I have a website structure set up as follows, which I am trying to organize access levels for each but without specifying
as that requires the structure to be fixed (aka, if I copy this to a different site, into a subfolder, it would require editing of all .htaccess to the new location).
- /app/ - allow all, deny config/etc
- /app/templates/ - deny all
- /app/templates/mytheme/ - allow all for images, javascript, css, fonts only
- /app/lib/ - deny all
I have tried implementing Apache 2.4's new(ish) directive scheme:
/etc/apache2/conf-enabled/security.conf
... more stuff above ...
AllowOverride All
Require all denied
... more stuff below ...
And adding Require all allowed to .htaccess in the root of the application, while adding Require all denied to .htaccess in the folders I wish to deny access to.
The problem is Require all denied seems to do absolutely nothing. I have seen reference to using the mod_auth_compat or whichever library, but it appears to only be required for older versions of Apache (v2.3).
I am using Apache 2.4 on Debian 8.
Previously, I would supply:
Order Allow,Deny
Deny from all
And then drop the following in folders which require access:
Allow from all
.. and where I need to allow only specific file type access,
Allow from all
According to Apache's documentation, unexpected results may arise from mixing old and new declarations, and as such, I am only using new declarations. There are no stray .htaccess files or *.conf files loaded using the old declaration format for permissions - so this should work?
Given the folder structure I laid out, and what is loaded in '/etc/apache2/conf-enabled/security.conf' (as that is where the "root" declaration is for AllowOverride [it doesn't seem to function when specifying AllowOverride All inside the same format of declaration in the website's conf (000-default.conf)]), could someone give some guidance or preferably a working solution to this problem?
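The folder layout from the question, written as relocatable Apache 2.4 .htaccess files. This is an added example, not part of the original post; it uses Require all granted, the 2.4 keyword for unconditional access. The /var/www/ path and both extension lists are assumptions.

```apache
# Added example: constructed for the layout listed in the question.

# --- server config; /var/www/ is an assumed parent of the document root ---
<Directory /var/www/>
    # Require is only honoured in .htaccess when AuthConfig overrides are allowed
    AllowOverride AuthConfig
    # Default-deny; each application opts in from its own .htaccess
    Require all denied
</Directory>

# --- app/.htaccess: open the application, keep config files private ---
Require all granted
# Extension list is an assumption standing in for "config/etc"
<FilesMatch "\.(?:ini|conf|ya?ml|env)$">
    Require all denied
</FilesMatch>

# --- app/templates/.htaccess and app/lib/.htaccess: nothing served directly ---
Require all denied

# --- app/templates/mytheme/.htaccess: static assets only ---
# The directory stays denied; FilesMatch is merged after the directory-level
# rule, so only matching file names are granted.
Require all denied
<FilesMatch "\.(?:css|js|png|jpe?g|gif|svg|ico|woff2?|ttf|eot)$">
    Require all granted
</FilesMatch>
```

No file contains an absolute path, so the tree can be copied into a subfolder of another site unchanged. A 500 response after adding the files usually means AllowOverride does not permit a directive or a directive is misspelled; the error log names it.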