I have two domains johny.com and alice.com and one webserver (apache) managing them. Web files are in /var/www/johny.com and /var/www/alice.com and are configured as two virtual hosts with proper ServerName and DocumentRoot. Now Alice wants to protect one of her files on the web from anyone seeing. She introduces a .htaccess file with the following content

<Files "private.txt">
  Require all denied
</Files>

and also adds the following to the Apache config for her virtual host

<Directory /var/www/alice.com>
   Options Indexes FollowSymLinks
   AllowOverride All
</Directory>

And nobody has access to alice.com/private.txt. So far so good.

Now John decides to provide an alias for Alice's web by altering his vhost apache configuration with

Alias "/alice" "/var/www/alice.com"

and anyone can see Alice's web page on john.com/alice. But anyone can also see the content of Alice's private file.

alice.com/private.txt gives 403 Forbidden.
john.com/alice/private.txt shows the content of the file.

What is going on here? Does AllowOverride not propagate through the Alias directive? How should we fix that? Apache version is Apache/2.4.38 (Debian). Also, putting gibberish into the .htaccess file gives 500 Internal Server Error only on alice.com, not on john.com/alice, so it seems like the .htaccess is not considered over an alias at all.

Zereges

1 Answer

The problem is a missing AllowOverride All directive for the /var/www/alice.com directory.

Specifically, the problem is here: (emphasis mine)

and also adds the following to the Apache config for her virtual host

Since you defined those directory permissions inside Alice's virtual host block, they don't apply to john.com/alice because the directory is not being accessed through the context of the <VirtualHost> block corresponding to Alice. As far as the server is concerned, the alias is legally accessing some directory in the filesystem. It just so happens that it's the same directory as the root of a different virtual host.

From the documentation:

Sections inside <VirtualHost> sections are applied after the corresponding sections outside the virtual host definition. This allows virtual hosts to override the main server configuration.

As it pertains to your particular case, however, it's important to note that this will only actually happen if the VirtualHost context corresponding to the sections in question is actually invoked, which it isn't here.

There are a couple of ways to fix this problem. The easiest is to simply declare the AllowOverride All directive in the server context (i.e. not within a VirtualHost, .htaccess, or even another Directory block).

<Directory "/var/www/alice.com">
    Options Indexes FollowSymLinks
    Require all granted
    AllowOverride All
</Directory>

Note again that because you are declaring AllowOverride All, you'll be able to modify these settings within the .htaccess file in that directory now, regardless of the VirtualHost context the directory is being accessed from.

If you wanted to get fancy, and you were dead-set on accessing /var/www/alice.com from john.com but within alice.com's virtual host context, you could always configure the john.com/alice uri to be ProxyPass'd to http://alice.com.

<VirtualHost "*:80">
    ...

    <Location "/alice">
        ProxyPreserveHost Off
        ProxyPass http://alice.com/
    </Location>
</VirtualHost>

You'll need to enable mod_proxy and mod_proxy_http for the above, but it'll meet your requirements for this particular use case, although I would be careful about relying on the Location directive for reasons which the documentation does a great job of delineating at length.
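As an added example that is not part of this answer, here is a small Python check for the misconfiguration described above: it parses an httpd config and flags any Alias whose target directory only gets AllowOverride from a <Directory> block inside a different VirtualHost, so the directory's .htaccess is silently ignored when reached through the alias. The parser is deliberately minimal (no Include, no nested sections) and the sample config is constructed, not the asker's real files.

```python
import re
# Constructed sample: AllowOverride sits only inside alice.com's vhost; john.com aliases the same dir.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName alice.com
    <Directory /var/www/alice.com>
        AllowOverride All
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName john.com
    Alias "/alice" "/var/www/alice.com"
</VirtualHost>
"""

def parse(conf):
    """Line-based parse: (server-context {dir: AllowOverride}, [vhost dicts with name/dirs/aliases])."""
    server_dirs, vhosts, vhost, cur_dir = {}, [], None, None
    for line in (raw.strip() for raw in conf.splitlines()):
        scope = vhost["dirs"] if vhost else server_dirs  # where a <Directory> setting belongs
        if re.match(r"<VirtualHost\b", line, re.I):
            vhosts.append(vhost := {"name": "?", "dirs": {}, "aliases": []})
        elif re.match(r"</VirtualHost>", line, re.I):
            vhost = None
        elif (m := re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)):
            cur_dir = m.group(1).rstrip("/")
            scope.setdefault(cur_dir, "None")  # Apache's default AllowOverride is None
        elif re.match(r"</Directory>", line, re.I):
            cur_dir = None
        elif cur_dir and (m := re.match(r"AllowOverride\s+(.+)", line, re.I)):
            scope[cur_dir] = m.group(1).strip()
        elif vhost and (m := re.match(r"ServerName\s+(\S+)", line, re.I)):
            vhost["name"] = m.group(1)
        elif vhost and (m := re.match(r'Alias\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', line, re.I)):
            vhost["aliases"].append((m.group(1), m.group(2).rstrip("/")))
    return server_dirs, vhosts

def covered(path, dirs):
    """True if some <Directory> in dirs with AllowOverride other than None applies to path."""
    return any(path == d or path.startswith(d + "/") for d, ao in dirs.items() if ao.lower() != "none")

def find_unprotected_aliases(conf):
    """Aliases whose target has AllowOverride only in another vhost: its .htaccess is ignored via the alias."""
    findings, (server_dirs, vhosts) = [], parse(conf)
    for vh in vhosts:
        for url, target in vh["aliases"]:
            owners = [o["name"] for o in vhosts if o is not vh and covered(target, o["dirs"])]
            if owners and not (covered(target, server_dirs) or covered(target, vh["dirs"])):
                findings.append((vh["name"], url, target, owners))
    return findings
```

Adding the same <Directory> block with AllowOverride All at server context, as the answer recommends, makes the finding disappear.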