Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Match / Deny access to all subdirectories using apache2 server configuration

How can one deny access to all subdirectories of a given directory? (While allowing to manually modify the access rights for single items in the directory tree.)

I tried to do it with the <Directory(Match)> directives. The server configuration (000-sites-enabled) looks like this:

DocumentRoot /var/www
<Directory /var/www>
    Allow from all
    Deny from none
    Order deny,allow
</Directory>
<Directory /var/www/*>
    Deny from all
</Directory>

A query to http://localhost/ successfully displays /var/www/index.html and all queries to any subdirectories fail.

The problem is: any query to a file in the httproot fails - i.e. requesting http://localhost/index.html will result into 403 Forbidden.

The <Directory(Match)> directives seem to actually match directories AND files!?

To see if this is true, i tried:

<Directory /var/www/i*>
    Deny from all
</Directory>

This denies access only to files/directories starting with 'i'.

Is there a way to alter this behaviour and let <Directory> match only directories? Is there another way to accomplish that all the subdirectories are denied? (besides denying all of them manually or enabling all files manually)

like image 456
coldfix Avatar asked Mar 09 '11 21:03

coldfix


3 Answers

in the end, the solution turns out to be pretty simple:

<Directory /var/www/*/>
    Allow from None
    Order allow,deny
</Directory>

Note the trailing slash / after the directory pattern, which will make it match only directories, not files!

This works exactly like we would expect from the <Directory>-directive - in that it denies access only to the direct subdirectories of /var/www/. Specified subdirectories (anywhere in the tree) can still manually be re-enabled with <Directory> directives.

This is in contrast to <DirectoryMatch> which will
- also match all files & directories in the tree and
- override all <Files> or <Directory> directives for any item in the tree.

like image 132
coldfix Avatar answered Oct 14 '22 07:10

coldfix


This did it for me.

<DirectoryMatch "^/var/www/(.+)/"> # don't put $ at the end
Order Allow,Deny
Deny From All
</DirectoryMatch>


EDIT

For not denying sub-subdirectories (comment below), add this DirectoryMatch below the one above in your configuration file:

<DirectoryMatch "^/var/www/(.+?)/(.+)/"> # again no $, see comment
Order Deny,Allow
Allow From All
</DirectoryMatch>
like image 20
dialer Avatar answered Oct 14 '22 06:10

dialer


Use this:

<Directory /var/www/public>
    allow from all
</Directory>


<DirectoryMatch "^/var/www/public/(.+)/">
   deny from all
</DirectoryMatch>

You might want to add Options etc.

The trick is how the directives are merged.

like image 39
Derick Schoonbee Avatar answered Oct 14 '22 06:10

Derick Schoonbee