.env file exposed only when accessing via https and website IP address - apache

I can't wrap my head around why the .env is still exposed. The website has an HTTPS certificate. I have the .env file denied in the .htaccess file like so:
# Disable index view
Options -Indexes
# Hide a specific file
<Files .env>
Require all denied
</Files>
It is blocked properly (403 forbidden error) on these URLs:
https://example.com/.env
http://example.com/.env
http://###.IPaddress.###/.env
But it is still visible here, by ignoring the "not secure" warning:
https://###.IPaddress.###/.env
Likewise, there is still the Apache Testing 123 page being served as the homepage for the above URL (when not accessing the .env file). How can I block this file?

You probably have a default <VirtualHost *:443> that is catching the request (the first vHost that is defined in the server config is the "default"), and this probably doesn't allow .htaccess overrides (i.e. AllowOverride is not defined or is set to None), so the .htaccess file is not processed.
You need to ensure that the default vHost that is catching the request either blocks requests to the IP address entirely, or redirects to the canonical hostname.
See the following question on ServerFault for more detail on configuring this:
https://serverfault.com/questions/914649/htaccess-block-access-when-http-host-is-ip-security
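An added example, not code from the question or the answer above, of the server configuration the answer describes: a catch-all vHost that refuses (or redirects) anything not addressed to the canonical hostname, plus the real site's vHost with the dotfile protection moved into the server config so it no longer depends on AllowOverride. Hostnames, paths and certificate files are placeholders; the snakeoil certificate is assumed to exist only because Debian-family systems ship one.

```apache
# Added example, not from the question or the answer above. Hostnames, paths
# and certificate files are placeholders; adjust them to your layout.

# 1) Catch-all vHost. It must be the FIRST *:443 vHost Apache loads, because
#    the first vHost for an address:port is the one used when the Host header
#    or SNI name matches nothing else (a request by bare IP never matches
#    example.com). It serves an empty directory and denies everything.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    # Any certificate works here; browsers warn for an IP anyway. Do not reuse
    # the real site's key for a host that only exists to refuse requests.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
    # Alternative to denying: send everyone to the canonical name instead.
    # Redirect permanent "/" "https://example.com/"
</VirtualHost>

<VirtualHost *:80>
    ServerName catchall.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
</VirtualHost>

# 2) The real site. Only requests with Host: example.com (or www) get here.
#    The dotfile rules live in the server config, so they hold even if
#    AllowOverride is later tightened and .htaccess stops being read.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    DocumentRoot /var/www/example.com/public
    <Directory /var/www/example.com/public>
        Options -Indexes
        AllowOverride All
        Require all granted
        # <Files*> matches the last path component only, so this covers
        # .env, .htaccess and .htpasswd by name wherever they sit.
        <FilesMatch "^\.(env|ht)">
            Require all denied
        </FilesMatch>
    </Directory>
    # A .git checkout is a directory, so its files (config, HEAD, objects/...)
    # need a directory match rather than a file match.
    <DirectoryMatch "/\.git(/|$)">
        Require all denied
    </DirectoryMatch>
</VirtualHost>

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent "/" "https://example.com/"
</VirtualHost>
```

After `apachectl configtest` and a reload, verify from outside with curl (203.0.113.10 standing in for the server's address): `curl -k -sI https://203.0.113.10/.env` and `curl -sI http://203.0.113.10/.env` should both return 403 (or 301 if you chose the redirect variant), while `curl -sI --resolve example.com:443:203.0.113.10 https://example.com/` returns 200 and `.../.env` returns 403. The most robust fix is still to keep secrets such as .env outside DocumentRoot entirely, so no access rule has to be right for them to stay private.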

Related

Can a .htaccess file be hacked?

On a subdomain I want to use only a .htaccess file for redirects. No PHP, database or anything else will be used. Can a .htaccess file still be hacked? What should I do to protect it?
The apache2.conf file has the following lines by default, which prevent viewing of .htaccess files:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
It will not be visible under a standard Apache setup, which blocks all files starting with .ht from being served. So nobody will be able to view the contents or get at it through the Apache front-end. Take the usual precaution of having it be 644 permissions and not owned by the user that Apache runs as. No extra security is needed outside of protecting your server generally.
Check that the standard protection is in place, so it can't be viewed. Easiest way is just to try visiting it in a web browser. You should get a 403 forbidden.
If you're worried you could put the rules in the main server config instead. I wouldn't worry as long as the above is in place.
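An added example, not part of the answer above: the vHost for a redirect-only subdomain such as the one in the question, locked down so that .htaccess is permitted to do nothing but redirects. The hostname and paths are placeholders; the point is that AllowOverride is limited to the one category the redirects need instead of All.

```apache
# Added example, not part of the answers above: a redirect-only subdomain
# where .htaccess is allowed to do nothing except redirects. The hostname and
# path are placeholders.
<VirtualHost *:80>
    ServerName go.example.com
    DocumentRoot /var/www/go.example.com
    <Directory /var/www/go.example.com>
        # No listings, no includes, no CGI, no symlink following.
        Options None
        # FileInfo covers mod_alias (Redirect, RedirectMatch) and ErrorDocument.
        # It does NOT let .htaccess turn Options (Indexes, ExecCGI, Includes)
        # back on or change authentication/access control. It can still add
        # handlers, so keep mod_php/CGI off this vHost. mod_rewrite in
        # .htaccess would additionally need Options FollowSymLinks, which this
        # deliberately leaves off.
        AllowOverride FileInfo
        Require all granted
    </Directory>
    # Same protection the default apache2.conf gives; repeated here so the
    # vHost does not depend on the global file staying unchanged.
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
</VirtualHost>

# Contents of /var/www/go.example.com/.htaccess (root-owned, mode 644, not
# writable by the Apache user):
#   Redirect permanent "/promo" "https://www.example.com/landing"
#   RedirectMatch 301 "^/blog/(.*)$" "https://www.example.com/articles/$1"
```

With this scope, a .htaccess that an attacker manages to write (through a weak FTP account, say) can only add or change redirects; it cannot turn on directory listings, enable CGI or bypass any access control set in the server config.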

typing DirectoryIndex into .htaccess and it doesn't work?

This is so frustrating. My root directory is at home/websitename/websitename/ and my httpd.conf has nothing in it!
My .htaccess is in the same directory as the index.php is supposed to be and all I'm typing into .htaccess (and FTP identifies this as an HTACCESS file) is:
DirectoryIndex Home.php
The error message I get when trying to visit the site is a 403 forbidden to list the directories of "/"
The AllowOverride directive is set to All.
OK, actually I made a dumb mistake.
Basically all the things one needs to check in order for the .htaccess to work are these:
Create a .htaccess file in the main directory. Make sure the .htaccess file is made in a file editor for ASCII (Notepad++, Dev editor, NOT Microsoft Word).
Make sure AllowOverride is set to All in the Apache configuration for your website. It should be under <Directory>.
Make sure to restart Apache after making any changes to the Apache file!! Note that even though .htaccess does not require you to restart Apache, changing anything in the website configuration file requires you to restart Apache in order for it to function.
Lastly, your website should output a 500 Internal Apache Error if it is able to actually read the .htaccess file, NOT a 403: Access Forbidden or directory listing.

htaccess deny from all gets apache server test page

I have installed zpanel with CentOS 6.3.
Now here is the problem.
I have added the domain mydomain.com and I have added a blank index.php file.
I also added a .htaccess file with "deny from all".
Now when I open the page in the browser, I get the Apache 2 Test Page instead of 403 Forbidden.
But if I open http://mydomain.com/index.php, I get 403 Forbidden.
I tried to edit DirectoryIndex in the Apache config file, but there is no positive result. Can anyone help me?
Try to disable the default Apache CentOS welcome page:
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /error/noindex.html
</LocationMatch>
Edit the file /etc/httpd/conf.d/welcome.conf and comment out everything. Simply removing the welcome.conf file (or renaming it, as .conf.disabled for example) should do the trick too.
Then reload the Apache configuration (service httpd restart) and things should work as expected.
Same problem: when Apache was updated, the file welcome.conf was created.
I've renamed it to disable it, and now I get to see the Forbidden page for my Deny from all directives.

htaccess <Directory> deny from all

I've been cleaning up my project lately. I have a main .htaccess in the root directory and 6 others. 5 of them ran Options -Indexes, and since I didn't see any point in allowing any directory viewing I moved that to the main one. So now I only have 2 .htaccess files: the main one and one in /system, which holds
# Block External Access
deny from all
So I wanted to run that on /system only from within the main one. So I deleted the one in /system and added
# Block External Access
<Directory "/system/">
deny from all
</Directory>
to my main .htaccess file, leaving 1!
But now I get a
Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.
Please contact the server administrator, webmaster@localhost and
inform them of the time the error occurred, and anything you might
have done that may have caused the error.
More information about this error may be available in the server error
log.
Apache/2.2.17 (Ubuntu) Server at 10.0.1.5 Port 80
The goal is to block reading any files in /system and its subdirectories but allow viewing of everything else, all from one .htaccess file for the whole project. Any ideas on how I can fix this? I did some Google searches but couldn't really come up with anything.
You cannot use the Directory directive in .htaccess. However, if you create a .htaccess file in the /system directory and place the following in it, you will get the same result:
#place this in /system/.htaccess as you had before
deny from all
You can also use the RedirectMatch directive to deny access to a folder.
To deny access to a folder, you can use the following RedirectMatch in .htaccess:
RedirectMatch 403 ^/folder/?$
This will forbid external access to /folder/, e.g. http://example.com/folder/ will return a 403 Forbidden error.
To deny access to everything inside the folder, you can use this:
RedirectMatch 403 ^/folder/.*$
This will block access to the entire folder, e.g. http://example.com/folder/anyURI will return a 403 error response to the client.
You can use this from the root directory:
RewriteEngine On
RewriteRule ^(?:system)\b.* /403.html
Or:
RewriteRule ^(?:system)\b.* /403.php # with header('HTTP/1.0 403 Forbidden');
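An added example, not from any of the answers above, of a single root .htaccess that does what the question asks while answering with a real 403 status. It uses the /system directory name from the question and assumes the vHost grants at least AllowOverride FileInfo for the site root; the version caveat at the end is there because the error page in the question identifies Apache 2.2.17.

```apache
# Added example, not from the answers above: a root .htaccess that blocks
# /system and everything beneath it with a genuine 403 status. "system" is the
# directory from the question; the vHost is assumed to grant at least
# AllowOverride FileInfo for this directory.

# mod_alias: the regex is matched against the full URL-path. The optional
# group covers /system, /system/ and /system/anything, but not /systemic.
RedirectMatch 403 "^/system(/.*)?$"

# mod_rewrite alternative, commented out so only one mechanism is active.
# [F] answers 403 itself. Rewriting to /403.html (as in the answer above)
# serves that page with status 200, so clients and scanners see the path as
# existing; /403.php only sends 403 if the script sets the header itself.
# Per-directory RewriteRule also needs Options FollowSymLinks to be in effect.
# RewriteEngine On
# RewriteRule ^system(/|$) - [F,L]

# Access-control spelling differs between Apache versions; mixing the two
# styles in one file is not recommended:
#   Apache 2.2:  Order deny,allow  /  Deny from all
#   Apache 2.4:  Require all denied   (2.2 syntax needs mod_access_compat)
```

Check the result with `curl -sI http://10.0.1.5/system/config.php` (the address from the question's error page): the status line should be 403 and no file content should follow. A rewrite to a static 403.html would show 200 instead, which is exactly the difference the [F] flag or RedirectMatch 403 is there to avoid.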

PHP: How to code .htaccess to make it work both on localhost & online without editing

I have a .htaccess file and I am currently working on localhost. For a 404 page error, I have the following code in the .htaccess file:
ErrorDocument 404 /my_local_domain/404.php
But when I upload this file to my website online, the functionality of the file breaks. It no longer shows the 404.php page. It works if I modify the code in the .htaccess file of my online website to the following:
ErrorDocument 404 /404.php
Now, with all the changes I make to the .htaccess file, I would have to remember to remove the domain name before I upload it to the website, or I risk breaking the functionality. So with this in mind, here are my questions:
1. How do I solve the above problem without needing to edit the .htaccess file (by stripping off my_local_domain) each time I make a change and upload it online?
2. How do I setup 404 page redirection for all the nested folders? (I don't want to setup a .htaccess file for each of the folders. A single .htaccess file that resides in the root folder of the website & controls all the redirection for all the sub-folders would be awesome)
All help is appreciated.
Thank you.
I believe you have two different issues here.
First of all, you should not need to have different paths on the development and live sites. It appears that you've configured your local Apache to host only one site, and each actual site goes in a subdirectory. It's not a good idea: you'll soon be mixing cookies and sessions between all your dev sites. Have a look at the name-based virtual hosts feature: you can configure as many independent sites as you need. You don't even have to buy real domains if you set them in the hosts file.
Secondly, under certain circumstances it can be useful to have different Apache directives. I've been using the following trick.
Pick a keyword for the dev server, e.g. DEV_BOX.
Pass that keyword to Apache in the -D parameter. If you run it as service, you can run regedit and find the HKLM\SYSTEM\CurrentControlSet\Services\Apache2.2\Parameters key. Append -D DEV_BOX to the ConfigArgs value. Restart Apache.
Now, you can use the <IfDefine> directive to set local directives:
#
# Common stuff
#
AddDefaultCharset UTF-8
#
# Local-only stuff
#
<IfDefine DEV_BOX>
Options +Indexes
</IfDefine>
#
# Live-only stuff
#
<IfDefine !DEV_BOX>
Options -Indexes
</IfDefine>
First of all, I suggest you set up local domains for development. For example, if you are developing a website which will go under www.example.com, you can set up local.example.com in your HOSTS file. You'll do a VirtualHost setup in your Apache and the .htaccess will then be the same.
Also, you can set up a build process (e.g. via Ant) which will allow you to prepare and generate a zip file with the files which go on the live server. This build will feature the correct configuration files (db configs, mail servers, htaccess, etc.).
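An added example, not from either answer above, showing the name-based dev vHost both answers recommend, so that the one root-relative .htaccess from the question works unchanged on the dev box and the live server and also covers every subfolder. Hostnames and paths are placeholders.

```apache
# Added example, not from the answers above: a dev vHost so the same
# root-relative .htaccess works on both machines. Hostnames and paths are
# placeholders.
#
# 1) Dev machine hosts file (/etc/hosts, or
#    C:\Windows\System32\drivers\etc\hosts on Windows):
#      127.0.0.1   local.example.com
#
# 2) Dev vHost. DocumentRoot is the site root itself (not a parent folder
#    holding several sites), so "/" in .htaccess means the same thing as on
#    the live server, and cookies/sessions stay per-site.
<VirtualHost *:80>
    ServerName local.example.com
    DocumentRoot /home/me/sites/example.com/public
    <Directory /home/me/sites/example.com/public>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# 3) One .htaccess at the site root, byte-for-byte identical in dev and live:
#      ErrorDocument 404 /404.php
#    ErrorDocument is inherited by every subdirectory, so no per-folder
#    .htaccess is needed (a subfolder's own .htaccess can still override it).
#    Keep the path root-relative: an absolute URL (http://host/404.php) makes
#    Apache send a 302 redirect instead of a 404 response, which hides the
#    real status from clients and search engines.
```

Once the vHost is in place, `curl -sI http://local.example.com/does/not/exist` should return 404 with the body produced by /404.php, and the same request against the live hostname returns the same thing from the same .htaccess file.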