the apache2(8)/httpd(8) configuration files, and restart Apache. Make sure that apparmor is also functioning.

       Once mod_apparmor is loaded within Apache, all requests to Apache will cause mod_apparmor to attempt to change into a hat named by the URI
       (e.g. /app/some.cgi). If no such hat is found, it will fall back to attempting to use the hat DEFAULT_URI; if that also does not exist, it
       will fall back to using the global Apache profile. Most static web pages can simply make use of the DEFAULT_URI hat.

       Additionally, before any requests come in to Apache, mod_apparmor will attempt to change hat into the HANDLING_UNTRUSTED_INPUT hat.
       mod_apparmor will attempt to use this hat while Apache is doing the initial parsing of a given http request, before its given to a specific
       handler (like mod_php) for processing.

       Because defining hats for every URI/URL often becomes tedious, mod_apparmor provides the AAHatName and AADefaultHatName Apache
       configuration options.

       AAHatName
	   AAHatName allows you to specify a hat to be used for a given Apache <Directory>, <DirectoryMatch>, <Location> or <LocationMatch>
	   directive (see the Apache documenation for more details). Note that mod_apparmor behavior can become confused if <Directory*> and
	   <Location*> directives are intermingled and it is recommended to use one type of directive. If the hat specified by AAHatName does not
	   exist in the Apache profile, then it falls back to the behavior described above.

       AADefaultHatName
	   AADefaultHatName allows you to specify a default hat to be used for virtual hosts and other Apache server directives, so that you can
	   have different defaults for different virtual hosts. This can be overridden by the AAHatName directive and is checked for only if there
	   isn't a matching AAHatName or hat named by the URI. If the AADefaultHatName hat does not exist, it falls back to the DEFAULT_URI hat if
	   it exists (as described above).

URI REQUEST SUMMARY

       When profiling with mod_apparmor, it is helpful to keep the following order of operations in mind:

       On each URI request, mod_apparmor will first aa_change_hat(2) into ^HANDLING_UNTRUSTED_INPUT, if it exists.

       Then, after performing the initial parsing of the request, mod_apparmor will:

	 1. try to aa_change_hat(2) into a matching AAHatName hat if it exists and applies, otherwise it will

	 2. try to aa_change_hat(2) into the URI itself, otherwise it will

	 3. try to aa_change_hat(2) into an AADefaultHatName hat if it has been defined for the server/vhost, otherwise it will

	 4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists, otherwise it will

	 5. fall back to the global Apache policy

BUGS

       mod_apparmor() currently only supports apache2, and has only been tested with the prefork MPM configuration -- threaded configurations of
       Apache may not work correctly.

       There are likely other bugs lurking about; if you find any, please report them at <http://https://bugs.launchpad.net/apparmor/+filebug>.

SEE ALSO

       apparmor(7), subdomain.conf(5), apparmor_parser(8), aa_change_hat(2) and <http://wiki.apparmor.net>.

AppArmor 2.7.103						    2012-06-28							   MOD_APPARMOR(8)