Date: Fri, 10 Oct 1997 15:52:00 +0000
I originally posted this privately to Mark Bixby. He suggested that
someone on the List may have also experienced this problem and be able
to shed more light on it. The problem is related to defining "allow"
directives in APACHE's "access.conf" runtime configuration. Here's the
problem:
It seems that if I define a list of specific host IP addresses -
each with its own "allow from", everything works OK. However, if I
try to use subnet specifications (either CIDR or a traditional
subnet mask), I get a "forbidden access" message from the server.
The following is a cut/paste of a "server-info" screen. I explicitly
defined my IP address (198.24.20.240) just to get access to do the
"server-info" display. The display would appear to indicate that the
specifications are at least syntactically correct (i.e., it didn't
blow up).
Module Name: mod_access.c
Content-types affected: none
Module Groups: Access Checking
Module Configuration Commands:
order - 'allow,deny', 'deny,allow', or 'mutual-failure'
allow - 'from' followed by hostnames or IP-address wildcards
deny - 'from' followed by hostnames or IP-address wildcards
Current Configuration:
access.conf
<Directory /APACHE/PUB/htdocs>
order deny,allow
deny from all
allow from 198.24.20.240
allow from 198.24.20.32/27
allow from 198.24.20.80/28
allow from 198.24.20.160/27
allow from 198.24.20.192/29
allow from 198.24.20.200
allow from 198.24.20.205
allow from 198.24.20.208/29
allow from 198.24.20.223
allow from 198.24.20.224/27
allow from 198.24.21.128/26
</Directory>
The following excerpt is from another version of the file
/APACHE/PUB/conf/access.conf. Here I tried using the traditional
subnet mask. My IP address (198.24.20.240) should be covered by
"allow from 198.24.20.224/255.255.255.224" (next to last in the
list). I have double checked all the subnets in the list to make
sure they fall on legitimate subnet boundaries for their particular
sized subnet. I was "forbidden" access with this version of the
file and tried a couple of other clients with the same result.
# Controls who can get stuff from this server.
order deny,allow
deny from all
allow from 198.24.20.32/255.255.255.224
allow from 198.24.20.80/255.255.255.240
allow from 198.24.20.160/255.255.255.224
allow from 198.24.20.192/255.255.255.248
allow from 198.24.20.200
allow from 198.24.20.205
allow from 198.24.20.208/255.255.255.248
allow from 198.24.20.223
allow from 198.24.20.224/255.255.255.224
allow from 198.24.21.128/255.255.255.192
</Directory>
The above directive list translates to approximately 3.5 pages of
explicitly defined IP addresses and I have 16 additional Class C subnets
of various sizes yet to define. BTW - (The reason I'm performing this
fairly painful operation) - This is an INTRAnet implementation in a
public library environment and each of the subnets has a number of
PUBLIC devices in the mix. I need to DENY access from the world and
ALLOW access only from staff devices.
Does anyone see an obvious problem with the way I have set this up or
any other ideas on why it may not be working?
Thanks for any assistance.
Steve Barrett
ps - John, I apologize in advance for being long-winded.
============================================================
= Steven P. Barrett [log in to unmask] =
= Systems Analyst =
= Fairfax County Public Library (703) 222-3132 - Voice =
= Technical Operations Center (703) 222-3135 - FAX =
= 4000 Stringfellow Rd. =
= Chantilly, VA 20151 =
= =
= --- The opinions expressed here are mine alone . --- =
============================================================
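As an added illustration (not part of the post and not the author's configuration), the following Python checks the two access lists above the way a defender would before blaming the server: it verifies that every CIDR and netmask-form rule starts on a legitimate subnet boundary, and it evaluates which rules cover a given client, emulating "order deny,allow" with "deny from all". The rule lists are copied from the post; the client addresses other than 198.24.20.240 are constructed test values.

```python
import ipaddress

# CIDR-form list from the first access.conf excerpt in the post.
CIDR_RULES = [
    "198.24.20.240", "198.24.20.32/27", "198.24.20.80/28",
    "198.24.20.160/27", "198.24.20.192/29", "198.24.20.200",
    "198.24.20.205", "198.24.20.208/29", "198.24.20.223",
    "198.24.20.224/27", "198.24.21.128/26",
]

# Netmask-form list from the second excerpt (the explicit .240 host is absent).
NETMASK_RULES = [
    "198.24.20.32/255.255.255.224", "198.24.20.80/255.255.255.240",
    "198.24.20.160/255.255.255.224", "198.24.20.192/255.255.255.248",
    "198.24.20.200", "198.24.20.205", "198.24.20.208/255.255.255.248",
    "198.24.20.223", "198.24.20.224/255.255.255.224",
    "198.24.21.128/255.255.255.192",
]


def parse_rule(rule):
    """Parse an 'allow from' argument in single-host, CIDR or netmask form.
    strict=True raises ValueError when host bits are set, i.e. when the
    address is not on a boundary for that subnet size."""
    return ipaddress.ip_network(rule, strict=True)


def check_boundaries(rules):
    """Return the rules that are syntactically bad or not mask-aligned."""
    bad = []
    for rule in rules:
        try:
            parse_rule(rule)
        except ValueError:
            bad.append(rule)
    return bad


def matching_rules(client_ip, rules):
    """All allow rules whose network contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return [r for r in rules if ip in parse_rule(r)]


def is_allowed(client_ip, rules):
    """'order deny,allow' + 'deny from all': everything is denied first, then
    any matching allow overrides, so the client gets in iff a rule matches."""
    return bool(matching_rules(client_ip, rules))


if __name__ == "__main__":
    print("misaligned CIDR rules:", check_boundaries(CIDR_RULES))
    print("misaligned netmask rules:", check_boundaries(NETMASK_RULES))
    for ip in ("198.24.20.240", "198.24.20.100"):  # .100 is a constructed outsider
        print(ip, matching_rules(ip, NETMASK_RULES), is_allowed(ip, NETMASK_RULES))
```

If both lists come back with no misaligned rules and 198.24.20.240 matches the /27 at .224, the rules themselves are sound, which points the investigation at whether the server build in use actually understands CIDR and netmask arguments rather than at the configuration.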