I am working with Apache .conf files on Fedora 30.

In /etc/httpd/conf/httpd.conf, there is:

<Directory />
    AllowOverride none
    Require all denied
</Directory>

There is also:

DocumentRoot "/var/www/html" 

That means that “localhost” starts from this “/var/www/html” directory.

Question 1: What is the use of “Require all denied” for Directory “/” whereas DocumentRoot is at a lower level (so the server will not serve any files in higher-level directories)?

At the end of httpd.conf, there is:

IncludeOptional conf.d/*.conf

So I create a personal.conf in “/etc/httpd/conf.d”; inside I set:

<Directory "/var/www">
    AllowOverride None
    Require all denied
</Directory>

I restart Apache (systemctl restart httpd.service), but localhost/index.html (aka “DocumentRoot”/index.html or “/var/www/html”/index.html) is still available.

It acts as if this directive in httpd.conf took priority:

<Directory "/var/www/html">
    Require all granted
</Directory>

Question 2: So what is the use of “Require all denied” on a higher-level directory?

Thank you for your help 🙂

Answers


  1. Chosen as BEST ANSWER

    Thank you for your answer.

    Now for question 2; let's imagine a house: outdoors [door 1] hall [door 2] corridor [door 3] living room.

    In /etc/httpd/conf/httpd.conf, I close the front door [door 1] of the house

    <Directory />
        AllowOverride none
        Require all denied
    </Directory>
    

    I open the door between the hall and the corridor [door 2]

    <Directory "/var/www">
        AllowOverride None
        # Allow open access:
        Require all granted
    </Directory>
    

    I open the door between the corridor and the living-room [door 3]

    <Directory "/var/www/html">
        AllowOverride None
        Require all granted
    </Directory>
    

    Then in a personal.conf file in "/etc/httpd/conf.d" I close the door between the hall and the corridor [door 2]:

    <Directory "/var/www">
        AllowOverride None
        Require all denied
    </Directory>
    

    Why is the living-room still accessible (localhost/index.html or /var/www/html/index.html is accessible) whereas the [door 2] is closed ?

    I need to be explicit:

    <Directory "/var/www/html">
        AllowOverride None
        Require all denied
    </Directory>
    

    in personal.conf

    To get the "Forbidden You don't have permission to access this resource." message...

    Thanks again.


  2. Question 1: What is the use of "Require all denied" for Directory "/" whereas DocumentRoot is at a lower level (so the server will not serve any files in higher-level directories)?

    Question 2: So what is the use of "Require all denied" on a higher-level directory?

    The server could easily serve files below the document root if the Require all denied wasn’t there; you only need a small misconfiguration in your server. Imagine for example an Alias like

    Alias /etc /etc
    

    which would allow you to read the password file from http://localhost/etc/passwd or other sensitive stuff. With the default configuration you would need an explicit override like

    <Directory /etc>
       Require all granted
    </Directory>
    

    to do this.

    The directive

    <Directory />
        AllowOverride none
        Require all denied
    </Directory>
    

    is used to prevent any access below your /var/www/html directory as a security mechanism ("be as restrictive as possible").
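
    Both of the original poster's observations and the Alias point in this answer follow from two rules in the Apache httpd 2.4 documentation: `<Directory>` sections are merged from the shortest path to the longest, regardless of which file they appear in or the order the files are included (sections for the same path are merged in configuration order), and with the default `AuthMerging Off` the `Require` of a more specific section replaces the enclosing section's `Require` rather than combining with it. So the "closed door 2" in personal.conf is simply overwritten by the deeper `<Directory "/var/www/html">` block in httpd.conf, while an `Alias /etc /etc` only reaches `<Directory />` and is stopped there. The Python below is an added example that models those two rules for the configuration quoted in this thread; it is not Apache's code and not from the original posts. The file name conf.d/personal.conf and the request paths come from the thread; the path /var/www/other/file.txt is constructed to show where the personal.conf deny does take effect.

```python
"""Simplified model of how Apache httpd 2.4 merges <Directory> sections.

Added example for this thread, not Apache's code. It encodes two documented rules:
  * <Directory> sections merge shortest path first, longest last, whatever file
    they live in; sections for the same path merge in configuration order.
  * With the default AuthMerging Off, a more specific section's Require replaces
    the enclosing section's Require rather than combining with it.
The path /var/www/other/file.txt is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass(frozen=True)
class DirectorySection:
    path: str      # the <Directory "..."> filesystem path
    require: str   # "all granted" or "all denied"
    source: str    # config file that declared it (informational only)


@dataclass
class ServerConfig:
    document_root: str
    # Sections in the order httpd reads them: httpd.conf body, then conf.d/*.conf
    sections: list[DirectorySection] = field(default_factory=list)
    # Alias (URL prefix, filesystem prefix) pairs, checked in configuration order
    aliases: list[tuple[str, str]] = field(default_factory=list)

    def map_url(self, url_path: str) -> str:
        """Translate a URL path to a filesystem path: Alias first, else DocumentRoot."""
        for url_prefix, fs_prefix in self.aliases:
            if url_path == url_prefix or url_path.startswith(url_prefix + "/"):
                return fs_prefix + url_path[len(url_prefix):]
        return self.document_root + url_path

    def applicable_sections(self, fs_path: str) -> list[DirectorySection]:
        """Every <Directory> enclosing fs_path, in Apache's merge order."""
        target = PurePosixPath(fs_path)
        hits = [s for s in self.sections
                if PurePosixPath(s.path) == target or PurePosixPath(s.path) in target.parents]
        # sorted() is stable: shortest path first, equal depth keeps include order.
        return sorted(hits, key=lambda s: len(PurePosixPath(s.path).parts))

    def effective_require(self, fs_path: str) -> DirectorySection | None:
        """The section whose Require wins: the last one merged (AuthMerging Off)."""
        merged = self.applicable_sections(fs_path)
        return merged[-1] if merged else None

    def status(self, url_path: str) -> int:
        """HTTP status the authorization phase yields (file existence is ignored)."""
        winner = self.effective_require(self.map_url(url_path))
        # With no Require in scope at all, mod_authz_core lets the request through.
        if winner is None or winner.require == "all granted":
            return 200
        return 403


def fedora_httpd_conf() -> ServerConfig:
    """The three <Directory> blocks quoted from Fedora's httpd.conf in the thread."""
    return ServerConfig(
        document_root="/var/www/html",
        sections=[
            DirectorySection("/", "all denied", "httpd.conf"),
            DirectorySection("/var/www", "all granted", "httpd.conf"),
            DirectorySection("/var/www/html", "all granted", "httpd.conf"),
        ],
    )


def with_personal_conf(deny_path: str) -> ServerConfig:
    """httpd.conf plus a conf.d/personal.conf (included last) denying deny_path."""
    cfg = fedora_httpd_conf()
    cfg.sections.append(DirectorySection(deny_path, "all denied", "conf.d/personal.conf"))
    return cfg


def with_alias_etc(root_require: str) -> ServerConfig:
    """httpd.conf with the answer's 'Alias /etc /etc' mistake and <Directory />
    set to root_require: "all denied" as shipped, or "all granted" to see the leak."""
    cfg = fedora_httpd_conf()
    cfg.sections[0] = DirectorySection("/", root_require, "httpd.conf")
    cfg.aliases.append(("/etc", "/etc"))
    return cfg


if __name__ == "__main__":
    # Question 2: denying /var/www in personal.conf does not close /var/www/html,
    # because the deeper <Directory "/var/www/html"> is merged after it and wins.
    cfg = with_personal_conf("/var/www")
    for s in cfg.applicable_sections("/var/www/html/index.html"):
        print(f"{s.source:22} <Directory {s.path}> Require {s.require}")
    print("GET /index.html ->", cfg.status("/index.html"))                     # 200
    # The same deny does win for a file that sits directly under /var/www.
    print(cfg.effective_require("/var/www/other/file.txt").source)              # conf.d/personal.conf
    # Denying the exact directory is what produces the Forbidden page.
    print("GET /index.html ->", with_personal_conf("/var/www/html").status("/index.html"))  # 403
    # Question 1: the root deny is what stops a stray Alias from exposing /etc/passwd.
    print("Alias, root denied  ->", with_alias_etc("all denied").status("/etc/passwd"))    # 403
    print("Alias, root granted ->", with_alias_etc("all granted").status("/etc/passwd"))   # 200
```

    On the real server, `httpd -t` checks the syntax after editing conf.d, and `curl -sI http://localhost/index.html` shows whether the merged result is 200 or 403. If you want a parent section's deny to keep applying to deeper sections instead of being replaced, the documented knob is `AuthMerging And` inside the more specific `<Directory>`; the model above deliberately only covers the default `AuthMerging Off`.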
