Apache prevent access to everything except a single location
I'm trying to block access to everything on a vhost except a single safe-path
(and really, everything under it, so /safe-path/item-1
, /safe-path/item-2
, etc); from reading the docs, it seems that I should be able to do:
<Location />
Order allow,deny
Deny from all
</Location>
<Location /safe-path>
Order allow,deny
Allow from all
</Location>
But this doesn't seem to work; all URLs return a 403. I've tried the other order as well, and it doesn't seem to matter. If there's a "better" solution to the problem I'm trying to solve, I'm open to that as well.
EDIT: After doing some more research, I found Require all denied
and Require all granted
, which seems to be the 2.4 syntax. However, even setting the blocks to look like this it doesn't seem to work as expected:
<Location "/">
Require all denied
</Location>
<Location "/safe-path">
Require all granted
</Location>
I'm getting a 403 on every URL I hit. Even changing the order doesn't seem to make a difference.
Solution 1:
Not sure why it does not work with Require
directive, but you can use instead mod_rewrite to acheive what you want.
In this example, I disable (403 Forbidden) everything except queries that start with /projects
(tested with an existing folder that has sub directories):
<Directory /my/document/root/path>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/projects
RewriteRule .* - [F]
</Directory>
Should work the same in a <Location>
block.