How can one deny access to all subdirectories of a given directory?

I tried to do it with the <Directory(Match)> directives. The server configuration (000-sites-enabled) looks like this:

DocumentRoot /var/www
<Directory /var/www>
    Allow from all
    Deny from none
    Order deny,allow
</Directory>
<Directory /var/www/*>
    Deny from all
</Directory>

A query to http://localhost/ successfully displays /var/www/index.html and all queries to any subdirectories fail.

The problem is: any query to a file in the httproot fails - i.e. requesting http://localhost/index.html will result in 403 Forbidden.

The <Directory(Match)> directives seem to actually match directories AND files!?

To see if this is true, I tried:

<Directory /var/www/i*>
    Deny from all
</Directory>

This denies access only to files/directories starting with 'i'.

Is there a way to alter this behaviour and let it match only directories? Is there another way to accomplish that all the subdirectories are denied? (besides denying all of them manually or enabling all files manually)

Comments

Looks like a bug to me. I opened issues.apache.org/bugzilla/show_bug.cgi?id=50926 so someone with more experience in the core can take a look.

Written by covener

Accepted Answer

Hey,
the solution turned out to be pretty obvious (after looking at the suggestions of Derick and dialer):

<Directory /var/www/*/>
    Allow from None
    Order allow,deny
</Directory>

This denies access only to the direct subdirectories (and their contents etc.) of /var/www/. Specific ones of these directories can still be re-enabled with <Directory> directives.

This is in contrast to <DirectoryMatch> which will
- also match all files & directories in the tree and
- override all <Files> or <Directory> directives for any item in the tree.

In most cases however, one should think about using a different directory-layout instead - as pointed out by John and Clodoaldo.

Nevertheless, I think that it can still be useful in many cases to apply a set of directives (may these be authorization specific or of any other kind!) to an entire directory tree - without losing the ability to alter these settings for the root directory of the tree or any subdirectories/files by standard means.

Written by Thomas G.
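
The pattern from the accepted answer as a complete default-deny layout with one subdirectory re-enabled. This is an added example, not part of the original answer: /var/www/public is a hypothetical directory name, and the example goes beyond the answer by also giving the Apache 2.4 `Require` equivalents.

```apache
# Added example. /var/www/public is a hypothetical directory name.
# <IfVersion> requires mod_version to be loaded.

DocumentRoot /var/www

# Files directly in the document root stay reachable.
<Directory /var/www>
    <IfVersion < 2.4>
        Order allow,deny
        Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Directory>

# Default-deny every direct subdirectory. The wildcard does not match "/",
# so only one path level is matched; deeper levels inherit the denial.
<Directory /var/www/*/>
    <IfVersion < 2.4>
        Order allow,deny
        Allow from None
    </IfVersion>
    <IfVersion >= 2.4>
        Require all denied
    </IfVersion>
</Directory>

# Re-enable a single subdirectory. It is listed after the wildcard section:
# both sections have the same path depth, so this one is merged later and wins.
<Directory /var/www/public>
    <IfVersion < 2.4>
        Order allow,deny
        Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Directory>
```

After a reload, a file in /var/www/ and a file under /var/www/public/ should return 200, while a file under any other subdirectory should return 403; a newly created subdirectory is denied without further configuration.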
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki