osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: imitExcept inside a Location overrules another Location restriction


This is not a mailing list for reporting bugs, it's the mailing list used by bugzilla.
Avoid Limit/LimitExcept in 2.4.  In the config below, if the Location / comes second,
it means the authorization config replaces the one defined in server-info, not merged with it, and GET is no longer limited.


On Fri, Nov 2, 2018 at 8:28 AM Lothar Belle <lothar.webmin@xxxxxxxxx> wrote:
We want to Allow only specific Methods i.e. HEAD POST GET.
so we are using.
<Location />
    <LimitExcept HEAD POST GET>
        Require all denied
    </LimitExcept>
</Location>
Location is required, because we use mod_proxy, so no directory access is performed.
Strangely it overrules a previous defined.
<Location /server-info>
    SetHandler server-info
    Require local
</Location>
So as a result server-info is accessible from everywhere.
According to my understanding, and documentation this behavior is not correct.
https://httpd.apache.org/docs/2.4/en/mod/core.html#limitexcept:
<LimitExcept> and </LimitExcept> are used to enclose a group of access control directives which will then apply to any HTTP access method not listed in the arguments

Thanks a lot!
Regards,
Lothar





--
Eric Covener
covener@xxxxxxxxx