# Apache (1.38) Directory Deny not working - why?

## whit

I have some directories under my document root that I do not want to have accessible via the Web. (It's a complicated setup - there's a reason to have this structure for other purposes.) But "Deny from All" isn't working for some reason. In /etc/apache/conf/commonapache.conf I have 

```

<Directory /absolute/path/to/files_to_hide/>

        Options -Indexes

        AllowOverride None

        Order Deny,Allow

        Deny from All

</Directory>

```

This works fine to turn off the indexes in those directories (which are on without this), but if I put in http://my.site/files_to_hide/test.html in the browser the test file is displayed! What the heck is going on? This directive has been basic since before Apache was born. "Deny from ALL" should stop anyone from getting any file from the directory. Yet the request shows up as a normal, successful GET in the log.

----------

## esammer

My first guess is that the enclosing directory (or something up the hierarchy) is also 'AllowOverride None' thus disallowing your changes. It does seem odd that Options changes would be respected and 'Allow' (mod_auth, iirc) would not, but it's worth a look.

Also, could there be an .htaccess file somewhere making changes? Is there a conflict between Location and Directory directives? When in doubt, start simplifying - start going back to defaults, switch from relative directives (i.e. change 'Options -Indexes' to 'Options FollowSymLinks MultiViews' or whatever the absolute is for you), move .htaccess files out of the way, disable funky 'mod_auth_*' modules, etc.

(Last minute guess: is it a 'Files *.html' weirdness thing?)

HTH.

----------

## whit

 *esammer wrote:*   

> My first guess is that the enclosing directory (or something up the hierarchy) is also 'AllowOverride None' thus disallowing your changes. It does seem odd that Options changes would be respected and 'Allow' (mod_auth, iirc) would not, but it's worth a look.

 

Nope. Since it's not a shared server, I let myself override at will. Anyhow there's no 'AllowOverride None' aside from the one I'm applying to this directory.

 *Quote:*   

> Also, could there be an .htaccess file somewhere making changes?

 

Nope, no .htaccess in this directory tree.

 *Quote:*   

> Is there a conflict between Location and Directory directives?

 

Nope. But as a workaround I've put a Location statement in place that succeeds in blocking the directory. It looks like:

```

<Location /dirinquestion/>

    Deny from all

    ErrorDocument 403 "

</Location>  

```

Of course, this isn't the preferred way to do it, since if someday I forget and use that directory name elsewhere on the server, it will fail.

 *Quote:*   

> When in doubt, start simplifying - start going back to defaults, switch from relative directives (i.e. change 'Options -Indexes' to 'Options FollowSymLinks MultiViews' or whatever the absolute is for you), move .htaccess files out of the way, disable funky 'mod_auth_*' modules, etc.

 

I'm no student of funky mod_auth modules. I've just got the default Gentoo assortment, which looks like:

```
apache.conf:LoadModule auth_module        modules/mod_auth.so

apache.conf:LoadModule anon_auth_module   modules/mod_auth_anon.so

apache.conf:LoadModule dbm_auth_module    modules/mod_auth_dbm.so

apache.conf:LoadModule db_auth_module     modules/mod_auth_db.so

apache.conf:AddModule mod_auth.c

apache.conf:AddModule mod_auth_anon.c

apache.conf:AddModule mod_auth_dbm.c

apache.conf:AddModule mod_auth_db.c
```

One of those may well be funking it, but I'm not sure about which can be disabled without other consequences. Mostly I do authorization through PHP scripts. Are any of these modules required for basic authorization?

 *Quote:*   

> (Last minute guess: is it a 'Files *.html' weirdness thing?)
> 
> HTH.

 

The only files directive is:

```

<Files ~ "^\.ht">

    Order allow,deny

    Deny from all

</Files>

```

And that's not working either! (Nor does it work if I change it to "Order deny,allow".) Dang it. I know that worked on a similarly-configured pre-Gentoo rig. But I was just able to view a file I named ".httest" that should have been blocked by that. And also a prior, backup version of a file that ends in "~" because of the editor I use, that that should block - a real security problem if I forget to delete those files. And I see now I've got the same problem on a second similarly-configured Gentoo server. It looks a lot like Gentoo may have something broken, since I'm running out of other candidates for the cause.

