Directory require all denied not working

Question

I created a virtual host and tried to forbid access to it by using the directory directive with Require all denied.

<VirtualHost *:80>
    DocumentRoot /var/www/test

    <Directory /var/www/test/>
        Require all denied
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

However, the users have still access to every page. How can i solve this?

Answer 1

The Require must not be combined with the deprecated Order, Allow, Deny directives (since Apache 2.4). Review all the configuration files and replace Order/Allow/Deny with Require, possibly combined using RequireAll, RequireAny, RequireNone.

Note that the configuration is not necesarrily located in the single file holding <VirtualHost>. You need to review all the server configuration files. E.g. on Ubuntu this includes:

• all files in /etc/apache2/sites-enabled
• all files in /etc/apache2/conf-enabled
• depending on AllowOverride setting you may need to review all the .htaccess files for any directories reachable from the web

Answer 2

These directives won't do anything if they're in a VirtualHost not matched by the current request.

Your VirtualHost has no ServerName nor ServerAlias, which is the primary means of having a VirtualHost used for a request.

If you think configuration is being ignored, step is to verify that this VirtualHost is in use. One simply way is to define a unique logfile for the virtual host. Yours does not look unique.

apachectl -S will quickly summarize your virtual hosts.