Magento: .htaccess files - apache

I am running Magento Community Edition version 1.7.0.2.
I would like to know, how come are there two .htaccess
files in my installation, one in the magento root directory,
and another one in the magento app directory just beneath
the magento root directory?
On my system the first one is 209 lines long whereas the
second one only contains two directives.
Can anyone please explain how come there are two files
instead of one. Are both parsed or just one of them?

Normaly each .htaccess-File paresed, cause they could be used additional.
The last .htaccess-File may overwrite or enhanced previuos ones.

The .htaccess file in app/ is used to "deny" all access to any file under app. Without this someone could access http://yourdomain.com/app/etc/local.xml and see your database credentials, among other bad things. A similar file should be present in var/ as well (to prevent viewing logs, etc)

Delete the existing file and try adding default new .htaccess file
Magento default htaccess file

Related

How to disable the download of files in an Apache2 webserver?

I took over a website which I'm supposed to admin and somebody brought to my attention that certain Indexes and Files are available, which shouldn't be. I will be using dummy names.
You were able to access example.com/intern before, but I changed a line in /etc/apache2/apache2.conf according to this https://stackoverflow.com/a/31445273 . This worked partly, as I get a 403-Forbidden when I now navigate to example.com/intern and that's basically what I want.
However the directory intern governs a file called file.php.bak aswell as file.php. When I navigate to example.com/intern/file.php I get a white website. I am however not sure, if you are able to access file.php in another way, because the site does load and I don't get a 403 like before. What is way worse and the reason I am struggling with this is: If I go to example.com/intern/file.php.bak then my Browser (Firefox) offers me to download file.php.bak, which I can read in plaintext. I want all files in intern to not be accessible via the website, but I have no idea how to do this. Can anybody help?
Things I've tried:
Removing the Indexes from the apache2.conf file like mentioned above. It only puts the 403 on the directory itself and not recursively for all the files in it.
Writing a .htaccess file as described here: https://fedingo.com/how-to-prevent-direct-file-download-in-apache-server/ and putting it in intern with the same result as in 1)
Putting an empty index.html file in the intern directory. This leads to no more 403 in example.com/intern, but the download on example.com/intern/file.php.bak is still possible. I've also tried index.php with the same result.
File System:
The application runs from /var/www/application which is also the folder for the /var/www/application/index.php I want to use. The /var/www/application/intern directory is also there. While it isn't browsable anymore, the files in it still are accessible. /var/www/application/intern/file.php can be navigated to via example.com/intern/file.php, but it seems like it can't be downloaded or read as it results in a white page. /var/www/application/intern/file.php.bak can however be downloaded via example.com/intern/file.php.bak.
Let's say Apache document root is set to DocumentRoot "/folder_one/folder_two"
Placing files in a folder_one will prevent people browsing your apache server and requesting the files directly.
Place index file in folder_two and include some code such as PHP to tell apache to include whatever files you want from folder_one.
In this manor Apache will still be able to serve whatever files you want from folder_one and people will not be able to request the files directly as the are located in a directory above the Apache document root.

How to leverage browser cache globally on Easyapache4?

This article explains how to configure Apache2 with directives in either .htaccess or in httpd.conf to work globally. However in EasyApache4 httpd.conf is automatically generated, it says that modifications should go in include files, and it lists the following three files:
/etc/apache2/conf.d/includes/pre_main_global.conf
/etc/apache2/conf.d/includes/pre_virtualhost_global.conf
/etc/apache2/conf.d/includes/post_virtualhost_global.conf
This article talks about creating a new file expire.conf file in /etc/apache2/conf.d/ (ie not adding directives to an existing file and not in the includes sub-directory). This article talks about creating a new file 00-cache.conf in the conf.modules.d directory.
I'm confused whether to add directives to an existing file in the includes sub-directory, and if so which one, or to create a new file, and if so what filename to use and where to put it.
Can anyone advise please?
I'm looking into the same thing, and it's becoming clear that when on EA4, you should simply follow EA4 structures - the 3 include files you're already listing.
pre_virtualhost_global.conf is probably the most appropriate spot.

Contao is redirecting to non existend development subdirectory

Im currently trying to move a website to production that has been designed using contao. The website has been developed in a subdirectory of the current website. Now when I change the DocumentRoot to the contao directory the application automatically forwards me to the /development directory which in that situation does not exist anymore.
I did a database dump and searched it for "/development" to find the variable that is storing this information but I didn't find a match. I then did the same with the configuration files but it didn't show up any results too. How is redirecting handeled in contao?
It sounds like your pathconfig.php is wrong. After deploying/moving a Contao installation, you should always execute and log into the Install Tool under contao/install.php. This will correct your pathconfig.php.
Also make sure the RewriteBase in the .htaccess is set to the correct value (probably / in your case).

How Come Everybody Can See My Private Files?

Sorry for the newbie question...
When I go to http://www.plans4boats.com/scripts/youtubeplayer/ in Google Chrome, I can see a full listing of the files there. What should I do if I don't want any old hacker to just come in and view/copy my source codes? Does it have something to do with htaccess?
I discovered that putting a blank index.html file in the folder helps for THAT folder, but it still leaves all subfolders vulnerable.
What should I google for more information on how to set up my server to prevent this?
Just set Options -Indexes for that particular directories either in an .htaccess file or a <Directory> or <Location> container.
What you need to do is turn of Directory Listing for your specific server. I don't know what server you're using so I can't walk you through it, but just google your server name and how to disable directory listing.
I created a file called .htaccess and put the following contents:
IndexIgnore /

Apache serving files that should not be served

Today I discovered that my fresh installation of Apache HTTP Server is able to serve files from my C:\uploads\ directory.
I have two folders in C:\uploads:
C:\uploads\templates
C:\uploads\sites
Both folders contain testimage.jpg.
I found that Apache will serve the files from the templates folder if I request:
http://localhost/templates/testimage.jpg
However, http://localhost/sites/testimage.jpg 404's!
OMG - firstly, why does Apache serve the templates folder in the first place? Is it special?
Secondly, by what arbitrary set of rules does apache disallow access to other folders such the sites?
I'm so confused. Perhaps I've taken a wrong turn somewhere during the installation.
Did you look through your httpd.conf file to see what rules are in place for what is being served? Alternatively, are there .htaccess files that may be changing what is being served? You might have templates exposed in one or the other, but not sites... that's the first thing that comes to mind.
I would suggest going through these configuration files with a fine toothed comb to see what may cause the behavior you see.