Wednesday, May 19, 2010

apache2 black magic

Apache2 is like most open source projects: it started with a nice, clean code base that got hacked into spaghetti by well-intentioned "upgraders" and "fixes".
The apache2 manuals reflect its insanity.
Here is what I think it is really doing (after hacking with allow/deny for a while).
File loading precedence appears to be:
apache2.conf
mods-enabled directory (not certain; it could be after conf.d, but I suspect it's before)
conf.d files
global DocumentRoot .htaccess
virtual hosts and their .htaccess
It appears that each DocumentRoot is searched for .htaccess files to be loaded when the vhost block is closed.

NOTE: .htaccess files are NOT loaded 100%. Their parsing is crippled to what the AllowOverride directive permits; non-allowed lines in the .htaccess files are basically ignored!
Directive operating precedence (from weakest to strongest):
Directory
File
Location

So the full loading order on a per-file/directive basis becomes:
Directory (conf)
Directory (.htaccess from default docroot)
Directory (vhost)
Directory (.htaccess)
File      (conf)
File      (.htaccess from default docroot)
File      (vhost)
File      (.htaccess)
Location  (conf)
Location  (.htaccess from default docroot)
Location  (vhost)
Location  (.htaccess)

This means that to generically block all accesses to a test server (with test versions of web sites) you need to use the weakest, most overridable type. So in the conf.d area add a "block_all" file with these contents:

<Directory />
  Order deny,allow
  Deny from all
  Allow from <IP_OR_RANGE>
</Directory>
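To see why the post picks the weakest section type, and why the AllowOverride note matters, here is a toy model of how Apache 2.2 merges Order/Allow/Deny across Directory, Files and Location sections. This is an added example written for this page, not Apache code and not the post's own; it assumes the merge order the post lists (Directory, then Files, then Location, with a .htaccess applied after the directory that contains it) and that, as in mod_authz_host, the most specific matching section replaces the earlier access rules outright rather than merging with them. The scenario data (the block_all rules, a test site's shipped .htaccess, a vhost status Location and the client addresses) is constructed.

```python
"""Toy model of Apache 2.2 access-control merging (added example, not the
post's own code).  Assumed simplifications: sections merge in the order the
post lists (Directory, then Files, then Location, .htaccess after its
directory) and the last matching section replaces the earlier rules."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import os


@dataclass
class Access:
    order: str = "deny,allow"          # Apache's default Order
    deny: list = field(default_factory=list)
    allow: list = field(default_factory=list)


@dataclass
class Section:
    kind: str     # "Directory", "Files" or "Location"
    match: str    # directory prefix, file name, or URL prefix
    source: str   # "conf", "vhost" or "htaccess"
    access: Access


def host_matches(spec, ip):
    """'all' or a CIDR/single address, as accepted by 'Allow/Deny from'."""
    return spec == "all" or ip in ip_network(spec, strict=False)


def section_matches(sec, fs_path, url):
    if sec.kind == "Directory":
        return fs_path.startswith(sec.match.rstrip("/") + "/")
    if sec.kind == "Files":
        return os.path.basename(fs_path) == sec.match
    if sec.kind == "Location":
        return url == sec.match or url.startswith(sec.match.rstrip("/") + "/")
    raise ValueError(sec.kind)


def effective_access(sections, fs_path, url, allow_override_limit):
    """Walk the sections in merge order; the last matching section wins."""
    result = Access()                  # nothing configured: everything allowed
    for kind in ("Directory", "Files", "Location"):
        matching = [s for s in sections
                    if s.kind == kind and section_matches(s, fs_path, url)]
        if kind == "Directory":        # shortest path first, .htaccess after its dir
            matching.sort(key=lambda s: (len(s.match), s.source == "htaccess"))
        for sec in matching:
            if sec.source == "htaccess" and not allow_override_limit:
                continue               # AllowOverride lacks Limit: lines are ignored
            result = sec.access        # replace, do not merge
    return result


def is_allowed(access, client_ip):
    ip = ip_address(client_ip)
    allowed = any(host_matches(a, ip) for a in access.allow)
    denied = any(host_matches(d, ip) for d in access.deny)
    if access.order == "deny,allow":   # default permit; a matching Allow beats Deny
        return allowed or not denied
    if access.order == "allow,deny":   # default reject; needs an Allow and no Deny
        return allowed and not denied
    raise ValueError(access.order)


# Constructed scenario: the post's conf.d/block_all rules, a test site's
# shipped .htaccess that opens it up, and a vhost <Location> for a status page.
SECTIONS = [
    Section("Directory", "/", "conf",
            Access("deny,allow", deny=["all"], allow=["192.0.2.0/24"])),
    Section("Directory", "/var/www/test", "htaccess",
            Access("allow,deny", allow=["all"])),
    Section("Location", "/status", "vhost",
            Access("deny,allow", allow=["all"])),
]


def decide(client_ip, fs_path, url, allow_override_limit):
    """True if the client may fetch the resource under this configuration."""
    access = effective_access(SECTIONS, fs_path, url, allow_override_limit)
    return is_allowed(access, client_ip)


if __name__ == "__main__":
    for override in (False, True):
        for ip in ("192.0.2.10", "198.51.100.7"):
            verdict = decide(ip, "/var/www/test/index.html", "/index.html", override)
            print(f"AllowOverride Limit={override} client={ip}: allowed={verdict}")
```

With AllowOverride not including Limit, only the block_all rules apply and the outside address 198.51.100.7 is refused while 192.0.2.10 gets through. Turn Limit on and the test site's own "Allow from all" .htaccess replaces the global Directory rules, so the outside address is suddenly allowed; the vhost Location for /status does the same regardless of AllowOverride, because Location merges last. That is the check to make after dropping in block_all: grep the docroots for .htaccess files and the vhosts for Location blocks that carry their own Order/Allow/Deny.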
