.htaccess security



As I was playing around with a new web app that I'm working
on, I realised that I did not want web clients to be able to
view my config files. This led me into some Apache security
issues, which have made my web server a much safer thing.

However, I have a little problem.

What I want to do in my httpd.conf is:

<Files ~ ".+">
  Order Deny,Allow
  Deny from all
</Files>

And then in aru .htaccess, allow only certain things:

<Files ~ "\.(p?html|gif|jpe?g)">
  Order Deny,Allow
  Allow from all
</Files>

OK, this works well, all except for one little thing. When
requesting "[<dir>]/", Apache denies access. Damn.
Apparently the <Files> directive is evaluated before the
DirectoryIndex option (which is in httpd.conf).

I like my deny by default policy, but I want / to work
properly. Does anyone know how I can make this work? I
RTFM'd the Apache docs pretty well, but I may have missed
something.

Onegaishimasu! ;)


---------------------------------------------------
"No segfault, no problem."

Josh Glover
jmglov@example.com
---------------------------------------------------
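
An added example, not part of the original post: a Python check of which file names the allowlist regex from the post would let through. It assumes `<Files ~ "...">` patterns are searched unanchored against the file's base name, models the policy simply as "served only if the .htaccess pattern matches", uses constructed file names, and compares against an anchored variant ending in `$` that does not appear in the post.

```python
import re

# Pattern copied from the .htaccess block in the post.
ALLOW_POSTED = r"\.(p?html|gif|jpe?g)"
# Assumption: anchored variant added here for comparison; not in the post.
ALLOW_ANCHORED = r"\.(p?html|gif|jpe?g)$"

# Extensions the allowlist is evidently meant to cover.
INTENDED_EXTS = (".html", ".phtml", ".gif", ".jpg", ".jpeg")

# Constructed sample of base names that might sit in a web directory.
SAMPLE_NAMES = [
    "index.html", "page.phtml", "logo.gif", "photo.jpeg", "photo.jpg",
    "config.inc", ".htaccess", "report.shtml",
    "index.html.bak", "db.html~", "notes.gif.old", "settings.jpg.php",
]


def served(basename, allow_pattern):
    """Deny-by-default model: a name is served only if the allowlist regex
    matches somewhere in it (re.search = unanchored match)."""
    return re.search(allow_pattern, basename) is not None


def unintended_matches(names, allow_pattern, intended_exts=INTENDED_EXTS):
    """Names the allowlist would serve although they do not end in one of
    the intended extensions (backups, editor leftovers, double extensions)."""
    return [
        name for name in names
        if served(name, allow_pattern) and not name.lower().endswith(intended_exts)
    ]


def report(names, allow_pattern):
    """Return (served, denied) lists for a quick audit of a directory listing."""
    ok = [n for n in names if served(n, allow_pattern)]
    denied = [n for n in names if not served(n, allow_pattern)]
    return ok, denied


if __name__ == "__main__":
    for label, pattern in (("posted", ALLOW_POSTED), ("anchored", ALLOW_ANCHORED)):
        ok, denied = report(SAMPLE_NAMES, pattern)
        print(f"[{label}] served:     {ok}")
        print(f"[{label}] denied:     {denied}")
        print(f"[{label}] unintended: {unintended_matches(SAMPLE_NAMES, pattern)}")
```
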

