.htaccess deny from all doesn't work - apache

my problem is that I want to deny the access to a folder but I can't.
I've put a .htaccess file in this folder with just these lines:
order deny,allow
deny from all
Any idea of what can be happening?

I get it! It was due to the apache configuration. In my foo.conf of sites-avaiables directory I had:
AllowOverride None
As apache doc says, AllowOverride Description: Types of directives that are allowed in .htaccess files
When it is changed to:
AllowOverride All
it works perfectly!
You can also configure it with specific options:
AllowOverride directive-type
directive-options at: apache.org

I had the same issue using that method. Try this instead:
RewriteEngine On
RewriteCond %{REQUEST_URI} foldername
RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.44$
RewriteRule . - [R=404,L]
With this method you need to add your own ip.
Options: instead of the last line being a 404 page not found:
RewriteRule . - [R=404,L]
you can change it to a 403 forbidden:
RewriteRule .*? - [F]
or redirect to your homepage:
RewriteRule . http://www.domain.com/ [R,L]

you need to do two things,first, change the conf of apache to allow override,
second, to change the conf of a hosting to allow override
first
nano /etc/apache2/apache2.conf
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
and change it to;
<Directory /var/www/html>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Second
cd /etc/apache2/sites-available
nano yourdomain.com.conf
add the following codes into it,
<Directory "/var/www/html/yourdomain.com/public_html">
AllowOverride All
Require all granted
</Directory>
after adding
<VirtualHost *:80>
ServerAdmin support#yourdomain.com
ServerName yourdomain.com
ServerAlias www.yourdomain.com
DocumentRoot /var/www/html/yourdomain.com/public_html/
<Directory "/var/www/html/yourdomain.com/public_html">
AllowOverride All
Require all granted
</Directory>

Use this:
<Directory /folder_name>
Order Deny,Allow
Deny from all
</Directory>
Its better to add a rule to allow your ip address. You can use allow from your_ip_address for this. Be careful with the ip address as it can be shared. You can check your ip address using http://www.whatismyip.com/

Related

Prevent Apache for opening files with similar name to url

My .htaccess:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUESTFILENAME} !-f
RewriteCond %{REQUESTFILENAME} !-d
RewriteRule ^login/generic_oauth$ auth0-callback.php [L]
RewriteRule ^(.*)$ index.php?page=$1 [L]
My vhost file:
<VirtualHost *:443>
DocumentRoot /home/blabla/www/frontend/
ServerName some-domain.net
ServerAlias www.some-domain.net
SSLEngine on
SSLCertificateFile /etc/apache2/crt/cert.pem
SSLCertificateKeyFile /etc/apache2/crt/key.pem
<Directory />
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
Require all granted
</Directory>
<Directory /home/blabla/www/>
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
The problem is when I try to access https://www.some-domain.net/login/generic_oauth Apache is loading login.php (which exists). Problem disappears when I rename the file to loggin.php for example.
The problem is when I try to access https://www.some-domain.net/login/generic_oauth Apache is loading login.php (which exists). Problem disappears when I rename the file to loggin.php for example.
This problem is symptomatic of having MultiViews enabled. Although, you appear to be disabling MultiViews in the server config, except that you are not targeting the DocumentRoot with your <Directory> containers...
DocumentRoot /home/blabla/www/frontend/
:
<Directory />
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
Require all granted
</Directory>
<Directory /home/blabla/www/>
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
Require all granted
</Directory>
You should not be setting AllowOveride All and Require all granted in the <Directory /> container, ie. the entire drive! You should be disabling access instead and this should already be defined outside of the <VirtualHost> container, in the main server config.
You are then granting access to /home/blabla/www/, but this is the directory above the DocumentRoot?! Do you have another .htaccess in this parent directory? Do you have another <Directory> container that matches the DocumentRoot?
So, your config should look more like this:
<Directory />
Options SymLinksIfOwnerMatch
AllowOverride None
Require all denied
</Directory>
<VirtualHost *:443>
ServerName some-domain.net
ServerAlias www.some-domain.net
SSLEngine on
SSLCertificateFile /etc/apache2/crt/cert.pem
SSLCertificateKeyFile /etc/apache2/crt/key.pem
DocumentRoot /home/blabla/www/frontend/
<Directory /home/blabla/www/frontend>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
As with any changes to the server config, you need to restart Apache.
If this does not resolve the issue then you need to look for any other places in the config that could be enabling MultiViews. And if all else fails, explicitly disable MultiViews in the .htaccess file itself:
Options -MultiViews

