I'm running httpd on fedora server 35 and want to use it to serve files on my local network. It works fine for files stored under the /var/www/html directory directly (e.g. /var/www/html/videos/video.mp4 can be accessed with http://IP/videos/video.mp4 on any local device).
I want to serve files stored in other locations in the file system. My plan was to create symbolic links to those locations. When I do that, I run into forbidden errors when trying to access the files (e.g. A video file /files/videos/video.mp4 linked with a sym link /var/www/html/videos-link -> /files/videos/ so that I would (theoretically) access it with http://IP/videos-link/video.mp4
I can navigate to http://IP/videos-link fine (an Index of DIRECTORY page, but no files are listed), but trying to access the file (http://IP/videos-link/video.mp4) gives me 403 forbidden.
My config (/etc/httpd/conf/httpd.conf) looks like this (it's a bit messy since I've been trying to fix this myself):
<Directory />
Options FollowSymLinks Indexes
AllowOverride All
Require all granted
</Directory>
...
<Directory "/var/www">
Options +FollowSymLinks +Indexes
AllowOverride All
Require all granted
</Directory>
...
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
...
<Directory "/files/videos">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
In attempts to make it work I've made sure the sym link and all the directories have the same owner and that their all 777 so ownership/read perms shouldn't be an issue. Would greatly appreciate some help, thanks.
My issue was with SELinux. To get it working immediately I was able to set SELinux to permissive mode with
# setenforce 0
That refreshes on boot and is probably insecure, so the permanent fix (to just let httpd through) would be:
# semanage permissive -a httpd_t
More details on SELinux in Fedora can be found here: https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/
I want to set the AllowOverride all But I don't know how to do it. I have found the following code by searching the google and pasted it in .htaccess:
<Directory>
AllowOverride All
</Directory>
But after pasting it I started receiving "Internal Server Error"
Can anyone guide me where to put this code or how to do it?
In case you are on Ubuntu, edit the file /etc/apache2/apache2.conf (here we have an example of /var/www):
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
and change it to;
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
then,
sudo service apache2 restart
You may need to also do sudo a2enmod rewrite to enable module rewrite.
The main goal of AllowOverride is for the manager of main configuration files of apache (the one found in /etc/apache2/ mainly) to decide which part of the configuration may be dynamically altered on a per-path basis by applications.
If you are not the administrator of the server, you depend on the AllowOverride Level that theses admins allows for you. So that they can prevent you to alter some important security settings;
If you are the master apache configuration manager you should always use AllowOverride None and transfer all google_based example you find, based on .htaccess files to Directory sections on the main configuration files. As a .htaccess content for a .htaccess file in /my/path/to/a/directory is the same as a <Directory /my/path/to/a/directory> instruction, except that the .htaccess dynamic per-HTTP-request configuration alteration is something slowing down your web server. Always prefer a static configuration without .htaccess checks (and you will also avoid security attacks by .htaccess alterations).
By the way in your example you use <Directory> and this will always be wrong, Directory instructions are always containing a path, like <Directory /> or <Directory C:> or <Directory /my/path/to/a/directory>. And of course this cannot be put in a .htaccess as a .htaccess is like a Directory instruction but in a file present in this directory. Of course you cannot alter AllowOverride in a .htaccess as this instruction is managing the security level of .htaccess files.
Goto your_severpath/apache_ver/conf/
Open the file httpd.conf in Notepad.
Find this line:
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
Remove the hash symbol:
LoadModule vhost_alias_module modules/mod_vhost_alias.so
Then goto <Directory />
and change to:
<Directory />
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Then restart your local server.
On Linux, in order to relax access to the document root, you should edit the following file:
/etc/httpd/conf/httpd.conf
And depending on what directory level you want to relax access to, you have to change the directive
AllowOverride None
to
AllowOverride All
So, assuming you want to allow access to files on the /var/www/html directory, you should change the following lines from:
<Directory "/var/www/html">
AllowOverride None
</Directory>
to
<Directory "/var/www/html">
AllowOverride All
</Directory>
If you are using Linux you may edit the code in the directory of
/etc/httpd/conf/httpd.conf
now, here find the code line kinda like
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
Change the AllowOveride None to AllowOveride All
Now now you can set any kind of rule in your .httacess file inside your directories
if any other operating system just try to find the file of httpd.conf and edit it.
