blog.plee.me About software, technology and random things

2Jul/130

Access Control via Hybrid .htaccess for Both Apache HTTPd 2.2 and 2.4

Hi!

If you're running the Apache HTTPd in the versions 2.2 and 2.4 in different environments but would like to control access to certain directories (include, lib, ...) via Apache, chances are that you don't want to use one 2.2 specific file and a different one for 2.4, especially if you keep transferring and synchronizing the files between those different setups.

Between versions 2.2 and 2.4 a couple of things have changed. The perhaps most prominent change would be the one that comes with the new mod_authz_host module and deals with authorization / access control. Instead of using Order, Allow, Deny and/or Satisfy you are now advised to use the new Require directive.

So what do you do if you cannot switch every .htaccess over to the new format for reasons like the one mentioned in the beginning?

You could in fact enable the mod_access_compat module and keep rolling with the old configuration. But that would only mean procrastinating until you would finally have to deal with it anyway.

The better solution is to use configurations that are not even necessarily dependent on your Apache version (remember, you could just load the legacy compatibility module in 2.4), but in fact check for the correct module to work with. The key element to work with here is the IfModule directive.

# Apache 2.4
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
</IfModule>

As you can see, there are two checks that basically work as an "if ... else" selection. The rest should be self-explanatory.

For more information about the new way of handling access with the Apache HTTPd 2.4, please refer to the official documentation.

I hope this was of any help to you.

Thanks for reading.

20May/120

Making Traceroutes Work with a Firewall (Windows)

Hi!

Even though I've had software firewalls in action for years now, I haven't really come across too many instances where I'd need traceroutes. The few times I did, however, I noticed that I only got output like the following:

>tracert example.com

Tracing route to example.com [123.123.123.123]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11    50 ms    50 ms    50 ms  example.com [123.123.123.123]

Trace complete.

The number of hops would of course vary for the specific host / IP address.

Today I had to use traceroute in order to analyze a couple of networking problems. That was the incentive I needed to look up why it didn't work.

The fact that not even my router was showing up was a big indicator that something was wrong with my local firewall settings.

After searching the web for a couple of minutes, I found out what I was looking for at this page: http://www.phildev.net/ipf/IPFques.html#ques34

Traceroute is using ICMP packets (plus UDP on Linux systems, but that's outside the scope of this blog entry. You can read more about it on the page I linked above). But even for an outgoing traceroute you need to accept incoming ICMP packets.

Which ones? These:

  • ICMP TTL Expired (Type 11, Code 0)
  • ICMP Port Unreachable (Type 3, Code 3)

Once you've enabled these types of packets for incoming traffic in your firewall(s), you'll see that your traceroute will now function as it should.

If your firewall does not allow you to configure accepting specific types of ICMP packets, try allowing incoming ICMP packets altogether (if that's not too much of a compromise for you).

Anyway, long-ish story short: It's working now 🙂

Thanks to the webmaster of the page I linked above! And thanks to you for reading.