libapache2-mod-rpaf 0.6.9 doesn't work well in combination with deny/allow operators
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libapache2-mod-rpaf (Ubuntu) | Confirmed | Undecided | Sergey B Kirpichev | |
Bug Description
On Ubuntu release 13.04, which comes with libapache2-mod-rpaf 0.6-9, there is unexpected behavior when libapache2-mod-rpaf is combined with the order allow/deny operators.
How to reproduce:
Create a .htaccess file with the following set:
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 5.5.5.5
</Limit>
Enable mod_rpaf and set your proxies' IPs.
Put Apache behind a reverse proxy and surf the protected URL from 5.5.5.5;
you will receive the following error in the error log:
[error] [client 5.5.5.5] client denied by server configuration: /path/to/
Although the correct client IP is shown in the error log, it seems like Apache initiates the access list policy check before mod_rpaf fires.
Makes the system unusable.
Status changed to 'Confirmed' because the bug affects multiple users.
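The symptom described in the report, modelled as an added example (not code from the reporter, mod_rpaf or Apache). It assumes the reporter's hypothesis that the access check sees the proxy's address rather than the rewritten one; the proxy address 10.0.0.1, the function names and the last-entry X-Forwarded-For handling are assumptions of this model.

```python
import ipaddress

# Constructed sample values: the proxy address is hypothetical,
# 5.5.5.5 is the client address used in the report.
TRUSTED_PROXIES = {"10.0.0.1"}
ALLOW = [ipaddress.ip_network("5.5.5.5/32")]  # "allow from 5.5.5.5"
DENY_ALL = True                                # "deny from all"


def rpaf_client_ip(peer_ip, headers):
    """Model of the address rewrite: only when the TCP peer is a listed
    proxy, take the last X-Forwarded-For entry as the client address."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    hops = [h for h in hops if h]
    if peer_ip in TRUSTED_PROXIES and hops:
        return hops[-1]
    return peer_ip


def order_deny_allow(ip):
    """'order deny,allow': Deny rules are evaluated first, then Allow;
    an Allow match wins, and a request matching neither is allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address can never match "allow from"
    allowed = any(addr in net for net in ALLOW)
    return allowed or not DENY_ALL


def handle(peer_ip, headers, check_after_rewrite):
    """Return (allowed, ip_written_to_log) for one request.
    check_after_rewrite=False models the ordering the reporter suspects."""
    rewritten = rpaf_client_ip(peer_ip, headers)
    checked = rewritten if check_after_rewrite else peer_ip
    return order_deny_allow(checked), rewritten


if __name__ == "__main__":
    req = {"X-Forwarded-For": "5.5.5.5"}
    print("check before rewrite:", handle("10.0.0.1", req, False))
    print("check after rewrite: ", handle("10.0.0.1", req, True))
    print("untrusted peer:      ", handle("203.0.113.9", req, True))
```

The first case reproduces the log line in the report: the request is denied while the logged client is 5.5.5.5. The third case shows why the proxy list matters: a peer outside it cannot satisfy `allow from 5.5.5.5` by sending the header itself.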