Breaking .htaccess rule - apache

Is there any way to defy .htaccess? I mean, to break the rule written in the .htaccess file.
I have a directory, and I don't want others to browse it. So I created a .htaccess file and wrote this:
Deny from all
Is there any way people can break it?

Nope, this is radical. Nobody can access it. It is safe and commonly used. The deny is made server side, so nobody can try to bypass it.

.htaccess files are as secure as Apache allows them to be.
See for example, assuming your .htaccess file is located in /var/www/foo:
<Directory />
Allow From All
# allow .htaccess files globally
AllowOverride All
</Directory>
<VirtualHost *:80>
ServerName www.foo.com
# impossible to access, thanks to .htaccess
DocumentRoot /var/www/foo
</VirtualHost>
<VirtualHost *:80>
ServerName www.bar.com
# same directory as above
DocumentRoot /var/www/foo
<Directory /var/www/foo>
# woops .htaccess will not be read, files can be accessed from this vhost
AllowOverride None
</Directory>
</VirtualHost>
Therefore there is no guarantee ever that your files are securely protected, as long as you don't know (and don't understand) how your Apache installation is configured.
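An added example (not part of the original answer, and not Apache's own code): a small Python check that reads a configuration like the one above and reports which virtual hosts can serve a directory while ignoring its .htaccess. The function names are hypothetical, the parser is simplified (no Include, wildcard or regex sections), and treating a directory with no matching section as AllowOverride None is an assumption that matches the Apache 2.4 default.

```python
import re

SAMPLE = """
<Directory />
  AllowOverride All
</Directory>
<VirtualHost *:80>
  ServerName www.foo.com
  DocumentRoot /var/www/foo
</VirtualHost>
<VirtualHost *:80>
  ServerName www.bar.com
  DocumentRoot /var/www/foo
  <Directory /var/www/foo>
    AllowOverride None
  </Directory>
</VirtualHost>
"""  # constructed sample: the answer's configuration with its comments removed

def parse(conf):
    """Return (global_dirs, vhosts); dirs map a <Directory> path to its AllowOverride."""
    global_dirs, vhosts, vhost, cur_dir = {}, [], None, None
    for line in map(str.strip, conf.splitlines()):
        tag = re.match(r"<(/?)(\w+)\s*(.*?)>$", line)
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip().strip('"')
        if tag and tag.group(2).lower() == "virtualhost":
            vhost = None if tag.group(1) else {"servername": "?", "documentroot": "<unset>", "dirs": {}}
            vhosts += [vhost] if vhost else []
        elif tag and tag.group(2).lower() == "directory":
            cur_dir = None if tag.group(1) else tag.group(3).strip('"').rstrip("/") or "/"
        elif key == "allowoverride" and cur_dir:
            (vhost["dirs"] if vhost else global_dirs)[cur_dir] = val
        elif vhost and key in ("servername", "documentroot"):
            vhost[key] = val
    return global_dirs, vhosts

def under(path, base):
    return path == base or path.startswith(base.rstrip("/") + "/")

def effective_override(path, global_dirs, vhost_dirs, default="None"):  # default is an assumption (2.4)
    merged = {**global_dirs, **vhost_dirs}  # for the same path the vhost section wins
    hits = [merged[s] for s in sorted(merged, key=len) if under(path, s)]  # shortest path first
    return hits[-1] if hits else default

def unprotected_vhosts(conf, protected_dir, default="None"):
    """Names of vhosts that serve protected_dir while ignoring its .htaccess."""
    global_dirs, vhosts = parse(conf)
    return [v["servername"] for v in vhosts if under(protected_dir, v["documentroot"])
            and effective_override(protected_dir, global_dirs, v["dirs"], default).lower() == "none"]
```

Calling unprotected_vhosts(SAMPLE, "/var/www/foo") returns only www.bar.com, the virtual host whose own Directory section switches .htaccess processing off.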

Related

Apache AliasMatch shows content of directory?

What I'm trying to achieve is quite simple. I want Apache to use the content of /home/user/www/bar/public when users go to www.example.com/foo/bar. The bar part may change and I want Apache to be able to change the directory in consequence.
I tried to do this. And it works but it won't load my index.php file and actually shows the content of the directory...
<VirtualHost *:80>
ServerName example.com
AliasMatch ^/foo/(.*)$ /home/user/www/$1/public
<Directory /home/user/www/$1/public>
AllowOverride all
</Directory>
</VirtualHost>
There isn't any .htaccess file and it doesn't need one because I managed to make it work with a subdomain:
<VirtualHost *:80>
ServerName test.example.com
DocumentRoot /home/user/www/test/public
<Directory /home/user/www/test/public>
AllowOverride all
</Directory>
</VirtualHost>
I'm really stuck and any help would be great! Thank you.
You can't reuse the "$1" in the <Directory> section because that's local to the AliasMatch.
You can simply use a wildcard if you are okay with applying the contents to every public dir under every subdir of /home/user/www

virtualhost not using htaccess on fedora 19

I've recently switched over to a Fedora 19 cloud server service and got most things squared away except for htaccess. Am I doing this wrong or missing something?
This is what I have updated in my httpd.conf file:
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
And here is my VirtualHost telling it what folder structure and which file to use for htaccess:
<VirtualHost *:80>
DocumentRoot /var/www/vhosts/domain.com/httpdocs
ServerName www.domain.com
ServerAlias www.domain.com
<Directory /var/www/vhosts/domain.com/vhosts/>
AllowOverride All
Order allow,deny
allow from all
</Directory>
AccessFileName .htaccess
</VirtualHost>
I've thrown random junk into my htaccess and I do not get a 500 error so I know it's not getting read.
Your document root is:
/var/www/vhosts/domain.com/httpdocs
And your <Directory> container is for:
/var/www/vhosts/domain.com/vhosts/
Are those supposed to be different? If your htaccess file is in the httpdocs directory, then that directory doesn't have the AllowOverride All associated with it. If your htaccess file is in the vhosts directory, then it's not being accessed when you go to your website.

Apache directory listing

I am unable to stop Apache from creating directory listings when using the server IP address. I have tried editing the relevant sites-available files as follows:
<VirtualHost *:80>
JkMount /* default
ServerName example.co.uk
ServerAlias www.example.co.uk
ServerAdmin me@example.co.uk
DocumentRoot /var/www/example.co.uk/public_html
ErrorLog /var/www/example.co.uk/logs/error.log
CustomLog /var/www/example.co.uk/logs/access.log combined
<Directory /var/www/example.co.uk/public_html>
Options -Indexes
</Directory>
</VirtualHost>
...but the public_html folder contents are being listed if I access the server using a URL of this format:
http://192.168.1.99/example.co.uk/public_html
I have also tried to amend the Apache config file at /etc/apache2/apache.conf to include the following:
<Directory />
Options -Indexes
</Directory>
..but no joy.
I am using Tomcat, and I need my WEB-INF folder to deny access. It doesn't, and so any .class files can be downloaded.
Does anyone know how I can fix this?
thanks
This sounds a little weird. Do you have an Apache HTTPD in front of an Apache Tomcat Server?
In this case the Apache HTTPD must not point to a directory where the Apache Tomcat files reside! The communication between both can be seen more as a proxy rather than a plugin.
We have some good experience using mod_proxy_ajp for this purpose. But if you are able to download .class files and (panic mode on) the web.xml (panic mode off) something is terribly wrong.
This means that it will not reach your VirtualHost settings, but default virtual host settings.
You have 2 options (at least):
1. Put a .htaccess file in the directory for which you want to restrict listing
2. Set up your IP-based virtual host with similar settings as your name-based vhosts
You said that you put
<Directory />
Options -Indexes
</Directory>
You should have Location instead of Directory there
What if you add /* to the end?
<Directory /var/www/example.co.uk/public_html/*>
Options -Indexes
</Directory>
Update:
Or try to add the entry outside the VirtualHost directive.

Trying to forward domain.com/abcd to some different local subfolder

In the Apache server installation I have a .conf file which forwards all requests from www.domain.com to c:\www\domain. Now, I'm trying to forward www.domain.com/abcd to a different subfolder locally (say c:\www\abcd). I tried adding another .conf which looked like this.
<VirtualHost *:80>
ServerName www.domain.com/abcd
DocumentRoot "c:/www/abcd"
ErrorDocument 404 /404.php
ErrorLog "C:/logs/error.log"
CustomLog "d:/logs/access.log" common
<Directory "c:/www/abcd">
RewriteEngine on
AllowOverride All
</Directory>
<Location />
Order deny,allow
Deny from all
Allow from all
</Location>
</VirtualHost>
This doesn't work as intended. When I go to www.domain.com/abcd, I guess it's trying to access c:\www\domain\abcd and showing a not found error. Is there any way to solve this issue without making DNS entries and without making changes to your local hosts file?
One possible solution would be to make a symbolic link
mklink /D C:\www\domain\abcd C:\www\abcd

Modify htaccess file for two sites

My web host points my "main" domain name to the root www folder. The web files for that site are located in the "www/app/webroot" folder. I currently have the site up and running using the following in the htaccess file:
RewriteBase /
RewriteEngine on
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
I'm trying to start a dev site for the same site. I made a folder named "dev" in the www folder. So, the web files for this folder are in: "www/dev/app/webroot" I have a sub-domain pointing to the dev folder. When I use the same htaccess as above in the dev folder, it doesn't work because (I believe) it is inheriting the settings from the root www folder. When the page loads, it just comes up blank. How do I set up my htaccess files to allow for both sites?
Thanks in advance for any help! I'm obviously a novice at this stuff.
So we'll try to clean the things :-)
Avoid using .htaccess. All the settings in a .htaccess in a directory /foo/bar can be set in the Apache configuration as a Directory setting (.htaccess is useful if you provide limited access to the Apache conf; if you own the server, don't use it).
<Directory /foo/bar>(...)</Directory>
Then you can access your sites with name-based virtualhosts. Verify you have this option:
NameVirtualHost *:80
When you have it nice things can start.
This will be your virtualhost for your 1st app:
<VirtualHost *:80>
ServerName app
ServerAlias www.app.somwhere.com
ServerAlias app.somwhere.com
DocumentRoot /www/app/webroot
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /www/app/webroot>
Options Indexes FollowSymLinks
# this prevents .htaccess reading, remove if you want .htaccess
AllowOverride None
# allow web access
Order allow,deny
allow from all
</Directory>
</VirtualHost>
Most Apache settings can be defined here. Only for your 1st app. Apache will serve this configuration for all requests done for the site name 'app', or 'www.app.somwhere.com', or 'app.somwhere.com'. You can define a lot of aliases (ServerAlias), and only one name (ServerName).
Then if you go in your browser and type http://app/ your browser won't find the server, so set it in your /etc/hosts. This is what everyone wanting to access your app should have in the hosts file until you get a real DNS (assuming your 1st app is app.somwhere.com and the second foo.somwhere.com and 92.128.52.226 is your external IP):
127.0.0.1 app.somwhere.com app foo foo.somewhere.com
92.128.52.226 app.somwhere.com app foo foo.somewhere.com
And now let's add another virtualhost for your second app:
<VirtualHost *:80>
ServerName foo
ServerAlias www.foo.somwhere.com
ServerAlias foo.somwhere.com
DocumentRoot /www/foo/webroot
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /www/foo/webroot>
Options Indexes FollowSymLinks
# this prevents .htaccess reading, remove if you want .htaccess
AllowOverride None
# allow web access
Order allow,deny
allow from all
</Directory>
</VirtualHost>
And etc.
Don't forget to restart your Apache. No rewrite rule. Nice virtualhosts are the 1st step of a nice configuration; you will be able to define rules, directory or location specific things per name used. Even PHP configuration can be set per virtualhost with php_value instead of a global shared one in php.ini.
Type
apache2 -S
to get the list of your virtualhosts. You'll see that the first one is the 'default' one; if Apache doesn't understand the name of the requested site it will serve this default one (so you could add a specific virtualhost on top to handle these cases).
Try adding dev/ to the paths in lines 3 and 4 to your dev .htaccess.
Maybe you should remove the "RewriteBase /" line in the .htaccess in your dev folder?