.htaccess configuration (limit get, allow, deny) and <Limit GET HEAD POST>


strawberry
07-22-2009, 09:23 AM
Part of my default .htaccess contains the following lines:
IndexIgnore .htaccess */.?* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

What do they do? Why have "deny from all" and "allow from all" in the same script?

----

What is the difference between <Limit GET POST> and <Limit GET HEAD POST>?

----

There are some conflicts with the below lines.
When I add it, my site is down.
Could you help me?
Thanks.

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

<Limit GET HEAD POST>
order allow,deny
deny from 116.193.8.0/21
deny from 125.31.0.0/18
deny from 161.64.0.0/16
deny from 192.203.232.0/24
deny from 202.75.248.0/22
deny from 202.86.128.0/18
deny from 202.171.252.0/22
deny from 202.172.0.0/22
deny from 202.173.0.0/22
deny from 202.174.0.0/22
deny from 202.175.0.0/22
deny from 202.175.4.0/22
deny from 202.175.8.0/21
deny from 202.175.16.0/20
deny from 202.175.32.0/19
deny from 202.175.64.0/19
deny from 202.175.96.0/19
deny from 202.175.160.0/19
allow from all
</LIMIT>

:)

bradgrafelman
07-23-2009, 07:48 PM
What do they do?
<LIMIT> (http://httpd.apache.org/docs/2.2/mod/core.html#limit) allows you to limit access to certain HTTP "verbs" or methods. IndexIgnore (http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#indexignore) is part of the mod_autoindex module that handles displaying pretty HTML indexes when no index file is found; it instructs the webserver which files it should not show in these listings... presumably because they either a) have no value for the end user, or b) are private in nature and don't need to be shown to the world.

For more information on either of them (or other Apache directives used in .htaccess or httpd.conf), visit the manual links I provided or search the Apache documentation (http://httpd.apache.org/docs/2.2/).

Why have "deny from all" and "allow from all" in the same script?
No idea; not only does it not make sense, it's probably not doing anything you intended it to. As such, you should get rid of it.

What is the difference between <Limit GET POST> and <Limit GET HEAD POST>?
The former of the two places the ensuing limitations on the GET and POST verbs/methods, while the latter of the two also includes HEAD as well.

strawberry
07-25-2009, 10:27 PM
Thank you.

Why can't <Limit GET POST> and <Limit GET HEAD POST> coexist?

If my .htaccess includes <Limit GET POST> and <Limit GET HEAD POST>, then I can't connect to my site.

bradgrafelman
07-25-2009, 10:44 PM
Why can't <Limit GET POST> and <Limit GET HEAD POST> coexist?
No one said they couldn't.

If my .htaccess includes <Limit GET POST> and <Limit GET HEAD POST>, then I can't connect to my site.
The presence of both of those tags has nothing to do with whether you can access the site - it's what's inside those tags that makes the difference.

I believe what is happening is that the "order" statement in the last <Limit GET HEAD POST> tag is overriding the order of the first tag. Since the first LIMIT tag includes "deny from all", it's probably processed last (which means it's denying access from everyone).

Again, however, the first <LIMIT GET POST> tag is pointless (other than to cause errors like what you're seeing now).
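
Added example, not part of the original thread and not Apache's own code: a simplified Python model of Apache 2.2 Order/Allow/Deny evaluation per HTTP method, showing why the combined file above refuses every GET. It assumes that rules from all <Limit> blocks in one .htaccess accumulate per method and that the last "order" given for a method wins, as the reply above describes; BLOCKS, matches and access are hypothetical names, and only the first two deny ranges from the thread are included.

```python
import ipaddress

# Constructed from the thread's .htaccess: (methods, order, denies, allows)
# for each <Limit> block, in file order.
BLOCKS = [
    ({"GET", "POST"}, "deny,allow", ["all"], ["all"]),
    ({"PUT", "DELETE"}, "deny,allow", ["all"], []),
    ({"GET", "HEAD", "POST"}, "allow,deny",
     ["116.193.8.0/21", "125.31.0.0/18"], ["all"]),
]

def matches(specs, ip):
    """True if ip matches 'all' or falls inside any CIDR range in specs."""
    addr = ipaddress.ip_address(ip)
    return any(s == "all" or addr in ipaddress.ip_network(s) for s in specs)

def access(blocks, method, ip):
    """Return 'allow' or 'deny' for one request under the modelled rules."""
    order, denies, allows = "deny,allow", [], []  # Apache 2.2 default Order
    for methods, blk_order, blk_denies, blk_allows in blocks:
        if method in methods:
            order = blk_order        # assumption: last Order for the method wins
            denies += blk_denies     # assumption: rules accumulate across blocks
            allows += blk_allows
    denied, allowed = matches(denies, ip), matches(allows, ip)
    if order == "deny,allow":
        # Deny is evaluated first, a matching Allow overrides it; default allow.
        return "allow" if allowed or not denied else "deny"
    # allow,deny: Allow is evaluated first, a matching Deny overrides it;
    # a request matching neither is denied.
    return "allow" if allowed and not denied else "deny"

if __name__ == "__main__":
    client = "203.0.113.5"  # constructed address outside every listed range
    for method in ("GET", "HEAD", "POST", "PUT"):
        print(method, access(BLOCKS, method, client))
```

With the first block removed (BLOCKS[1:]), GET from an unlisted address is allowed again while the listed ranges stay blocked.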

strawberry
07-26-2009, 03:15 AM
I see. :)

It's really helpful to me, thanks for teaching me.