----------

## thecooptoo

can you switch everything off with 

Directory />

  Options -All -Multiviews

  AllowOverride None

  <IfModule mod_access.c>

    Order deny,allow

  Deny from all

  </IfModule>

</Directory>

if not its a problem outside apache. If so then go though gradually giving access to the bits you want

----------

## whit

 *thecooptoo wrote:*   

> can you switch everything off with ...

 

Thanks for the suggestion. Yes I can switch off everything. However there are a number of sites on the server, and mostly I want stuff on by default, so I'm still looking for how to get this working that way around. Yet when I start with 

```
<Directory />

  Options FollowSymLinks

  AllowOverride All

  Order deny,allow

  Allow from all

</Directory>
```

and not far beyond that have 

```
<Files ~ "^\.ht">

    Order allow,deny

    Deny from all   

</Files>

```

That "Deny from all" isn't effective. Should the IfModule statement be having some necessary effect? It's not used in Gentoo's default <Directory /> statement.

----------

## thecooptoo

IIRC its part of Apache2 dont know about Apache1

So the allow/deny bit of apache is OK :-))

Id go through the conf file and comment out all further reference to directories and change things one at a time until you can see  where the problem is.

----------

## whit

 *thecooptoo wrote:*   

> 
> 
> So the allow/deny bit of apache is OK )
> 
> Id go through the conf file and comment out all further reference to directories and change things one at a time until you can see  where the problem is.

 

A reasonable suggestion. Unfortunately the only futher Directory commands are for cgi-bin, icons, and /usr/share/doc - don't see any way those could be involved in this.

I was wrong on one item though. To block files ending in ~ I needed to add:

```
<Files ~ "~$">

    Order allow,deny

    Deny from all

</Files>

```

 - I was misreading the tilde in the other Files directive. This does work. But Directory to block the specific directory still fails.

----------

## thecooptoo

grep  -v '#'    commonapache2.conf >logfile

will give a file withou all the commens.

Might help

Do you want to post it/send it

----------

## whit

 *thecooptoo wrote:*   

> can you switch everything off with ...
> 
> 

 

Oh damn. Since I seemed to have the problem on two machines, I tested on the less critical. But that machine really only had the separate problem with the tilde file blocking.

Turns out that for the system with the problem, this does not shut the system down. So when you say "problem outside Apache" ... um, where could that be to have this effect?

Just upgraded Apache on the machine in question to 1.3.28 from 1.3.27r3 - no difference in the problem.

----------

## thecooptoo

have you changed the  document root in commonapache2.conf and its still including apache2.conf ( which also has the document root)

post the relevant lines from commonapache.conf

----------

## whit

 *thecooptoo wrote:*   

> have you changed the  document root in commonapache2.conf and its still including apache2.conf ( which also has the document root)

 

The document root in commonapache.conf (not 2 here) is commented out, and it is set correctly for the system both in apache.conf and for each host in vhosts/Vhosts.conf.

 *Quote:*   

> post the relevant lines from commonapache.conf

 

I'm not sure what the relevant lines would be. It currently starts out with:

```

User apache

Group apache

ServerAdmin webmaster@domainobfuscated.com

<Directory />

Options -All -Multiviews

AllowOverride None

Order deny,allow

Deny from all

</Directory>

```

... and that Deny from all isn't doing a thing.

Thanks for taking an interest in this, btw. I've been running Webservers since the NCSA days, and it's strange to have one bite me like this on such a basic directive.

----------

## thecooptoo

try making it 

order deny,allow ( which is what mine is . I'll just go and look it up ......)

----------

## whit

 *thecooptoo wrote:*   

> try making it 
> 
> order deny,allow

 

I've tried it both ways. Nada.

----------

## thecooptoo

The Dircectives ARE working because you can switch everything off.

My book says

Oder Deny,Allow Deny evaluated before Allow. If nothing else  allow access by dealut

Order Allow,Deny default is to prevent access

I would set up 2 directives ( the main one to allow all and then a separate one to deny all

remove the option override diectives.

What appears in the log files?

Send the commonapache.conf ( or the grep -v ^# version)

----------

## whit

 *thecooptoo wrote:*   

> The Dircectives ARE working because you can switch everything off.
> 
> 

 

No. You missed my earlier message that switching everything off only works on a second server, which at first I accidentally thought had the same problem because I didn't understand the syntax of the Files command (that tilde meant something other in the context than I'd assumed). I cannot switch everything off on the server which continues to have the problem - although oddly trying to switch everything off did result in access being denied to one particular directory not mentioned anywhere in the .conf files, and without any .htaccess file either. But everything else I checked on the server remained accessible. 

