Problem

The system is allowing universal access to the php app 'owncloud'. That is, access is granted to servers across the network. As a test 'Require all denied' did not control access.

What is missing in this configuration to limit access to the server host?

Other thoughts

Are there config changes required to httpd.conf as well? Is this an owncloud.conf issue or an httpd.conf issue? Is php.conf involved in these symptoms?

Specs

Fedora 21

  • httpd
  • mod_ssl level 2.4.16
  • As part of the process to get to this point htaccess files have been renamed.
  • /etc/httpd/conf/httpd.conf file is standard.

/etc/httpd/conf.d/owncloud.conf file:

<VirtualHost *:443>
    ServerName owncloud
    ServerAlias owncloud
    DocumentRoot /var/www/html/owncloud
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/owncloud.pem
    SSLCertificateKeyFile /etc/httpd/ssl/owncloud.key
    <Directory /var/www/http/owncloud>
        Options +Indexes +FollowSymLinks
        AllowOverride All
        Require local
        <IfModule mod_php5.c>
            php_value upload_max_filesize 512M
            php_value post_max_size 512M
            php_value memory_limit 512M
            php_value mbstring.func_overload 0
        </IfModule>
        <IfModule pagespeed_module>
        </IfModule>
        RewriteEngine on
        RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last]
        RewriteRule ^\.well-known/carddav /remote.php/carddav/ [R]
        RewriteRule ^\.well-known/caldav /remote.php/caldav/ [R]
    </Directory>
</VirtualHost>
clarity123
dan sawyer

1 Answer

If your server is allowing traffic in despite having Require local and especially Require all denied, then it is an apache/httpd issue. It's either an override (e.g. .htaccess), or another config file being loaded. Apache will apply the access lists according to the most specific directory listed. Example: /var/www/http/owncloud set to Require local, if you had /var/www/http/owncloud/theRealServerRoot set to Require all granted, then everyone would be allowed to whatever is in 'theRealServerRoot' though they're denied from the parent directory. You may already know this, but just in case. Also, if two config files reference the same directory using the <directory> statement, whichever config file was loaded last will apply. The loading is usually done alphabetically. If you have a 'security.conf' file that defines alternative Require statements for /var/www/http/owncloud, then these will be used instead of whatever is in owncloud.conf.

1) Can you double check that owncloud isn't recreating the .htaccess files as soon as you rename them?

2) What other files are in your conf.d directory? Could you check to see if they're acting on the directory?

3) Also, the file you posted is for https; You're testing access against the https:// URL, correct? Because there is likely a different set of rules for the http:// URL.

4) Finally, but most unlikely, are you using a reverse proxy or a load balancer? Both of these alter the IP address which apache/httpd will see, and would produce the same problem if it was running on the same server (though it would still get blocked when you wrote in the Require all denied line).

Neil
  • Here are the answers to the questions: 1. I ran an updatedb and looked for any .htaccess files in var and usr. There were none. There is no .htaccess file in the owncloud path. 2. Below are the files in /conf.d/: autoindex.conf, mod_evasive.conf, owncloud.conf, php.conf, ssl.conf, userdir.conf, welcome.conf. I checked them and there are no Directory directives with a path to the owncloud paths. 3. Yes. There is a 'welcome' in the http: path. It works correctly. 4. No. I am not using a reverse proxy load balancer. There is no RealServerRoot directive in the /etc/httpd path. – dan sawyer Nov 14 '15 at 14:14
  • Finally, and perhaps a clue. If I rename owncloud.conf to owncloud.conf.sav and restart httpd, the owncloud app works. In other words the privilege in httpd.conf and other .conf files is sufficient to allow owncloud to run. – dan sawyer Nov 14 '15 at 14:15
  • If httpd is started without the owncloud.conf file then the Directory configuration parameters in /conf/httpd.conf work based on the /var/www/html/ directory path. When this path has a Require local directive then access is only allowed from the host server. When this path has a Require ip 10 directive then other clients on the local network can access owncloud. (Again, owncloud is running without an owncloud.conf file present.) – dan sawyer Nov 14 '15 at 14:23
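
The answer's point that a Directory section only takes effect for the path it names can be checked mechanically. The following is an added example, not part of the original question, answer or comments: it lists which Directory sections carrying Require lines cover each DocumentRoot, and which cover none. The sample input is constructed from the owncloud.conf quoted in the question; the httpd.conf section and the names SAMPLE, covers and audit are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed sample. owncloud.conf lines are taken from the question; the
# httpd.conf section is an assumed stock entry for /var/www/html.
SAMPLE = {
    "conf/httpd.conf": '<Directory "/var/www/html">\n    Require all granted\n</Directory>\n',
    "conf.d/owncloud.conf": """
<VirtualHost *:443>
    DocumentRoot /var/www/html/owncloud
    <Directory /var/www/http/owncloud>
        Require local
    </Directory>
</VirtualHost>
""",
}

# Literal paths only: wildcard and regex (<Directory ~ ...>) sections are not handled.
DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
ROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.M | re.I)
REQ_RE = re.compile(r'^\s*(Require\s+.+?)\s*$', re.M | re.I)

def covers(section_path, target):
    """True if <Directory section_path> applies to target (same dir or an ancestor)."""
    s, t = PurePosixPath(section_path), PurePosixPath(target)
    return s == t or s in t.parents

def audit(configs):
    """Return ({docroot: sections applied to it}, sections touching no docroot)."""
    sections = [(name, path, REQ_RE.findall(body))
                for name, text in configs.items()
                for path, body in DIR_RE.findall(text)]
    sections = [s for s in sections if s[2]]          # keep sections with Require lines
    roots = [r for text in configs.values() for r in ROOT_RE.findall(text)]
    report = {}
    for root in roots:
        hits = [s for s in sections if covers(s[1], root)]
        # httpd merges plain <Directory> sections from shortest path to longest
        report[root] = sorted(hits, key=lambda s: len(PurePosixPath(s[1]).parts))
    orphaned = [s for s in sections
                if not any(covers(s[1], r) or covers(r, s[1]) for r in roots)]
    return report, orphaned

if __name__ == "__main__":
    report, orphaned = audit(SAMPLE)
    for root, hits in report.items():
        print(root, "<-", hits or "no Directory section with Require")
    for name, path, reqs in orphaned:
        print(f"{name}: <Directory {path}> {reqs} covers no DocumentRoot")
```

On the sample, the Require local section is reported as covering no DocumentRoot, because its path reads /var/www/http/owncloud while the DocumentRoot is /var/www/html/owncloud.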