
I have a Web site that contains several Web applications. Each Web application corresponds to a subdirectory of the document root whose name starts with "Web". (For example, /WebLulzGenerator and /WebInternetHateMachine are Web applications but /MoarHelperz is not.)

I want those Web applications to be available only via HTTPS, so I did the following in my httpd.conf file:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<DirectoryMatch "^/Web[A-Za-z0-9]+">
    Order allow,deny
    Deny from all
</DirectoryMatch>

# In extra/httpd-ssl.conf, access to "^/Web[A-Za-z0-9]+"
# is reenabled, but only through HTTPS.

However, when I tested my configuration, "http://myip/WebTest" opened correctly. What am I doing wrong?

isekaijin

1 Answer


<Directory> maps to physical locations of resources. You should use <Location> or <LocationMatch> for locations.

<LocationMatch /Web.*>
   Order Allow,deny
   Deny from All
</LocationMatch>

Beware of the following warning from the documentation:

<Location> sections operate completely outside the filesystem. This has several consequences. Most importantly, <Location> directives should not be used to control access to filesystem locations. Since several different URLs may map to the same filesystem location, such access controls may be circumvented.

Lekensteyn
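An added example, not part of the original question or answer: the filesystem-side variant that the quoted warning points to, keeping the question's <DirectoryMatch> approach but matching the path on disk. The document root /srv/www/htdocs and the _default_:443 virtual host are assumptions; substitute your own values.

```apache
# --- httpd.conf (main server, plain HTTP) ---
# Assumed for this example: DocumentRoot "/srv/www/htdocs"

# The question's pattern never matches: <DirectoryMatch> is tested against
# the filesystem path (e.g. /srv/www/htdocs/WebTest), not the URL path
# (/WebTest), so "^/Web..." finds nothing and <Directory /> still allows all.
#<DirectoryMatch "^/Web[A-Za-z0-9]+">

# Same pattern, anchored at the document root on disk. It covers every URL
# that resolves into these directories, including aliases and symlinks.
<DirectoryMatch "^/srv/www/htdocs/Web[A-Za-z0-9]+">
    Order allow,deny
    Deny from all
</DirectoryMatch>

# --- extra/httpd-ssl.conf ---
<VirtualHost _default_:443>
    # Existing SSLEngine and certificate directives stay as they are.

    # Sections inside a <VirtualHost> are applied after the matching
    # sections of the main server, so this Allow replaces the Deny above
    # for HTTPS requests only.
    <DirectoryMatch "^/srv/www/htdocs/Web[A-Za-z0-9]+">
        Order allow,deny
        Allow from all
    </DirectoryMatch>
</VirtualHost>
```

After reloading, a request for http://myip/WebTest should return 403 while the same path over HTTPS is still served; directories such as /MoarHelperz are unaffected in both cases.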