The log files aren't showing anything except successful GETs of the pages that should be blocked. Nothing in the error log regarding these.

----------

## whit

 *thecooptoo wrote:*   

> 
> 
> Send the commonapache.conf ( or the grep -v ^# version)

 

Here goes. I'll be totally surprised if you find the cause here. Switching that "Allow from all" a few lines down to "Deny" does not result in denial, except for the one exception I mentioned in the last post.

The last two directories are the ones I was first focusing on where the -Indexes option takes effect, but the denial doesn't.

```
User apache

Group apache

ServerAdmin webmaster@obfuscated.com

<Directory />

  Options FollowSymLinks

  AllowOverride All

  Order deny,allow

  Allow from all

</Directory>

<IfModule mod_userdir.c>

    UserDir public_html

</IfModule>

<IfModule mod_dir.c>

    DirectoryIndex index.html index.php index.php3 index.shtml index.cgi index.pl index.htm Default.htm default.htm

</IfModule>

AccessFileName .htaccess

<Files ~ "^\.ht">

    Order allow,deny

    Deny from all

</Files>

<Files ~ "~$">

    Order allow,deny

    Deny from all

</Files>

UseCanonicalName On

<IfModule mod_mime.c>

    TypesConfig conf/mime.types

</IfModule>

DefaultType text/plain

<IfModule mod_mime_magic.c>

    MIMEMagicFile conf/magic

</IfModule>

HostnameLookups Off

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script

LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost

ServerSignature On

<IfModule mod_alias.c>

    Alias /icons/ /home/httpd/icons/

    Alias /doc /usr/share/doc

    ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/

</IfModule>

<IfModule mod_autoindex.c>

    IndexOptions FancyIndexing

    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

    AddIconByType (TXT,/icons/text.gif) text/*

    AddIconByType (IMG,/icons/image2.gif) image/*

    AddIconByType (SND,/icons/sound2.gif) audio/*

    AddIconByType (VID,/icons/movie.gif) video/* 

    AddIcon /icons/binary.gif .bin .exe

    AddIcon /icons/binhex.gif .hqx

    AddIcon /icons/tar.gif .tar   

    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv

    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip .bz2

AddIcon /icons/a.gif .ps .ai .eps

    AddIcon /icons/layout.gif .html .shtml .htm .pdf

    AddIcon /icons/text.gif .txt

    AddIcon /icons/c.gif .c

    AddIcon /icons/p.gif .pl .py .php .php3

    AddIcon /icons/f.gif .for

    AddIcon /icons/dvi.gif .dvi

    AddIcon /icons/uuencoded.gif .uu

    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl

    AddIcon /icons/tex.gif .tex

    AddIcon /icons/bomb.gif core

    AddIcon /icons/back.gif ..

    AddIcon /icons/hand.right.gif README

    AddIcon /icons/folder.gif ^^DIRECTORY^^

    AddIcon /icons/blank.gif ^^BLANKICON^^ 

    DefaultIcon /icons/unknown.gif

    ReadmeName README

    HeaderName HEADER

    IndexIgnore .??* *~ *# HEADER* RCS CVS *,v *,t

</IfModule>

<IfModule mod_mime.c>

    AddEncoding x-compress Z

    AddEncoding x-gzip gz tgz

    AddLanguage da .dk

    AddLanguage nl .nl

    AddLanguage en .en

    AddLanguage et .ee

    AddLanguage fr .fr

    AddLanguage de .de

    AddLanguage el .el

    AddLanguage he .he

    AddCharset ISO-8859-8 .iso8859-8

    AddLanguage it .it

AddLanguage ja .ja

