On Thu, 2008-03-13 at 14:20 +0000, Chris G wrote:
> On Thu, Mar 13, 2008 at 05:59:50AM -0700, Craig White wrote:
> > On Thu, 2008-03-13 at 12:25 +0000, Chris G wrote:
> > > I am running Fedora 8 with Apache 2.2.
> > >
> > > I have a section of my web site which is password protected for
> > > outside (i.e. non LAN) users, this uses the standard sequence as
> > > follows:-
> > >
> > > AuthType Basic
> > > AuthName "ISBD Home Server"
> > > AuthUserFile /etc/httpd/conf/passwd
> > > Require valid-user
> > >
> > > So far so good, it works as intended.
> > >
> > > However I want to further restrict access to a lower sub-directory such
> > > that it isn't accessible to outside users at all. How can I do this?
> > > Allow/Deny directives don't do what I want because they don't affect
> > > the above password authentication. What I want is some directive that
> > > explicitly *removes* password authenticated access from a directory.
> > >
> > > If I add a "Satisfy All" directive to the sub-directory then the
> > > effect is to prevent outside access (which is what I want) but in
> > > addition LAN users have to enter a valid name/password which I don't
> > > want to have to do.
> > >
> > > The best solution I have come up with so far is to add "Require
> > > aNonexistentUser" to the sub-directory, it asks for a name/password
> > > but no valid ones exist. However, as I said, I'd really like to say
> > > "don't try password authentication here at all".
> > ----
> > This probably depends upon what the purpose of this non-accessible
> > subdirectory is.
> >
> > If you don't want apache to access this directory at all, consider that
> > httpd runs as user:group apache:apache and thus if you were to chmod
> > o-x /path/to/this/subdirectory, httpd (apache) would not be able to read
> > the contents, thus it would not be available to anyone via apache. Only
> > root, owner and group members of the ownership of that directory would
> > be able to enter the subdirectory (i.e., would require some login
> > shell).
> >
> Ah, but I *do* want apache to be able to access the directory. It has
> access because there are Allow/Deny directives that let local LAN
> users access the directory. I just want to prevent remote users
> getting access, even with a password.
----
In that case, I think this would be a better answer...

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html

Allow from 192.168.0.0/24

which requires module authz_host_module which should be enabled by
default.

Craig
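
Added example (not part of the original thread, and not Apache's own code): a simplified Python model of how Apache 2.2 combines the host check (Order/Allow/Deny) with the user check (Require) under Satisfy All and Satisfy Any, applied to the configurations discussed above. The user name "chris", the remote address 203.0.113.5, the dictionary layout, and the assumption that the parent directory uses "Satisfy Any" with the LAN in its Allow list are all constructed for illustration.

```python
# Simplified model of Apache 2.2 request authorization (added example).
from ipaddress import ip_address, ip_network

ALL, LAN = "0.0.0.0/0", "192.168.0.0/24"  # LAN is the network in Craig's reply
USERS = {"chris"}  # constructed stand-in for the AuthUserFile contents

def host_ok(client, cfg):
    """mod_authz_host: evaluate Order/Allow/Deny for the client address."""
    addr = ip_address(client)
    allowed = any(addr in ip_network(n) for n in cfg["allow"])
    denied = any(addr in ip_network(n) for n in cfg["deny"])
    if cfg["order"] == "deny,allow":  # default allow; an Allow match beats Deny
        return allowed or not denied
    return allowed and not denied     # allow,deny: default deny; Deny beats Allow

def user_ok(user, require):
    """Require check; user is None when no valid credentials were sent."""
    return user in USERS and require in ("valid-user", user)

def decide(client, user, cfg):
    """Return the status the request ends with: 200, 401 (prompt) or 403."""
    require = cfg.get("require")
    if cfg["satisfy"] == "all":       # host check AND user check
        if not host_ok(client, cfg):
            return 403
        return 200 if not require or user_ok(user, require) else 401
    if host_ok(client, cfg):          # Satisfy Any: host check OR user check
        return 200
    if not require:
        return 403
    return 200 if user_ok(user, require) else 401

BASE = {"order": "deny,allow", "deny": [ALL], "allow": [LAN]}
PARENT = dict(BASE, satisfy="any", require="valid-user")   # assumed parent setup
SUB_ALL = dict(BASE, satisfy="all", require="valid-user")  # "Satisfy All" attempt
SUB_NOUSER = dict(BASE, satisfy="any", require="aNonexistentUser")  # workaround

if __name__ == "__main__":
    for name, cfg in [("parent", PARENT), ("Satisfy All", SUB_ALL),
                      ("no user", SUB_NOUSER)]:
        for client, user in [("192.168.0.10", None), ("203.0.113.5", "chris")]:
            print(f"{name:12} {client:13} user={user!s:6} -> "
                  f"{decide(client, user, cfg)}")
```

In this model the "Require aNonexistentUser" workaround gives the wanted access result (LAN in, remote out), but a remote client ends with 401 and a password prompt rather than a plain 403.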