I'm trying to use the .htaccess file on my Apache server.
Here is what my .htaccess looks like
# 1 YEAR
<FilesMatch "\.(ico|svg|woff|eot|ttf)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# 1 WEEK
<FilesMatch "\.(jpg|png|gif|css|js)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
# Add correct content-type for fonts
AddType application/vnd.ms-fontobject .eot
AddType font/ttf .ttf
AddType font/otf .otf
AddType font/x-woff .woff
AddType image/svg+xml .svg
# Compress compressible fonts
AddOutputFilterByType DEFLATE font/ttf font/otf image/svg+xml
I enabled mod_rewrite using a2enmod rewrite
The tutorials I followed told me to edit the file in /etc/apache2/sites-available/default but there isn't a file by the name default in that folder. There was a 000-default.conf instead in the same path. But that file didn't have the part
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
which I'm supposed to edit.
This is the contents of 000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster#localhost
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
However /etc/apache2/apache2.conf had the exact same part. So I replaced AllowOverride None over there to AllowOverride All. I restarted the server after that.
However the .htaccess file is still not being loaded. If I add gibberish to the .htaccess file everything still works fine meaning it didn't get loaded.
What did I miss here?
First of all, the name of the file doesn't really matters. 000-default.conf, while not really common seems good to me.
Modify your site configuration
There are 2 major things you have to consider when serving .htaccess files :
AccessFileName .htaccess
AllowOverride All
As said in the apache2 doc, you must declare AllowOverride in a Directory section. That's why it didn't work when setting it in main config file.
I'd advise you to just paste those 4 lines in /etc/apache2/000-default.conf inside the Virtualhost section and it should work:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
(assuming your root directory is /var/www)
You don't have to set AccessFileName as default is .htaccess.
If it doesn't work and you have more than 1 file in /etc/apache2/sites-available
Apache might use another config thant 000-default.conf. Just check which of those are symlinked to /etc/apache2/sites-enabled. If there's still more than 1, you might want to disable every other enabled site just to be sure.
If it still doesn't work, just check file ownership & permissions.
The isssue was that I was placing the .htaccess file in /var/www/ while my DocumentRoot for my website was pointing to a different directory. Moving the .htaccess file to that folder solved the issue.
Related
I am using Ubuntu 14.04 and apache 2.
Here is my phpinfo file: https://www.vivashost.com/phpinfo.php
Here is my .htacess file:
Options +FollowSymLinks
RewriteEngine On
RewriteRule ^feature-pricing-tables.html$ feature.html
Here is my /etc/apache2/sistes-available/000-default.conf file:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ServerName vivashost.com
Redirect "/" https://www.vivashost.com/
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
But when i try to open https://www.vivashost.com/feature.html it is giving me 404 error.
I am trying to make a rewrite rule that when you open feature.html apache2 must load the content from feature-pricing-tables.html file.
Where is my mistake, can you please help me out fix this thing ?
Thanks in advance!
This is a very common mistake that is made: You've declared the rule backwards.
Currently, your rule says that if I access feature-pricing-tables.html, then load up the content of feature.html.
Use this instead:
RewriteRule ^feature.html$ feature-pricing-tables.html [L]
Also, the L flag is necessary here - in case you add any other rules, you want to stop processing if there's a match for this rule.
I have setup Review Board and it works fine when accessed from localhost.
When I try to access it by ip (from LAN), I get BAD REQUEST.
