htaccess deny from all gets apache server test page - apache

I have installed zpanel with centos 6.3.
Now, here is the problem.
I have added the domain mydomain.com and I have added a blank index.php file.
I also added a .htaccess file with "deny from all".
Now when I open the page in the browser, I get the Apache 2 Test Page instead of 403 Forbidden.
But if I open http://mydomain.com/index.php, now I get 403 Forbidden.
I tried to edit the DirectoryIndex in the Apache config file, but there was no positive result. Can anyone help me?

Try to disable the default Apache CentOS welcome page:
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /error/noindex.html
</LocationMatch>
Edit the file /etc/httpd/conf.d/welcome.conf and comment out everything. Simply removing the welcome.conf file (or renaming it to .conf.disabled, for example) should do the trick too.
Then, reload apache configuration (service httpd restart) and things should work as expected.

Same problem, when apache has been updated, the file welcome.conf has been created.
I've renamed it to disable it and now I get to see the Forbidden page for my Deny from all directives

Related

PHP Upgrade to 8 with Error Options -Indexes in .htaccess file

Have upgraded PHP 7.4 to PHP 8.2.1 on Mac OS X, and for some reason, cannot locate what is causing an issue with the .htaccess file having this code in it:
Options -Indexes -Multiviews
If I remove this code the site loads, but then shows all folders and files, which is not desirable. Need site to load the index.php file that is being shown here, trying to hide this, but once this is in the .htaccess file, I'm getting the following error message:
Forbidden
You don't have permission to access this resource.
Is there something in PHP that needs to be set? I did change the php_module to point to PHP 8 in the httpd.conf file, so I don't understand what else might need to change to get my localhost loaded properly instead of showing files and folders?
BTW, this was working fine on PHP 7.4, but after updating, no longer works. Maybe I have to install other modules for 8.2.1 to work correctly?
If I switch back to using PHP 7.4 everything is loading fine on the site after restarting apache.
"Need site to load the index.php file"
You need to set the DirectoryIndex (mod_dir) - this defaults to index.html only (an Apache issue, not PHP). It is the DirectoryIndex that determines which file(s) Apache will try to serve when requesting a directory.
For example:
Options -Indexes -Multiviews
DirectoryIndex index.php
If a DirectoryIndex document (there can be more than 1) is not found... and mod_autoindex is disabled (ie. -Indexes) then you get a 403 Forbidden response. If mod_autoindex is enabled then you naturally see a directory listing. (If mod_autoindex is not installed at all then you get a 404 Not Found.)
mod_autoindex (ie. Indexes) is not enabled by default on Apache 2.4 (it is on Apache 2.2), however, it has likely been explicitly enabled elsewhere in the server config.

.env file exposed only when accessing via https and website IP address

I can't wrap my head around why the .env is still exposed. The website has an HTTPS certificate. I have the .env file denied in the .htaccess file like so:
# Disable index view
Options -Indexes
# Hide a specific file
<Files .env>
Require all denied
</Files>
It is blocked properly (403 forbidden error) on these URLs:
https://example.com/.env
http://example.com/.env
http://###.IPaddress.###/.env
But is still visible here by ignoring the "not secure" warning:
https://###.IPaddress.###/.env
Likewise, there is still the Apache Testing 123 page being served as the homepage for the above URL (when not accessing the .env file). How can I block this file?
You probably have a default <VirtualHost *:443> that is catching the request (the first vHost that is defined in the server config is the "default") and this probably doesn't allow .htaccess overrides (ie. AllowOverride is not defined or set to None) so the .htaccess file is not processed.
You need to ensure that the default vHost that is catching the request either blocks requests to the IP address entirely, or redirects to the canonical hostname.
See the following question on ServerFault for more detail on configuring this:
https://serverfault.com/questions/914649/htaccess-block-access-when-http-host-is-ip-security
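The layout this answer describes, as an added example that is not part of the original answer: a catch-all first vHost that refuses requests made by IP address, plus a `.env` deny placed in the server config so it does not depend on `.htaccess` being processed. It assumes Apache 2.4 with mod_ssl; the hostnames, certificate paths and document root are placeholders.

```apache
# Constructed example for Apache 2.4 + mod_ssl. Hostnames, directories and
# certificate files are placeholders, not values from the question.

# 1) Catch-all. The first <VirtualHost> defined for *:443 is the default,
#    so it receives any request that matches no ServerName/ServerAlias,
#    such as https://<server IP>/.env. Make sure this block is read before
#    every other *:443 vHost.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/placeholder.crt
    SSLCertificateKeyFile /etc/pki/tls/private/placeholder.key

    # Refuse everything here. Nothing relies on AllowOverride or .htaccess.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 2) The real site, selected by hostname.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot "/var/www/example.com/public"
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

    <Directory "/var/www/example.com/public">
        Options -Indexes
        # .htaccess is honoured only where AllowOverride permits it.
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# 3) Server-wide rule, outside any vHost: it is inherited by every vHost,
#    including the catch-all, whether or not .htaccess files are read.
<Files ".env">
    Require all denied
</Files>
```

Running `httpd -S` after a change lists which vHost is the default for each address and port, which confirms the catch-all is the one being selected.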

apache httpd disable directory browser

I have configured Apache by adding Options -Indexes to disable directory browsing, but how can I access resources from the website? In my HTML file (website on host1) there is an image taken from another Apache server (host2), so if I set Options -Indexes in Apache (host2) to prevent directory browsing, then the image in my HTML can't be accessed either. How can I solve this?
Thanks!
Why would a web page, or anything else other than a human, need to access a directory listing? Options -Indexes only stops a directory listing from being generated, it does not prevent access to any of the resources.

typing DirectoryIndex into .htaccess and it doesn't work?

This is so frustrating. My root directory is at home/websitename/websitename/ and my httpd.conf has nothing in it!
My .htaccess is in the same directory as the index.php is supposed to be and all I'm typing into .htaccess (and FTP identifies this as an HTACCESS file) is:
DirectoryIndex Home.php
The error message I get when trying to visit the site is a 403 forbidden to list the directories of "/".
The AllowOverride directive is set to All.
Ok actually I made a dumb mistake.
Basically all the things one needs to check in order for the .htaccess to work are these:
Create a .htaccess file in the main directory. Make sure the .htaccess file is made in a file editor for ASCII. (Notepad++, dev editor, NO Microsoft Word)
Make sure AllowOverride is set to All in the Apache configuration for your website. It should be under <directory>
Make sure to restart apache after making any changes to the Apache file!! Note that even though .htaccess does not require you to restart Apache, changing anything in the website configuration file requires you to restart Apache in order for it to function.
Lastly, your website should output a 500 Internal Apache Error if it is able to actually read the .htaccess file, NOT a 403: Access Forbidden or directory listing.

identify Apache config directive

My website has a file: www.mydomain.com/contact.php
If I request any of the following (which do not exist), apache serves the contact.php page.
www.mydomain.com/contact
www.mydomain.com/contact/
www.mydomain.com/contact/anything/else/here
How can I determine what part of the apache config to change to disallow this?
The apache server is running on a CentOS 5 box if that makes any difference.
This is called MultiViews.
A .htaccess file or modifying your httpd.conf with Options -MultiViews should do the trick.