Apache 2.4: Require (e.g. all denied) directive not honored

MartinV

5/7/23, 4:52 PM

I'm running Apache 2.4.41 on Ubuntu 20.04 and am not able to get any Require directives working on my VirtualHost. As a minimum working example, my VHost file:

<VirtualHost *:80>
        ServerName my.domain.com
        DocumentRoot "/var/www/html/admin"

        <Directory /var/www/html/admin>
               Require all denied
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

is intended to block all access but the log shows:

[authz_core:debug] [pid 340724] mod_authz_core.c(735): [client ***.***.***.***:59008] AH01625: authorization result of <RequireAny>: granted (directive limited to other methods)

I can't see any overrides on Require behaviour elsewhere in my Apache configuration tree. For instance, /etc/apache2/apache.conf contains:

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
</Directory>

My modules loaded are:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

apachectl -t and apachectl -S give standard output.

Has anyone any thoughts as to where I should be looking next?

(Reminder: Apache 2.4 not Apache 2.2 so looking to use the current terminology)

0 + 0

virtualhost

apache-2.4

ubuntu-20.04

djdomi

5/7/23, 8:08 PM

Does this answer your question? [How to deny the web access to some files?](https://serverfault.com/questions/22577/how-to-deny-the-web-access-to-some-files) IMHO you seems to missed the ` order `

MartinV

5/7/23, 9:30 PM

Hi, thanks for taking the time to comment. Unfortunately the linked article was for Apache 2.2 not Apache 2.4. The terminology has been deprecated in later versions.

Score:0

Server

MartinV

5/8/23, 1:17 PM

Thanks to everyone who read through my question - I have found a solution and thought I would share it.

I moved my Apache2 tree to one side and reinstalled the relevant packages from repository. The Require suite of directives now worked again so I compared the old and new trees to find differences.

I found an obscure directive containing a Require all command that I had placed in my conf-enabled directory and this turned out to be the cause of the problem.

So, if there are problems with Apache directives, it is worth checking more than just apache2.conf and the vhosts directory - work through the conf and mods directories too!

Cheers

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Apache 2.4: Require (e.g. all denied) directive not honored

TH: Apache 2.4: คำสั่งที่จำเป็น (เช่น ปฏิเสธทั้งหมด) ไม่ได้รับเกียรติ

RO: Apache 2.4: Directiva Solicitare (de exemplu, toate refuzate) nu este onorată

RU: Apache 2.4: директива Require (например, все запрещено) не соблюдается

VI: Apache 2.4: Chỉ thị yêu cầu (ví dụ: tất cả bị từ chối) không được thực hiện

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.