Vhosts not redirecting

I have a server running Ubuntu 14.04 LTS and I am trying to set up vhosts. What I did already is,
1) Created 2 files desktopia.be.conf and everybodycreative.be.conf which look like this
desktopia.be.conf:
<VirtualHost *:80>
ServerAdmin your_email_address
ServerName desktopia.be
ServerAlias www.desktopia.be
DocumentRoot /var/www/desktopia
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/desktopia>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
everybodycreative.be.conf:
<VirtualHost *:80>
ServerAdmin your_email_address
ServerName everybodycreative.be
ServerAlias www.everybodycreative.be
DocumentRoot /var/www/everybodycreative
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/everybodycreative>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Under the www folder, I made 2 folders named desktopia and everybodycreative.
After I did that, I ran the following commands
sudo a2ensite desktopia.be
sudo a2ensite everybodycreative.be
and restarted the apache2 service.
Now the problem is that when I connect on one of the 2 domain names, I just get to see the content of my www folder as you can see here http://desktopia.be/
If anyone can tell me where I should look or what more information is needed to fix this problem, please ask me so that I can fix this. This has been bothering me for a few days already and I need this fixed asap.
Thanks for helping me already :)
I think you'll need to run
a2enmod rewrite
to turn on rewrite module.
Then in the relative folder .htaccess
RewriteCond %{HTTP_HOST} ^(.+)\.desktopia\.be
RewriteCond %{HTTP_HOST} !^www\.desktopia\.be [NC]
RewriteRule ^(.+)$ /var/www/desktopia/%1/$1
same for other url,
I haven't tried it so you may need to modify something in the .htaccess folder code
You need to enable the NameVirtualHosts directive in your config.

Trying to do hidden redirect with .htaccess - redirect is visible

I am trying to set something up on my local server where if I go to mydomain/docs it does a redirect internally to mydomain/slate/build, but have the user still see mydomain/docs in their browser's url. I have it half working - when I go to mydomain/docs, it loads the correct index.html in /slate/build but the issue is that my url bar:wq shows mydomain/slate/build when the desired url is mydomain/docs.
Here is my entire .htaccess file that does the redirect:
RewriteEngine on
RewriteRule ^/?docs$ /slate/build [L]
And here is what I believe to be potentially relevant from my apache2.conf:
HostnameLookups Off
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
Allow from all
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
And finally my VirtualHost in sites-enabled:
<VirtualHost mydomain>
DirectoryIndex index.html
ServerAdmin postmaster#dummy-host.localhost
DocumentRoot /correct/file/structure
ServerName mydomain
ServerAlias mydomain
</VirtualHost>
Yes it is - it's a directory with an index.html in it, which is the file I'm trying to pull up.
Since it's a directory, you need to end the URI with a slash, otherwise mod_dir will kick in an redirect the browser to the same URI but with a trailing slash. Try changing your rule to:
RewriteEngine on
RewriteRule ^/?docs$ /slate/build/ [L]