As other users explained here about the usage of allowoveride directive, which is used to give permission to .htaccess usage. one thing I want to point out that never use allowoverride all if other users have access to write .htaccess instead use allowoveride as to permit certain modules.
Such as AllowOverride AuthConfig mod_rewrite Instead of
AllowOverride All
Because module like mod_mime can render your server side files as plain text.
enter code hereif you are using linux you have to edit the
`/etc/apache2/sites-available/000-default.conf`
under the Documentroot . add the following code
`<Directory /var/www/>
AllowOverride all
Require all granted
</Directory>`
then ,
`sudo service apache2 restart`
and you have to enable the apache mod rewrite
`sudo a2enmod rewrite`
I think you want to set it in your httpd.conf file instead of the .htaccess file.
I am not sure what OS you use, but this link for Ubuntu might give you some pointers on what to do.
https://help.ubuntu.com/community/EnablingUseOfApacheHtaccessFiles
I also meet this problem, and I found the solution as 2 step below:
1. In sites-enabled folder of apache2, you edit in Directory element by set "AllowOverride all" (should be "all" not "none")
2. In kohana project in www folder, rename "example.htaccess" to ".htaccess"
I did it on ubuntu. Hope that it will help you.
There are several answers but there a number of things wrong with this question and I would like to address these:
If you get an error (e.g. 500), look in the log files (if you have access to them). e.g. /var/log/apache2/ssl_error.log
e.g.
cat /var/log/apache2/ssl_error.log
[Tue Jun 01 19:05:34 2021] [alert] [pid 31154] config.c(2119):
[client *******] /var/www/mysite/public/tmp/.htaccess:
<Directory not allowed here [lid YLZo3quRlv2EKOAABVoFLwAAAIM]
Putting AllowOverrides in a .htaccess makes no sense and is not allowed. See Context. See also my explanation below. It should be defined in the Apache configuration (e.g. /etc/apache2)
Allowing everything is usually not the best idea. Be as restrictive as possible!
the Directory directive is missing a directory, should be e.g. <Directory /var/www/html/etc>
the Directory directive does not make sense in an .htaccess. The location of the .htaccess in a directory already has the effect of making the statements within apply to a specific directory
do not mix and match snippets that are intended to be put in the Apache configuration (e.g. in /etc/apache2/...) with statements that are intended to be put in .htaccess - though most of the time, they will be identical, there are some subtle differences
If you have the possibility to modify the Apache configuration directly, do not use .htaccess and deactivate it. (for performance reasons, among others. Also you can have all configuration in one place, put it in version control or manage it via a software configuration management tool, e.g. Puppet, Ansible, SaltStack)
Unless you really cannot access and modify the Apache configuration directly, you do not need .htaccess. This is a common misconception.
That you saw a 500 error proves my point. If you change configuration in the Apache configuration directly (and not in .htaccess), you will usually get an error message with an explanation and information about the error and the line number (e.g. when you do service apache2 reload or apachectl configtest) - which gives you the possibility to fix the error before applying this in production(!).
Also, look in the documentation. It is really quite good. For most directives, you can find where they apply (see "Context").
For example, for IfModule, you can see:
Context: server config, virtual host, directory, .htaccess
For, AllowOverrides it is:
Context: directory
Note the missing .htaccess in the Context!
Instead of googling for information which repeat the same mistakes over and over, look in the documentation!
Docs
AllowOverrides
https://www.danielmorell.com/guides/htaccess-seo/basics/dont-use-htaccess-unless-you-must
SuSE Linux Enterprise Server
Make sure you are editing the right file
https://www.suse.com/documentation/sles11/book_sle_admin/data/sec_apache2_configuration.html
httpd.conf
The main Apache server configuration file. Avoid changing this file. It primarily contains include statements and global settings. Overwrite global settings in the pertinent configuration files listed here. Change host-specific settings (such as document root) in your virtual host configuration.
In such case vhosts.d/*.conf must be edited
Plus those upvoted correct answers sometimes same error could be seen because of mismatched and different settings on SSL part of webserver configurations. (Obviously when not using .htaccess file).
