httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Vas Dias <jason.vas.d...@gmail.com>
Subject [users@httpd] denying access to SSI fragments
Date Mon, 13 Sep 2010 15:09:31 GMT
Sorry if this question has been answered somewhere else before,
but searches of your site and google yielded nothing relevant.

How can I deny access to fragments that are included with 
server-side-includes (SSI) , ie. I want to be able to include
a fragment:
   '<!--#include virtual="/include/a_fragment"-->
in an html page, but I don't want users to be able to request
  '/include/a_fragment' .
on its own ?

All my attempts to do this by specifying access control on my
'/include/' directory fail, because the SSI #include request is itself denied, 
even though the request is coming internally from the server,
not from not an external user . 

I've tried specifying the include directory as :
   '<Directory /include/>
     ...
     Deny from all;
   '</Directory>'
and
    '<Directory /include/>
     ...
     Order Deny, Allow;
     Deny from all;
     Allow from 127.0.0.0/8;
   '</Directory>'
but both deny the SSI include requests as well as the external requests.

Why must SSI include requests use the same originating IP details as the request
for the whole page, since they are internal "request"s originating in the server ?

Can anyone suggest a way of denying access to '/include/*' from external users, 
while allowing '/include/*' to be targets of SSI #include requests ?

Thanks in advance for any responses,

Regards,
Jason Vas Dias <jason.vas.dias@gmail.com>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message