1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice

deny from htaccess not working?

Discussion in 'Plesk for Linux - 8.x and Older' started by ElricM, May 28, 2005.

  1. ElricM

    ElricM Guest

    0
     
    I have someone who is direct linking to my files in a particular directory. I tried to experiment with using .htaccess to deny, but it's not working.

    I have the following:

    order allow,deny
    deny from badguy.com
    allow from all

    I also tried reversing the order

    order deny,allow
    deny from badguy.com
    allow from all

    but when I go to his site, I can still download my files. WHat am I doing wrong? I have the .htaccess file in the directory I want to forbid and at the webroot. This is in a subdomain. (eg. subdomain.mydomain.net)

    Thanks

    Edit: I also created a vhost.conf file for the subdomain and put these lines in it:

    <Directory "/home/httpd/vhosts/<Mydomain>.net/subdomains/<SubdomainName>/httpdocs/*">
    order allow,deny
    deny from badguy.com
    allow from all
    </Directory>

    ran websrvmng, restarted apache and verified the directives were in the list (using Webmin to view them). It still doesn't work e.g., I can still download the files from his site.
     
  2. ElricM

    ElricM Guest

    0
     
    Anyone? I have AllowOverride All enabled for the directory container. I also put "deny from all" in the .htaccess file as a test and got rejected so I know .htaccess is being read.

    Seems if I have

    deny from badguy.com
    allow from all

    the "allow from all" overrides the deny, similarily if I have

    deny from all
    allow from <me>

    the "deny from all" takes precedence. This seems to be the case no matter what the order directive is (e.g., "order deny,allow" or "order allow,deny")
     
  3. jamesyeeoc

    jamesyeeoc Guest

    0
     
    It is possible that when the double reverse DNS lookup is done and then the forward lookup to verify (per Apache's docs) is done and if the result does not match, then the directive is not applied.

    Have you tried verifying all IPs owned by badguy.com and blocking the IP range?

    Personally, I'd block his IPs at the firewall level....
     
Loading...