My host has a cPanel which allows turning on PageSpeed from Google. However, turning it on produces a 403 error for externally hosted JS libraries on some domains (cdnjs, maxcdn in my case) but not with googleapis. Any reason for the same?
To avoid this, open your .htaccess file. You will find this somewhere in the file:
# mod_pagespeed configuration - Do NOT modify the contents
<IfModule pagespeed_module>
ModPagespeedDomain *
ModPagespeed on
</IfModule>
# End of mod_pagespeed configuration- Do NOT modify the contents
Replace this with :
# mod_pagespeed configuration - Do NOT modify the contents
<IfModule pagespeed_module>
ModPagespeedDomain http://yourdomain.com
ModPagespeed on
</IfModule>
# End of mod_pagespeed configuration- Do NOT modify the contents
I can't wrap my head around why the .env is still exposed. The website has an HTTPS certificate. I have the .env file denied in the .htaccess file like so:
# Disable index view
Options -Indexes
# Hide a specific file
<Files .env>
Require all denied
</Files>
It is blocked properly (403 forbidden error) on these URLs:
https://example.com/.env
http://example.com/.env
http://###.IPaddress.###/.env
But is still visible here by ignoring the "not secure" warning:
https://###.IPaddress.###/.env
Likewise, there is still the Apache Testing 123 page being served as the homepage for the above URL (when not accessing the .env file). How can I block this file?
You probably have a default <VirtualHost *:443> that is catching the request (the first vHost that is defined in the server config is the "default") and this probably doesn't allow .htaccess overrides (i.e. AllowOverride is not defined or set to None), so the .htaccess file is not processed.
You need to ensure that the default vHost that is catching the request either blocks requests to the IP address entirely, or redirects to the canonical hostname.
See the following question on ServerFault for more detail on configuring this:
https://serverfault.com/questions/914649/htaccess-block-access-when-http-host-is-ip-security
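The approach described in this answer, as an added example that is not part of the original answer: catch-all default vhosts that refuse requests addressed to the bare IP, plus a server-wide rule that denies `.env` without relying on .htaccess. The file name, `catchall.invalid`, the certificate paths and `/var/www/example` are assumptions made for illustration.

```apache
# /etc/httpd/conf.d/000-catchall.conf  (hypothetical file name; it must sort
# before the other vhost files so that these become the default vhosts)

# Server-wide rule: applies in every vhost, whether or not .htaccess is read.
<FilesMatch "^\.env">
    Require all denied
</FilesMatch>

# Default for plain HTTP: a Host header that matches no ServerName lands here.
<VirtualHost *:80>
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Default for HTTPS: same idea. The certificate paths are placeholders; a
# self-signed certificate is enough because no legitimate client uses this vhost.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder.crt
    SSLCertificateKeyFile /path/to/placeholder.key
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# The real site keeps its own vhost and opts in to .htaccess processing.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "/var/www/example"
    SSLEngine on
    SSLCertificateFile    /path/to/example.com.crt
    SSLCertificateKeyFile /path/to/example.com.key
    <Directory "/var/www/example">
        # AuthConfig permits Require in .htaccess; Options permits "Options -Indexes"
        AllowOverride AuthConfig Options
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading, `apachectl -S` lists the default server for each address and port, which confirms that the catch-all vhosts are the ones answering requests made to the IP address.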
I have a severe problem: my cPanel URLs are public. I don't want anyone to know the cPanel configuration URLs, because any user can access it with yourdomain.com/cpanel.
As I have shared hosting, I don't have access to the httpd/root or the server configuration files. I want to know whether I can add some code to the .htaccess file and stop this redirection.
I previously had shared hosting, and I discovered that this is not possible in shared hosting, you need to have root access.
I bought VPS hosting and removed it by doing the following:
Copying the Apache 2.4 template for EasyApache 4 to allow for customization using command line/terminal:
cp -a /var/cpanel/templates/apache2_4/ea4_main.default /var/cpanel/templates/apache2_4/ea4_main.local
By editing /var/cpanel/templates/apache2_4/ea4_main.local to change the entries to match your preferences:
vim /var/cpanel/templates/apache2_4/ea4_main.local
For instance, if you wanted to disable the /cpanel alias, you'd remove this line when editing the file:
ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
And then rebuilding the httpd.conf file by using:
/scripts/rebuildhttpdconf
And the last step is to restart by using:
service httpd restart
And your cPanel conf paths will be removed.
If you want to deny access to http://www.example.com/cpanel, do this:
In httpd.conf make sure you load mod_rewrite: LoadModule rewrite_module modules/mod_rewrite.so. Since you are on a shared hosting, you may not have access to that, but then it is most probably already loaded.
In your .htaccess, add:
RewriteEngine On
# Match on the request path; QUERY_STRING only holds the part after "?"
RewriteCond %{REQUEST_URI} "^/cpanel$"
RewriteRule ".*" "-" [F,L]
Tag [F] causes the server to return a 403 Forbidden status code to the client (ref: https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_f)
To ensure the .htaccess directives are taken into account, make sure you add this to the options of the directory where it resides:
AllowOverride All
Refer to this SO question: How to Set AllowOverride all
I have installed zpanel with centos 6.3.
Now what is the problem.
I have added domain mydomain.com and I have added blank index.php file.
I also added a .htaccess file with "deny from all".
Now when I open the page in the browser, I get the Apache 2 Test Page instead of 403 Forbidden.
But if I open http://mydomain.com/index.php, now I get 403 Forbidden.
I tried to edit the DirectoryIndex in the Apache config file but there is no positive result. Can anyone help me?
Try to disable the default Apache CentOS welcome page:
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /error/noindex.html
</LocationMatch>
Edit the file /etc/httpd/conf.d/welcome.conf and comment out everything. Simply removing the welcome.conf file (or renaming it to .conf.disabled, for example) should do the trick too.
Then, reload the Apache configuration (service httpd restart) and things should work as expected.
Same problem, when apache has been updated, the file welcome.conf has been created.
I've renamed it to disable it and now I get to see the Forbidden page for my Deny from all directives
I have a .htaccess file and I am currently working on localhost. For a 404 page error, I have the following code in the .htaccess file:
ErrorDocument 404 /my_local_domain/404.php
But when I upload this file to my website online, the functionality of the file breaks. It no longer shows the 404.php page. It works if I modify the code in the .htaccess file of my online website to the following:
ErrorDocument 404 /404.php
Now all through the changes that I do in the .htaccess file, I would have to remember to remove the domain name before I upload it to the website or I risk breaking the functionality. So with this in mind, here are my questions:
1. How do I solve the above problem without needing to edit the .htaccess file (by stripping my_local_domain from it) each time I make a change & upload it online?
2. How do I set up 404 page redirection for all the nested folders? (I don't want to set up a .htaccess file for each of the folders. A single .htaccess file that resides in the root folder of the website & controls all the redirection for all the sub-folders would be awesome)
All help is appreciated.
Thank you.
I believe you have two different issues here.
First of all, you should not need to have different paths in development and live site. It appears that you've configured your local Apache to host only one site and each actual site goes in a subdirectory. It's not a good idea: you'll soon be mixing cookies and sessions between all your dev sites. Have a look at the name-based virtual hosts feature: you can configure as many independent sites as you need. You don't even have to buy real domains if you set them in the hosts file.
Secondly, under certain circumstances it can be useful to have different Apache directives. I've been using the following trick.
Pick a keyword for the dev server, e.g. DEV_BOX.
Pass that keyword to Apache in the -D parameter. If you run it as service, you can run regedit and find the HKLM\SYSTEM\CurrentControlSet\Services\Apache2.2\Parameters key. Append -D DEV_BOX to the ConfigArgs value. Restart Apache.
Now, you can use the <IfDefine> directive to set local directives:
#
# Common stuff
#
AddDefaultCharset UTF-8
#
# Local-only stuff
#
<IfDefine DEV_BOX>
Options +Indexes
</IfDefine>
#
# Live-only stuff
#
<IfDefine !DEV_BOX>
Options -Indexes
</IfDefine>
First of all, I suggest you set up local domains for development. For example, if you are developing a website which will go under www.example.com, you can set up a local.example.com in your HOSTS file. You'll do a VirtualHost setup in your Apache and the .htaccess will then be the same.
Also, you can set up a build process (e.g. via Ant) which will allow you to prepare and generate a zip file with the files which go on the live server. This build will feature the correct configuration files (db configs, mail servers, htaccess etc).
My website has a file: www.mydomain.com/contact.php
If I request any of the following (which do not exist), apache serves the contact.php page.
www.mydomain.com/contact
www.mydomain.com/contact/
www.mydomain.com/contact/anything/else/here
How can I determine what part of the apache config to change to disallow this?
The apache server is running on a CentOS 5 box if that makes any difference.
This is called MultiViews.
A .htaccess file or modifying your httpd.conf with Options -MultiViews should do the trick.