8

I have asked the same question on Stack Overflow, but then I thought it might be more relevant here.

In Apache's httpd.conf, between the VirtualHost tags, I put a <LimitExcept> expression as follows:

<VirtualHost *:80>
 ServerName geopreprod.xxx.com.tr

 <LimitExcept HEAD POST GET>
     Deny from all
 </LimitExcept> 

  ProxyRequests Off
  ProxyPreserveHost On

  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyPass / http://XXXXXXXX...
  ProxyPassReverse / http://XXXXXXXX....
</VirtualHost>

and then the Apache web server fails to start, giving the following error:

Syntax error on line 513 of XXXXX/httpd.conf:
deny not allowed here

Although the official docs say <LimitExcept> can be used in a VirtualHost tag, why do I get this error?

In the Apache docs it says:

Context:    server config, virtual host, directory, .htaccess
destan

2 Answers

16

As long as your <LimitExcept> block is within a context that's valid for the Allow/Deny directives, then it will work just fine.

If you try putting even a naked Deny rule directly in the <VirtualHost> context, you'll see that it's denied in the same way - <VirtualHost> with a Deny in it is not allowed, so neither is adding a <LimitExcept> between them.

But, the trick is that <LimitExcept>, and some other block types like <IfModule>, do not modify the context of a directive; you'll never see "limit" in the list of acceptable contexts in the documentation for a directive.

There are only four contexts that can dictate whether a directive is allowed:

  • server config
  • virtual host
  • directory (which includes <Location> and <Files> type directives, too)
  • .htaccess

In the case of the mod_authz_host directives (Order, Allow, and Deny), they're allowed only in directory and htaccess contexts, so they'll always error when they're not in one.

In your case, there's no filesystem location for this reverse-proxy vhost, so you'll want to use a <Location> block (which is a valid context for Allow/Deny because it's of the directory context type):

<Location />
    Order allow,deny
    Allow from all
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
</Location>

Oh, and get rid of that <Proxy *> block, as it's not doing anything - the <Location> takes precedence over it anyway, but it's in conflict with the <LimitExcept>'s restrictions, so it makes me nervous.

Shane Madden
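
The context rule described in this answer, as an added example (not part of the original answer and not Apache's own code): a small Python check that walks a config, skips wrappers such as <LimitExcept> and <IfModule> when working out the context, and flags Order/Allow/Deny outside a directory-type section. The function names and the two sample configs are assumptions made for illustration.

```python
import re

# Sections that set the "directory" context (per Apache's directive dictionary).
DIRECTORY_SECTIONS = {"directory", "directorymatch", "location",
                      "locationmatch", "files", "filesmatch", "proxy", "proxymatch"}
AUTHZ_HOST = {"order", "allow", "deny"}  # valid in directory/.htaccess only

def effective_context(stack):
    """Walk outward; wrappers like <LimitExcept>/<IfModule> are skipped."""
    for name in reversed(stack):
        if name in DIRECTORY_SECTIONS:
            return "directory"
        if name == "virtualhost":
            return "virtual host"
    return "server config"

def check(conf):
    """Return (line_no, directive, context) for misplaced Order/Allow/Deny."""
    stack, findings = [], []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opener = re.match(r"<(\w+)", line)
        if line.startswith("</"):
            stack = stack[:-1]  # close tag; tolerate a stray one
        elif opener:
            stack.append(opener.group(1).lower())
        else:
            word = line.split()[0]
            ctx = effective_context(stack)
            if word.lower() in AUTHZ_HOST and ctx != "directory":
                findings.append((no, word, ctx))
    return findings

# Constructed samples: the question's layout, then the answer's fix.
QUESTION_CONF = """<VirtualHost *:80>
  <LimitExcept HEAD POST GET>
    Deny from all
  </LimitExcept>
</VirtualHost>"""
FIXED_CONF = """<VirtualHost *:80>
  <Location />
    Order allow,deny
    Allow from all
    <LimitExcept HEAD POST GET>
      Deny from all
    </LimitExcept>
  </Location>
</VirtualHost>"""
```

This checks context only; `apachectl configtest` remains the authority on whether the config loads.
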
3

The error message is saying that Deny is not allowed in a <LimitExcept> block.

From a different part of the docs: "The directives provided by mod_authz_host are used in <Directory>, <Files>, and <Location> sections as well as .htaccess files".

Ladadadada