Operating an Apache 2.4.7 server on Ubuntu 14.04 LTS, I am having an issue with a configuration setup to "Restrict File Extensions," as recommended by the Center for Internet Security (CIS). The basic idea is (1) restrict all files, then (2) allow access only to the file types to be served.
The MAIN_APACHE2.conf file includes, in relevant part, the following:
<Directory />
    Require all denied
    AllowOverride None
    Options None
    <LimitExcept GET HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>

<FilesMatch "^.*$">
    Require all denied
</FilesMatch>
The included V_HOST.conf file includes, in relevant part, the following:
DocumentRoot /var/www/html

<Directory /var/www/html>
    Require all granted
    <FilesMatch "^.*\.(htm)$">
        Require all granted
    </FilesMatch>
</Directory>
The only file on the server is an entirely self-contained test file "index.htm" located in the vHost Document root. Attempting to hit the server with this configuration results in a 403 Error. Thinking that this issue might be a question of how the FilesMatch merges, especially with the vHost set up and the nested Directory directive, I substituted the following in the V_HOST.conf file:
<Directory /var/www/html>
    Require all granted
    <FilesMatch "^.*$">
        Require all granted
    </FilesMatch>
</Directory>
Somewhat to my surprise, this works! So ... what am I missing? Is this a problem with the regular expression? Am I missing some "other" file that the Apache server needs to be able to read? I have tried any number of other expressions, have attempted with ALL of the FilesMatch in the MAIN_APACHE2.conf (outside of the Directory directive) and at this point am just stuck!
Any pointers here are greatly appreciated. Of course, if I should be on Stack Overflow or somewhere else with this please let me know.
FilesMatch sections are applied in the order they occur in the merged configuration file. The layout implied by your question is ambiguous, but your results imply the relative order is not as you "expect".
After giving this a bit more thought, here is the answer:
The FilesMatch directive is applied against the "directory" hit prior to the mod_dir DirectoryIndex directive assignment to "index.htm." As a result, a "null" condition must pass the test in order for the request to be handled. With that, this set up (all the same except for this change to the V_HOST.conf file) works:

NOTE: I also took this opportunity to "tighten" the requirement on the allowed files with extensions to require that there is actually some character prior to the period delineating the extension, which makes it less likely that a ".ht" type file (i.e. a file name beginning with a single ".") will inadvertently be allowed by a future configuration change.