    AddCharset ISO-2022-JP .jis

    AddLanguage kr .kr

    AddCharset ISO-2022-KR .iso-kr

    AddLanguage no .no

    AddLanguage pl .po

    AddCharset ISO-8859-2 .iso-pl

    AddLanguage pt .pt

    AddLanguage pt-br .pt-br

    AddLanguage ltz .lu

    AddLanguage ca .ca 

    AddLanguage es .es 

    AddLanguage sv .se 

    AddLanguage cz .cz 

    AddLanguage ru .ru 

    AddLanguage zh-tw .tw

    AddLanguage tw .tw   

    AddCharset Big5         .Big5    .big5

    AddCharset WINDOWS-1251 .cp-1251

    AddCharset CP866        .cp866  

    AddCharset ISO-8859-5   .iso-ru 

    AddCharset KOI8-R       .koi8-r 

    AddCharset UCS-2        .ucs2   

    AddCharset UCS-4        .ucs4   

    AddCharset UTF-8        .utf8   

    <IfModule mod_negotiation.c>

        LanguagePriority en fr de es it da nl et el ja kr no pl pt pt-br ru ltz ca sv tw

    </IfModule>

    AddType application/x-tar .tgz

    AddType application/x-httpd-php .php .php3

    AddHandler cgi-script .cgi

    AddType text/html .shtml

    AddHandler server-parsed .shtml

    AddHandler imap-file map

</IfModule>

<Location /manual>

Options Multiviews

ErrorDocument 404 "The document you requested has not been installed on your system.

</Location>

SetEnvIfNoCase User-Agent "EmailWolf" bad_bot

SetEnvIfNoCase User-Agent "CherryPickerSE" bad_bot

SetEnvIfNoCase User-Agent "CherryPickerElite" bad_bot

SetEnvIfNoCase User-Agent "Crescent" bad_bot 

SetEnvIfNoCase User-Agent "EmailCollector" bad_bot

SetEnvIfNoCase User-Agent "EmailSiphon" bad_bot   

SetEnvIfNoCase User-Agent "MCspider" bad_bot      

SetEnvIfNoCase User-Agent "bew" bad_bot           

SetEnvIfNoCase User-Agent "Deweb" bad_bot         

SetEnvIfNoCase User-Agent "FEZhead" bad_bot       

SetEnvIfNoCase User-Agent "Fetcher" bad_bot       

SetEnvIfNoCase User-Agent "Getleft" bad_bot       

SetEnvIfNoCase User-Agent "GetURL" bad_bot        

SetEnvIfNoCase User-Agent "HTTrack" bad_bot       

SetEnvIfNoCase User-Agent "IBM_Planetwide" bad_bot

SetEnvIfNoCase User-Agent "KWebGet" bad_bot       

SetEnvIfNoCase User-Agent "Monster" bad_bot       

SetEnvIfNoCase User-Agent "Mirror" bad_bot        

SetEnvIfNoCase User-Agent "NetCarta" bad_bot      

SetEnvIfNoCase User-Agent "OpaL" bad_bot          

SetEnvIfNoCase User-Agent "PackRat" bad_bot       

SetEnvIfNoCase User-Agent "pavuk" bad_bot         

SetEnvIfNoCase User-Agent "PushSite" bad_bot      

SetEnvIfNoCase User-Agent "Rsync" bad_bot         

SetEnvIfNoCase User-Agent "Shai" bad_bot          

SetEnvIfNoCase User-Agent "Spegla" bad_bot        

SetEnvIfNoCase User-Agent "SpiderBot" bad_bot     

SetEnvIfNoCase User-Agent "SuperBot" bad_bot      

SetEnvIfNoCase User-Agent "tarspider" bad_bot     

SetEnvIfNoCase User-Agent "Templeton" bad_bot     

SetEnvIfNoCase User-Agent "WebCopy" bad_bot       

SetEnvIfNoCase User-Agent "WebFetcher" bad_bot    

SetEnvIfNoCase User-Agent "WebMiner" bad_bot      

SetEnvIfNoCase User-Agent "webvac" bad_bot        

SetEnvIfNoCase User-Agent "webwalk" bad_bot                                            

SetEnvIfNoCase User-Agent "w3mir" bad_bot         

SetEnvIfNoCase User-Agent "XGET" bad_bot          

SetEnvIfNoCase User-Agent "Wget" bad_bot     

SetEnvIfNoCase User-Agent "WebReaper" bad_bot

SetEnvIfNoCase User-Agent "WUMPUS" bad_bot   

