Per requirements of a project I am working on, the Apache httpd.conf must have the following restrictive setting as a security measure.

<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

I've added this for my virtual host, which was also set out by my project requirements.

<Directory /var/www/html/>
    Options -Indexes -Includes -FollowSymLinks -MultiViews
    AuthType None
    Order allow,deny
    <LimitExcept GET POST OPTIONS>
        Deny from all
    </LimitExcept>
</Directory>

To be certain, this site is secure indeed, but I cannot even access my index.html! I am met with this error: "You don't have permission to access / on this server."

When I remove the restrictive root directory settings, everything works perfectly fine. How do I go about fixing up my configuration, but sticking to the requirements? It seems to me like adding the directive for the document root in my virtual host did not work as expected or maybe I'm just not doing something else properly?

tremor

1 Answer

You forgot to Allow from something in your virtual host's Directory.

Michael Hampton
  • Would I put something like "Allow from all" before, after or in the tags? – tremor Apr 08 '14 at 00:52
  • It depends on what you want to allow, and you were not specific about that. – Michael Hampton Apr 08 '14 at 00:55
  • I don't really know; this is finer detail than I've ever worked with in the Apache conf before. I'm a developer who's been thrown into the role of server admin for the time being. Any suggestions would be appreciated. Looking at it, I assume "order allow,deny" allows all traffic unless it is explicitly denied by the LimitExcept rule? Where did I go wrong here? – tremor Apr 08 '14 at 12:31
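
The fix the answer points to, written out as an added example that is not part of the original answer or comments. It assumes Apache 2.2-style access directives (mod_authz_host, or mod_access_compat on 2.4) and that the site is meant to be reachable by everyone, which the question does not state.

```apache
# Added example. Assumption: the site under /var/www/html/ is public.

# Root stays locked down, as the project requirements demand.
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

<Directory /var/www/html/>
    Options -Indexes -Includes -FollowSymLinks -MultiViews
    AuthType None
    # "Order allow,deny" evaluates Allow lines first, then Deny lines,
    # and rejects any request that matches no Allow line. Without the
    # Allow below, every request hits that default and gets 403.
    Order allow,deny
    Allow from all
    # Deny is evaluated last and overrides Allow, so any method other
    # than GET, POST and OPTIONS is still refused with 403.
    <LimitExcept GET POST OPTIONS>
        Deny from all
    </LimitExcept>
</Directory>
```

To narrow access instead of opening it to everyone, replace `Allow from all` with the specific hosts or networks that should reach the site. On Apache 2.4 without mod_access_compat, the same intent is written with `Require all granted` in the Directory block and `Require all denied` inside the LimitExcept.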