Reputation: 195
I am working with Apache .conf files on Fedora 30.
In /etc/httpd/conf/httpd.conf, there is:
<Directory />
AllowOverride none
Require all denied
</Directory>
There is also:
DocumentRoot "/var/www/html"
That means that "localhost" starts from this "/var/www/html" repertory.
Question 1: What is the use of "Require all denied" for Directory "/" whereas DocumentRoot is at a lower level (so the server will not serve any files in higher level repertories)?
At the end of httpd.conf, there is:
IncludeOptional conf.d/*.conf
So I create a personal.conf in "/etc/httpd/conf.d"; inside I set:
<Directory "/var/www">
AllowOverride None
Require all denied
</Directory>
I restart Apache (systemctl restart httpd.service) but the localhost/index.html (aka "DocumentRoot"/index.html or "/var/www/html"/index.html) is still available.
It acts as if this directive in httpd.conf took priority:
<Directory "/var/www/html">
Require all granted
</Directory>
Question 2: So what is the use of "Require all denied" on a higher level repository?
Thank you for your help :)
Upvotes: 0
Views: 608
Reputation: 195
Thank you for your answer.
Now for question 2; let's imagine a house: outdoor [door 1] hall [door 2] corridor [door 3] living-room.
In /etc/httpd/conf/httpd.conf, I close the front door [door 1] of the house:
<Directory />
AllowOverride none
Require all denied
</Directory>
I open the door between the hall and the corridor [door 2]:
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
I open the door between the corridor and the living-room [door 3]:
<Directory "/var/www/html">
AllowOverride None
Require all granted
</Directory>
Then in a personal.conf file in "/etc/httpd/conf.d" I close the door between the hall and the corridor [door 2]:
<Directory "/var/www">
AllowOverride None
Require all denied
</Directory>
Why is the living-room still accessible (localhost/index.html or /var/www/html/index.html is accessible) whereas [door 2] is closed?
I need to be explicit:
<Directory "/var/www/html">
AllowOverride None
Require all denied
</Directory>
in personal.conf to get the "Forbidden You don't have permission to access this resource." message...
Thanks again.
Upvotes: 0
Reputation: 4698
Question 1: What is the use of "Require all denied" for Directory "/" whereas DocumentRoot is at a lower level (so the server will not serve any files in higher level repertories)?
Question 2: So what is the use of "Require all denied" on a higher level repository?
The server could easily serve files below the document root if the Require all denied wasn't there; you only need a small misconfiguration in your server. Imagine for example an Alias like
Alias /etc /etc
which would allow you to read the password file from http://localhost/etc/passwd or other sensitive stuff. With the default configuration you would need an explicit override like
<Directory /etc>
Require all granted
</Directory>
to do this.
The directive
<Directory />
AllowOverride none
Require all denied
</Directory>
is used to prevent any access below your /var/www/html directory as a security mechanism ("be as restrictive as possible").
Upvotes: 1
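The Directory sections from this thread, run through a simplified model of httpd's merge order: plain <Directory> sections are applied from shortest path to longest, and with the default AuthMerging Off the Require of the most specific matching section replaces what broader sections decided. This is an added Python example, not code from the posts or from Apache; effective_rule and SECTIONS are hypothetical names, and the model assumes no regex or wildcard sections, no .htaccess, and no <Files> or <Location> sections.

```python
# Simplified model of how Apache httpd merges plain <Directory> sections.
# Assumptions: no regex/wildcard sections, no .htaccess (AllowOverride None),
# only "Require all granted|denied", default AuthMerging Off (the most
# specific matching section replaces what broader sections decided).
from pathlib import PurePosixPath

# (directory, rule) in the order httpd reads them: httpd.conf first,
# then conf.d/personal.conf via IncludeOptional. Values taken from the thread.
SECTIONS = [
    ("/", "denied"),                # httpd.conf
    ("/var/www", "granted"),        # httpd.conf
    ("/var/www/html", "granted"),   # httpd.conf
    ("/var/www", "denied"),         # conf.d/personal.conf
]


def effective_rule(file_path, sections):
    """Return (rule, deciding_directory) for a filesystem path."""
    target = PurePosixPath(file_path)
    matching = []
    for order, (directory, rule) in enumerate(sections):
        d = PurePosixPath(directory)
        if d == target or d in target.parents:
            # Sort key: path depth first (shortest to longest), then the
            # order in which the section appeared in the configuration.
            matching.append((len(d.parts), order, directory, rule))
    if not matching:
        return None, None            # no <Directory> section covers the path
    matching.sort()
    _, _, directory, rule = matching[-1]   # the last section merged wins
    return rule, directory


if __name__ == "__main__":
    for path in ("/var/www/html/index.html", "/var/www/notes.txt", "/etc/passwd"):
        rule, by = effective_rule(path, SECTIONS)
        print(f"{path}: Require all {rule} (decided by <Directory {by}>)")
```

In this model the /var/www denial in personal.conf only affects paths that no deeper section covers, and /etc/passwd is refused solely because of <Directory />.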