SetEnvIfNoCase User-Agent "FAST-WebCrawler" bad_bot

SetEnvIf Request_URI "cmd\.exe" ATTACK

SetEnvIf Request_URI "root\.exe" ATTACK

SetEnvIf Request_URI "default\.ida" ATTACK

<Location />

    Order Allow,Deny

    Allow from all  

    Deny from env=bad_bot

    ErrorDocument 403 "  

</Location>

<Location /default*>

    Deny from all   

    ErrorDocument 403 "

</Location>

<Location /scripts/>

    Deny from all   

    ErrorDocument 403 "

</Location>

<Location /MSADC/>

    Deny from all 

    ErrorDocument 403 "

</Location>

<Location /c/>

    Deny from all

    ErrorDocument 403 "

</Location> 

<Location /d/>

    Deny from all

    ErrorDocument 403 "

</Location>            

                       

<Location /_mem_bin/>  

    Deny from all

    ErrorDocument 403 "

</Location>

<Location /_vti_bin/>

    Deny from all

    ErrorDocument 403 "

</Location>

<Location /msadc/>

    Deny from all 

    ErrorDocument 403 "

</Location>

<Location /alt/>

    Deny from all

    ErrorDocument 403 "

</Location>

<Location /std/>

    Deny from all

    ErrorDocument 403 "

</Location>

<IfModule mod_setenvif.c>

    BrowserMatch "Mozilla/2" nokeepalive

    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

    BrowserMatch "RealPlayer 4\.0" force-response-1.0

    BrowserMatch "Java/1\.0" force-response-1.0

    BrowserMatch "JDK/1\.0" force-response-1.0 

</IfModule>

<IfModule mod_status.c>

    <Location /server-status>

        SetHandler server-status

        Order deny,allow

        Deny from all   

        allow from 127.0.0.1

    </Location>

ExtendedStatus On

</IfModule>

<IfModule mod_info.c>

    <Location /server-info>

        SetHandler server-info

        Order deny,allow

        Deny from all   

        Allow from 127.0.0.1

    </Location>

</IfModule>

<IfModule mod_perl.c>

    <Location /perl-status>

        SetHandler perl-script

        PerlHandler Apache::Status

        Order deny,allow

        Deny from all   

        Allow from 127.0.0.1

    </Location>

</IfModule>

<IfModule mod_dav.c>

     DavLockDB /var/lock/mod_dav

</IfModule>

<IfModule mod_include.c>

</IfModule>

<Directory /web/obfuscated/web>

    Options Indexes FollowSymLinks MultiViews

    AllowOverride All

    Order allow,deny

    Allow from all  

</Directory>

<Directory /home/httpd/cgi-bin>

    AllowOverride All

    Options ExecCGI  

    Order allow,deny 

    Allow from all   

</Directory>

<IfModule mod_perl.c>

    <Directory /home/*/public_html/perl>

        SetHandler perl-script

        PerlHandler Apache::PerlRun

        Options -Indexes ExecCGI   

        PerlSendHeader On

    </Directory>

</IfModule>

<Directory /home/httpd/icons>

    Options -Indexes MultiViews

    AllowOverride None

    Order allow,deny  

    Allow from all    

</Directory>

<Directory /usr/share/doc>

    Options Indexes FollowSymLinks

    Order deny,allow

    Deny from all   

    Allow from 127.0.0.1

</Directory>

<Directory /web/obfuscated/first>

        Options -Indexes

        AllowOverride None

        Order Deny,Allow  

        Deny from All     

</Directory>

<Directory /web/obfuscated/second>

        Options -Indexes

        AllowOverride None

        Order Deny,Allow  

        Deny from All     

</Directory>

