2

I'm trying to block access to everything on a vhost except a single safe-path (and really, everything under it, so /safe-path/item-1, /safe-path/item-2, etc); from reading the docs, it seems that I should be able to do:

<Location />
Order allow,deny
Deny from all
</Location>
<Location /safe-path>
Order allow,deny
Allow from all
</Location>

But this doesn't seem to work; all URLs return a 403. I've tried the other order as well, and it doesn't seem to matter. If there's a "better" solution to the problem I'm trying to solve, I'm open to that as well.

EDIT: After doing some more research, I found Require all denied and Require all granted, which seems to be the 2.4 syntax. However, even setting the blocks to look like this it doesn't seem to work as expected:

<Location "/">
    Require all denied
</Location>
<Location "/safe-path">
    Require all granted
</Location>

I'm getting a 403 on every URL I hit. Even changing the order doesn't seem to make a difference.

Glen Solsberry
  • 1,556
  • 1
    From a similar question, I would set Order Deny, Allow in main location (/) and remove that directive in second location (/safe-path). With allow,deny the deny rule on the main location takes precedence though /safe-path is declared after. Note this is apache 2.2 synthax, that is not the same in apache 2.4. – Chris Feb 03 '21 at 19:28

1 Answers1

1

Not sure why it does not work with Require directive, but you can use instead mod_rewrite to acheive what you want.

In this example, I disable (403 Forbidden) everything except queries that start with /projects (tested with an existing folder that has sub directories):

<Directory /my/document/root/path>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/projects
    RewriteRule .* - [F]
</Directory>

Should work the same in a <Location> block.

Chris
  • 302
  • 4
  • 10