I'm using Apache in my web server which resides in a public IP. I wan to be able to limit access of this whole site to the local network except for one file.
For example:
<Directory "/var/www/mysite">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order Deny,Allow
Deny from all
Allow from 192.168.1.1/24
</Directory>
would limit access to my website only to the people in that IP range. However, the file myfile.html also resides in that directory, and I want it to be visible publicly. Maybe:
<File "/var/www/mysite/myfile.html">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</File>
So my questions are: Does the <File> tag go inside the <Directory> tag or somewhere else? Will myfile.html be visible publicly even though it resides in a Directory that is only visible to a range of IPs? Do the configurations above look right? (I'm an apache noob) Is there a better way to this (maybe the firewall)?
Your input is appreciated.
I have been struggling with this problem for some time now. Let me break it down:
We have an apache2 server which hosts most of our company's websites. Each website is a separate vhost. One of this vhosts is used by our internal UI Designer to present his latest drafts and projects to both internal users and 3rd party clients. At the moment, this VHost is password protected from the Vhost configuration file using this directive:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
Allow from all
AuthUserFile /home/secure/passwords
AuthName "Username and password required"
AuthType Basic
Require valid-user
</Directory>
What I need is to make this website available (so NO password prompt) to our internal users meaning a specific IP range. I have tried to use the Allow from 192.168.xxx.xxx option in the above instruction set. However this is not letting the internal IP through (still asking for a password). So I tried to use our company's external IP address (which you can find on any "what's my IP website"). No luck with that either.
So for my last attempt, I have created a second vhost which obviously uses a different ServerName. Also, in order not to have any conflicts in the configuration file, I have created a symlink to /var/www and called it www2. Therefore, the Directory directive in the second vhost file looks like this:
<Directory /var/www2/>
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
Allow from all
</Directory>
However the configuration files are clearly conflicting because with the current configuration I get password protection on both hosts. If I disable this in the first Vhost, I lose it on both.
There is no .htaccess file in any of the directories, so there is nothing there to overwrite the configuration. The apache2.conf file has nothing defined related to Auth.
I'm not sure if you require more details, but feel free to ask me anything.
I appreciate the help!
----edit----
I just want to specify that I can't say 100% that my method of doing it is the correct one. Maybe setting up 2 VHosts isn't the solution to my problem. If anyone thinks of a better way of doing it, I'm open to suggestions. Bottom line is that I need one website to be available to internal users and password protected for anyone else.
Cheers!
have you tried to solve this using Satisfy Directive of Apache?
For example:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
Allow from all
AuthUserFile /home/secure/passwords
AuthName "Username and password required"
AuthType Basic
Require valid-user
Allow from 192.168.1
Satisfy Any
</Directory>
More information can be found here
I've been trying to use a <limit> tag to disable PUT and DELETE calls from being executed through our Apache server and have been unsuccessful.
Apache Version: 2.2
I am currently adding something like this to the inside of my httpd.conf file:
<Directory />
Options none
AllowOverride none
Order deny,allow
Deny from all
<Limit PUT DELETE TRACE>
Order deny,allow
Deny from all
</Limit>
</Directory>
But I have been unable to get a successful restart on Apache while this line is in the file. Now, I know very little about Apache and I've been trying to follow along in some of the Apache docs I've found but have been unsuccessful.
With none of my changes this section of the httpd.conf looks like this:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
Any help would be appreciated.
http://wiki.linuxquestions.org/wiki/Securing_Apache#Disabling_PUT_and_DELETE
<Directory /usr/apache/www/myserver.com/htdocs>
...bunch of useful stuff
<Limit PUT DELETE>
Require user terribleUnguessableUsername235452309875wesaef
</Limit>
</Directory>
According to Apache docs found at a hyperlink I do not have enough rep to include, you cannot restrict TRACE using a Limit directive.
If you can't restart Apache, there will be a line in the error log telling you what the problem is.
That said, I think a limit is not allowed inside a directory, but I'm not sure.
Note that TRACE can't be limited.
Trace can be limited in server.xml by adding allowTrace = false in connector tag.