```

----------

## thecooptoo

have you got 

LoadModule access_module         modules/mod_access.so

in apache.conf?

Id try taking the allow Overrides line at the very top out  to see if it makes any difference

----------

## whit

 *thecooptoo wrote:*   

> have you got 
> 
> LoadModule access_module         modules/mod_access.so
> 
> in apache.conf?

 

Yup:

apache.conf:LoadModule access_module      modules/mod_access.so

 *Quote:*   

> Id try taking the allow Overrides line at the very top out  to see if it makes any difference

 

Well, if I don't allow overrides then I won't be able to override the general settings for the specific ones I want to block, will I? Besides, I have these same lines on another server - and Deny works there (and putting in the section from above here to block everything worked on the second server, but not on the one that's not taking Deny statements - and that version had it as AllowOverrides None).

----------

## thecooptoo

its a matter of trying to sort out where the problem is, not coming up with a definitive solution.

Id remove things until it works as expected and then add them back one at a time.

if http://127.0.0.1 doesnt work with nothing but a single directive with oder allow,deny and then order deny,allow

ive not idea where to start looking.

Must be a problem in the apache installation.

remove the old one , emerge a new one and start again?

----------

## whit

 *thecooptoo wrote:*   

> Id remove things until it works as expected and then add them back one at a time.
> 
> if http://127.0.0.1 doesnt work with nothing but a single directive with oder allow,deny and then order deny,allow
> 
> ive not idea where to start looking.
> ...

 

Look, I think we already know enough to rule out that it's a problem with the .conf files. AllowOveride None followed by Deny from All should do that, when it's the first thing in commonapache.conf. It doesn't. 

But emerging a new Apache didn't fix it either. Which suggests that the problem is in some external file that gets included when Apache is emerged, perhaps? Or could there be a flaw in how Apache builds on a dual-processor system (which the problem one is, and the almost identically configured non-problem one isn't)? 

Thanks for helping check out the .conf files. That's really quite useful. Hopefully, since I've submitted a bug report on this, someone on the Gentoo team who understands the program internals can suggest where this bug may really reside.

----------

## Janne Pikkarainen

According to Apache guide at http://httpd.apache.org/docs/mod/mod_access.html#order

```
The presence of an Order directive can affect access to a part of the server even in the absence of accompanying Allow and Deny  directives because of its effect on the default access state. For example,

    <Directory /www>

      Order Allow,Deny

    </Directory> 

will deny all access to the /www directory because the default access state will be set to deny.
```

... so if you make your entries even more simple to be like

```
<Directory /web/obfuscated/first>

Order Allow,Deny

</Directory>
```

... that doesn't help either? If that does not, try to setup Apache's loglevel higher and see where it decides to allow the request.

----------

## whit

 *Janne Pikkarainen wrote:*   

> According to Apache guide at http://httpd.apache.org/docs/mod/mod_access.html#order
> 
> 

 

That's all interesting, but doesn't explain why "Deny from All" would fail - and as I said earlier the order of the order statement isn't affecting that.

 *Quote:*   

> ... that doesn't help either? If that does not, try to setup Apache's loglevel higher and see where it decides to allow the request.

 

Good suggestion. I hadn't noticed when the LogLevel directive was added in 1.3.  :Smile: 

----------

## whit

 *Janne Pikkarainen wrote:*   

> try to setup Apache's loglevel higher and see where it decides to allow the request.

 

I set the LogLevel to debug, restarted Apache, and requested the file .httest from the root directory. This should have been denied by 

```
<Files ~ "^\.ht">

    Order allow,deny

    Deny from all   

</Files>
```

But all that made it to the logs from the request was:

123.123.123.124 - - [27/Oct/2003:10:07:53 -0500] "GET /.httest HTTP/1.1" 200 5 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030811"

Is there some additional trick to getting the debugging information at a level that would allow me to, as you say, "see where it decides to allow the request." Most daemons, if you set the debug level high, put the extra info in the normal logs. Yet there's nothing in any file in either /var/log/apache or /var/log except that one line showing the request - a request which should have been blocked by the Files rule (i.e., any filename starting with ".ht"), which works fine on other systems for me.

So is there some way to actually get debug info at the grain needed to see where this is failing here? Are there extra steps needed to set up a log to catch it? The Apache doc says "LogLevel adjusts the verbosity of the messages recorded in the error logs." There's nothing in the error logs at all from this request (and yes, the error logs are recording errors just fine, among them page requests which are blocked by Location rules). What's needed is a way to increase debugging info from a successful request - and I can't find that option if it exists.

----------

## Janne Pikkarainen

The debug info should go to /var/log/httpd/error_log, not /var/log/httpd/access_log.

----------

## whit

 *Janne Pikkarainen wrote:*   

> The debug info should go to /var/log/httpd/error_log, not /var/log/httpd/access_log.

 

Yes it should. And as I said there's nothing there at all reflecting my request for the file ".httest". The only thing logged there durring the session I made the request - with LogLevel set to debug - is the server startup messages. Even at "debug" it seems the error log logs only exceptional events (from the daemon's point of view) not what the daemon views as normal, successful page requests.

----------