Non-existing file/URL returns 403 Forbidden

Going to example.com/config or example.com/account/login returns 403 Forbidden.
In reality, /config and /account/login should be redirected to index.php but it gives 403.
My directory structure is like this:
/var/www/example
└─/assets
└─/bower_components
└─/node_modules
└─/partials
└─/templates
└─/tests
└─/vendor
└─index.php
This is my Virtual host configuration:
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/example
<DirectoryMatch "^/var/www/example/(?!(assets|partials))\w+">
Require all denied
</DirectoryMatch>
<Location />
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
</Location>
</VirtualHost>
I want to disallow access to every folder except assets and partials, that's why I added that DirectoryMatch directive.
I use a PHP framework called Slim so I have to add Location and Rewrite directives.
I think Apache thinks my URLs are directories and blocks them. Is there a way to unblock my URLs?
Try adding:
<Directory "/var/www/example">
Order Allow,Deny
Allow From all
</Directory>
above the <DirectoryMatch> container in your vhost config.
Since you're using apache 2.4, then use require all:
<Directory "/var/www/example">
Require all granted
</Directory>
If you're using Apache 2.4 try to add in the end of your VirtualHost:
<Directory /var/www/example>
Options Indexes FollowSymLinks MultiViews
# If you want to enable overrides, you should read:
# http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride
AllowOverride All
Require all granted
Satisfy Any
Order allow,deny
Allow from all
</Directory>

.htaccess of getsimple gets me a 500 Internal Server Error on Ubuntu Localhost

localhost setup
ubuntu 12.04
mod rewrite enabled
multiple sites running in different directory’s
dir structure
/var/www/mysite1/htdocs/
/var/www/filehostwatch.com/htdocs/
.
.
.
wordpress .htaccess that works in my getsimple dir(copyed for test reasons) without problems
the one from getsimple gives me a 500 The server encountered an internal error or misconfiguration ... i later figured out that this section is what caussing the error
.htacess
AddDefaultCharset UTF-8
now the section that causes errors
Options -Indexes
# blocks direct access to the XML files - they hold all the data!
<Files ~ "\.xml$">
Order allow,deny
Deny from all
Satisfy All
</Files>
<Files sitemap.xml>
Order allow,deny
Allow from all
Satisfy All
</Files>
end of the section that causese 500 errors
RewriteEngine on
# Usually it RewriteBase is just '/', but
# replace it with your subdirectory path
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule /?([A-Za-z0-9_-]+)/?$ index.php?id=$1 [QSA,L]
the config file in /etc/apache2/sites-enabled/ of the site looks like the one with another site where wordpress is running without problems. and as i said the htaccess from wordpress works even in this site when copied over.
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName filehostwatch.localhost
DocumentRoot /var/www/filehostwatch.com/htdocs
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/filehostwatch.com/htdocs/>
Options Indexes FollowSymLinks MultiViews
AllowOverride FileInfo
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
Any idea what might cause this problem?
You should probably change Satisfy All to Satisfy Any in the offending section to see if it helps.
AddDefaultCharset UTF-8
Options All -Indexes
# blocks direct access to the XML files - they hold all the data!
<Files ~ "\.xml$">
Order deny,allow
Deny from all
</Files>
<Files sitemap.xml>
Satisfy Any
Order allow,deny
Allow from all
</Files>
RewriteEngine On
# Usually it RewriteBase is just '/', but
# replace it with your subdirectory path
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule /?([A-Za-z0-9_-]+)/?$ index.php?id=$1 [QSA,L]
If I'm understanding your problem correctly... .htaccess is in your /var/www/filehostwatch.com/htdocs/ directory? In which case I don't think you're giving enough permissions for your .htaccess file to configure what you want... In your virtual host settings you have:
<Directory /var/www/filehostwatch.com/htdocs/>
...
AllowOverride FileInfo
...
</Directory>
Which gives the ability to change mod_rewrite settings, but doesn't permit changing of host accesses (e.g. Allow & Deny) nor the changing of Options.
Have you tried setting this to AllowOverride All in your virtual host config? Alternatively you could add more directive settings to the AllowOverride option. Offhand I think AllowOverride FileInfo Limit Options should do the trick.
See also Apache's doc on AllowOverride