I'm trying to protect a few sitemap files from public access. The only ones that are allowed to have access are IP ranges from our lovely Google crawlers.

For example - the Apache module mod_authz_host.c did the job well. Until now....

```apache
<FilesMatch "(sitemap\.xml|sitemap_index\.xml|page-sitemap\.xml)$">
    Require ip 1.2.3.4
    Require ip 1.2.3.0/16
</FilesMatch>
```

It hasn't worked so far.

Where has the error crept in here?

  • What's not working with this code? – anubhava Oct 27 '22 at 13:42
  • As I can see I have no error in my code. But the Apache isn't executing the code for multiple files. Only if I set it for one file. Example – Legion Oct 27 '22 at 13:44
  • Checking about the module: `httpd -M|grep authz_host` The result is: `authz_host_module (shared)` .... It's active - just to be sure... – Legion Oct 27 '22 at 13:46
  • " Only if I set it for one file. Example ``" - That doesn't make any sense. Please confirm the Apache version you are using and what other directives you have in your `.htaccess` file. Do you have any other `.htaccess` files? – MrWhite Oct 27 '22 at 16:49

1 Answer

Updating my answer (thanks for the constructive comments from @MrWhite and @Boppy - I really appreciate it):

Using Apache 2.2 and Apache 2.4 auth directives on the same server can cause problems and/or errors. Only use the code that applies to the version of Apache to avoid conflicts.

  • Apache 2.2 uses the `authz_host_module` to control access with directives like `Deny`, `Allow`, and `Order`.
  • Apache 2.4 also uses the `authz_host_module` for access control, but also uses the `authz_core_module` that provides the new/+10 years old `Require` directive.

For example, if I want to deny all access:

Apache version 2.2

```apache
Order deny,allow
Deny from all
```

Apache version 2.4:

```apache
Require all denied
```

About the usage of <IfModule>

If I don't know the version of Apache I'm using, I can use code with conditional statements that will detect the correct version of the web server and apply the correct rule accordingly.

```apache
# Apache 2.2

<IfModule !authz_core_module>
<FilesMatch "\.(md|exe|sh|bak|inc|log|sql)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
</IfModule>

<IfModule !authz_core_module>
<FilesMatch "(sitemap\.xml|sitemap_index\.xml|page-sitemap\.xml)$">
    Order Deny,Allow
    Deny from all
    Allow from 1.2.3.4
    Allow from 1.2.3.0/16
</FilesMatch>
</IfModule>


# Apache 2.4

<IfModule authz_core_module>
<FilesMatch "\.(md|exe|sh|bak|inc|log|sql)$">
    Require all denied
</FilesMatch>
</IfModule>

<IfModule authz_core_module>
<FilesMatch "(sitemap\.xml|sitemap_index\.xml|page-sitemap\.xml)$">
    # RequireAny: a client matching either rule is allowed
    # (RequireAll would require the client to match both rules)
    <RequireAny>
        Require ip 1.2.3.4
        Require ip 1.2.3.0/16
    </RequireAny>
</FilesMatch>
</IfModule>
```
  • Please consider to stop using `Order Deny,Allow`. Since Apache 2.4 (yes, it's only been 10 years) there is a totally new auth mechanism. See bottom of post https://stackoverflow.com/a/10078317/1985204 for details and links. Apache's migration guide might also help: https://httpd.apache.org/docs/2.4/upgrading.html – boppy Oct 27 '22 at 14:34
  • Thank you for the important information with the links. Very interesting! I will go diving deeper into it. – Legion Oct 27 '22 at 14:53
  • Is this supposed to be an answer to your question? Wrapping those directives in an `` container will not make any difference - are you saying that is your solution?! (The `` container is entirely superfluous here.) The two `` containers you have posted do not overlap, however, the Apache 2.2 auth directives will otherwise _override_ the Apache 2.4 auth directives and cause a conflict. You should never mix old and new auth directives since they can cause unexpected conflicts (as [stated in the docs](https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html)). – MrWhite Oct 27 '22 at 16:45
  • Hello Mr.White, I missed that when writing my answer. Exactly, in my htaccess I use different code, one for Apache 2.2 and one for 2.4. Not the overlap but the overwriting is the problem. Hence my surprise in my answer above. My mistake! I didn't pay attention to the version related code - you're both right. And after reading more information, I realized. Yes, right, there is no need for `` wrappers if I'm only dealing with one Apache version (here - 2.4). Unnecessarily more code and with it - as you said - the unexpected conflicts increase. Later I will adjust my above posting. – Legion Oct 27 '22 at 20:53
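
A simplified Python model of how the two address rules from this page evaluate under Apache 2.2 `Order Deny,Allow`, Apache 2.4 `<RequireAny>` (also the implicit container for bare `Require` lines) and Apache 2.4 `<RequireAll>`. This is an added example, not part of the original posts and not Apache's own code; the function names are hypothetical and the client addresses are constructed sample values.

```python
import ipaddress

# Rule values copied from the FilesMatch blocks on this page.
RULES = ["1.2.3.4", "1.2.3.0/16"]

# Constructed sample clients: exact match, inside the /16 only, two outsiders.
SAMPLE = ["1.2.3.4", "1.2.200.7", "1.3.0.1", "203.0.113.9"]


def _matches(client, rule):
    # strict=False: "1.2.3.0/16" has host bits set, so the prefix length
    # is applied and the rule is treated as the network 1.2.0.0/16.
    network = ipaddress.ip_network(rule, strict=False)
    return ipaddress.ip_address(client) in network


def require_any(client, rules=RULES):
    """2.4 <RequireAny>: one matching rule is enough."""
    return any(_matches(client, r) for r in rules)


def require_all(client, rules=RULES):
    """2.4 <RequireAll>: every rule has to match."""
    return all(_matches(client, r) for r in rules)


def order_deny_allow(client, allow=RULES, deny_all=True):
    """2.2 'Order Deny,Allow': Deny is checked first, a matching Allow
    overrides it, and a request matching neither is permitted."""
    allowed = any(_matches(client, r) for r in allow)
    return allowed or not deny_all


def compare(clients):
    """Verdict of each scheme for each client address."""
    return {
        c: {
            "order_deny_allow": order_deny_allow(c),
            "require_any": require_any(c),
            "require_all": require_all(c),
        }
        for c in clients
    }


if __name__ == "__main__":
    for client, verdict in compare(SAMPLE).items():
        print(f"{client:<12} {verdict}")
```

A client inside the /16 but not equal to 1.2.3.4 passes the 2.2 rules and `<RequireAny>` but is rejected by `<RequireAll>`, so only `<RequireAny>` reproduces the 2.2 behaviour.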