Bug 42508 - "Deny from all" failing occasionally inside Location directive
Summary: "Deny from all" failing occasionally inside Location directive
Status: RESOLVED DUPLICATE of bug 36937
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_cache (show other bugs)
Version: 2.2.4
Hardware: Sun Solaris
: P2 major with 3 votes (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-24 05:25 UTC by David Keech
Modified: 2007-09-28 10:21 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Keech 2007-05-24 05:25:06 UTC 
While developing a new site we had a Location directive similar to the one below:
  <Location />
        Order deny,allow
        Deny from all

        Allow from 10.20.30.
        Allow from 140.211.11.4/32
        Allow from 140.211.11.130/32

        # Allow from the W3C validator
        Allow from 128.30.52.13/32
  </Location>

During this time we saw that most requests in the log files for IP addresses not
on that list were returning 403 errors but occasionally Apache would return a 200.
We verified that it was actually returning the requested page and not a logging
error by using anonymous web proxies.  Most received 403 errors but some
displayed the page.

The problem isn't consistent for a particular IP address.  We saw the Google bot
crawling the site from a single IP address.  Most of the time it would receive
403 errors but occasionally it would receive the page it was requesting.

It's also not consistent for a particular file.  Of the 117 requests for
robots.txt that the Google bot has made over the last two months, only three
were returned as 200, the rest were 403.

Return codes and their counts for all files and all IP addresses apart from the
IP addresses in the Location directive are:
  139 304
 1172 302
 1193 200
20142 403

Let me know if you would like any more information to help find this bug.
Comment 1 Nick Kew 2007-05-24 05:53:46 UTC 
Use of <Location> for local contents is NOT recommended, because it WILL confuse
you.  The problem you describe is likely to be due to it interacting with
another container in a manner you don't expect.

The other possible explanation is that you're using mod_cache, which is known
not to work with host-based access restrictions.
Comment 2 David Keech 2007-05-24 07:15:39 UTC 
Thanks for the info, I hadn't noticed that in the Apache2 documentation before.

It still seems like a bug but it's a bug in mod_cache rather than the Apache Core.
I have changed the component to be mod_cache and I'll have a look around again
to make sure it's not a duplicate of another bug.

In case someone with the same problem finds this bug we are planning on working
around this bug using mod_rewrite for whole sites that shouldn't be accessed and
CacheDisable for paths that shouldn't be accessed.
Comment 3 Wilson Felipe 2007-05-31 14:06:58 UTC 
hello,

I had the same problem, but it seems to be the behavior of mod_cache, as
describe in http://issues.apache.org/bugzilla/show_bug.cgi?id=36937

"Content is stored in and retrieved from the cache using URI based keys. Content
with access protection is not cached."
taken from apache documentation: http://httpd.apache.org/docs/2.2/mod/mod_cache.html
Comment 4 Joshua Slive 2007-09-28 10:21:57 UTC 

*** This bug has been marked as a duplicate of 36937 ***