I have copied apache-wsgi.conf to my apache conf directory.
apache-wsgi.conf
<VirtualHost *:8088>
ServerName localhost
DocumentRoot "/var/www/reviews.als.kz/htdocs"
# Error handlers
ErrorDocument 500 /errordocs/500.html
WSGIPassAuthorization On
WSGIScriptAlias "/reviews" "/var/www/reviews.als.kz/htdocs/reviewboard.wsgi/reviews"
<Directory "/var/www/reviews.als.kz/htdocs">
AllowOverride All
Options -Indexes +FollowSymLinks
Require all granted
</Directory>
# Prevent the server from processing or allowing the rendering of
# certain file types.
<Location "/reviews/media/uploaded">
SetHandler None
Options None
AddType text/plain .html .htm .shtml .php .php3 .php4 .php5 .phps .asp
AddType text/plain .pl .py .fcgi .cgi .phtml .phtm .pht .jsp .sh .rb
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
</Location>
# Alias static media requests to filesystem
Alias /reviews/media "/var/www/reviews.als.kz/htdocs/media"
Alias /reviews/static "/var/www/reviews.als.kz/htdocs/static"
Alias /reviews/errordocs "/var/www/reviews.als.kz/htdocs/errordocs"
Alias /reviews/favicon.ico "/var/www/reviews.als.kz/htdocs/static/rb/images/favicon.png"
I have installed reviewboard into /var/www/reviews.als.kz directory.
Chown-ed it to apache:apache.
I run it on Fedora 21.
Review Board version 2.0.12
Apache httpd version 2.4.10
Thanks
The problem had been with python settings.
Added my ip address to ALLOWED_HOSTS within settings_local.py file and everything worked.
Thanks
I had the same problem. When you configure your reviewboard, you have to give it a site name . Some thing like "reviewboard.mycompany.com". It doesn't have to be a registered name just make up something.
Then when you try to access the reviewboard main page, use the site name (reviewboard.mycompany.com) as the URL. You'll of course need to add the made-up hostname to to your /etc/hosts so your machine can resolve the address.
Create a host entry / DNS entry with the site name. like
reivews.mycompany.com x.x.x.x
It's worked for me.
I had the same problem.
Fixed it by adding this line to my httpd.conf :
HttpProtocolOptions unsafe
I have a directory where users can upload files.
To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.
Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().
What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:
SetHandler default-handler
However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?
Apache configuration
The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5, and creating the the file /etc/apache2/sites-enabled/mysite.com with the following contents:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName mysite.com
ServerAlias www.mysite.com
DocumentRoot /home/me/www/mysite.com/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/me/www/mysite.com/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Put this in your .htaccess:
<Files *>
# #mivk mentionned in the comments that this may break
# directory indexes generated by Options +Indexes.
SetHandler default-handler
</Files>
But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!
If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com
<Directory /home/me/www/upload/>
# Important for security, prevents someone from
# uploading a malicious .htaccess
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
<Files *>
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
</Directory>
If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:
/home/me/www/
|- myuploadscript.php
|- protected/
|- .htaccess
|- upload/
|- Uploaded files go here
That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.
AFAICT, you should be pretty safe with that.
My Godaddy setup wont allow me to edit the httpd.conf files, and the php_flag command doesn't work due to how they've implemented php for me.
I was able to use this in my .htaccess file:
SetHandler default-handler
AddType text/plain php
I put this in the directory above where my FTP user is allowed to access, which forces all PHP files in that directory, as well as all sub-directories to show php as plain text.
This will work for other file types as well. All you need to do is add another line with whatever extension of file you want to be forced to display in plain text. AddType text/plain cgi for example
Until recently, an internal Bugzilla install was working fine. Now, all requests to pages inside the http://example.com/bugzilla directory return 403/Forbidden. Pages outside that directory, for instance at http://example.com/test.html or http://example.com/test/index.html work as expected. This is the .htaccess file for the bugzilla directory, which is unchanged from the original:
# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
deny from all
</FilesMatch>
<IfModule mod_expires.c>
<IfModule mod_headers.c>
<IfModule mod_env.c>
<FilesMatch (\.js|\.css)$>
ExpiresActive On
# According to RFC 2616, "1 year in the future" means "never expire".
# We change the name of the file's URL whenever its modification date
# changes, so browsers can cache any individual JS or CSS URL forever.
# However, since all JS and CSS URLs involve a ? in them (for the changing
# name) we have to explicitly set an Expires header or browsers won't
# *ever* cache them.
ExpiresDefault "now plus 1 years"
Header append Cache-Control "public"
</FilesMatch>
# This lets Bugzilla know that we are properly sending Cache-Control
# and Expires headers for CSS and JS files.
SetEnv BZ_CACHE_CONTROL 1
</IfModule>
</IfModule>
</IfModule>
AddHandler cgi-script .cgi .pl
DirectoryIndex index.cgi
This is the .htaccess file for the directory above the bugzilla directory. This is the public_html web root:
DirectoryIndex index.html
This is the Apache configuration file for the site:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/default/public_html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/default/public_html>
DirectoryIndex index.cgi
AllowOverride Limit FileInfo Indexes
AddHandler cgi-script .cgi
Options Indexes FollowSymLinks MultiViews +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
Note that even non-Bugzilla static HTML files in that directory are affected. For instance, I create /bugzilla/test.html in VIM, then I try to access it in the browser and see that it is also returning 403/Forbidden. All files, both in and outside that directory, have the same user ubuntu and the same permissions 644. The bugzilla directory itself has permissions 755, as does its parent public_html.
No 'control panels' such as Plesk are installed on the server, all configuration is done in Apache config files. Why might Apache have decided that I may not be authorized to view the bugzilla directory? This is on a public webserver hosted in Amazon Web Services, on Ubuntu Server 12.04 LTS.
Check the error_log file, it usually has very detailed information about why it returns a 403 Forbidden.
(It looks like a debian server? If you post questions like this, always mention the OS.)
I suspect it to be a rights issue - wrong owner. For debian/ubuntu, the given folder and its files should be owned by user "www-data". For Centos/Redhat I believe it should be "nobody". Check it, change it if necessary.
sudo chown -R www-data:www-data test
NB: If you're unsure about changing rights, make a copy first. Change the owner of the copy, as copying in itself probably changes the owner. Or use rsync to make a copy of the folder, as rsync preserves owner and rights.
There is a number of similar questions, but none of them help.
I have the following rule in my .htaccess
RewriteRule ^images/.*$ - [F]
so for folders like /images/goods/ or /images/nonexistentfile.jpg I get 'Forbidden' which is what I want. The problem is if an existent file is requested, my rules are ignored and the file is served. In fact if I make a deliberate mistake in .htaccess I don't get an Internal Server Error as I would when requesting folders or non-existent files. What should I look for?
apache2.conf
<VirtualHost 1.2.3.4:8080>
ServerName domain.com
DocumentRoot /var/www/s3/data/www/domain.com
SuexecUserGroup s3 s3
CustomLog /var/www/httpd-logs/domain.com.access.log combin$
ErrorLog /var/www/httpd-logs/domain.com.error.log
ServerAlias www.domain.com
ServerAdmin example#domain.com
AddDefaultCharset utf-8
php_admin_value open_basedir "/var/www/s3/data:.:/tmp"
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f example#domain.com
php_admin_value upload_tmp_dir "/var/www/s3/data/mod-tmp"
php_admin_value session.save_path "/var/www/s3/data/mod-tmp"
AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
AddType application/x-httpd-php-source .phps
</VirtualHost>
anything else I should post here?
I had a similar issue.
I put the following .htaccess in to the images folder to forbid access to jpg files (in my case)
IndexIgnore */*
<Files ~ ".*\.jpg$">
Order deny,allow
Deny from all
</Files>
It looks like you're htaccess file isn't being applied. Try adding an AllowOverride directive in your vhost config:
<Directory "/var/www/s3/data/www/domain.com/">
AllowOverride All
</Directory>
By default, AllowOverride should be set to All, but it's possible your host set it to something else at the server config level.
in case someone has the same problem, it is painfully trivial. The default ISPManager installation puts nginx in front of Apache for static files...