on my Magento site (not the real url ;) ), I have http://magento.local.com/media/ returning as a 403 Forbidden.
This seems to be standard for all Magento installs, but I want to change this, and not have a 403 returned for requests to /media/.
How can I do this?
EDIT: (adding further information and reason for it)
I want /media/ to not be a 403, so that I can redirect requests to /media/ to /media/index.html.
I thought this redirect would be easy once the 403 was resolved, but unfortunately it is not. e.g.
RewriteRule ^$ /index.html [L,NC,R=301]
does not redirect /media/ at all, and the usual "Index of /" is displayed.
SOLUTION: add DirectoryIndex to the htaccess file
Thanks
Paul
Put .htaccess to your media/ dir with following contents:
Options All +Indexes
DirectoryIndex index.html
Something to pay attention to.
The standard Magento .htaccess for the media directory is as follows:
Options All -Indexes
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
# AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Due to the relaxed permissions Magento expects on this directory tree, they wish to prevent execution and interpretation of php and other scripts that could be maliciously uploaded into the directory tree and then executed remotely. As long as this function is preserved, you will be ok on modifications you make.
Related
I was playing around with .htaccess files and I was wondering, completely out of curiosity, is it possible to redirect access to the .htaccess file itself to another file?
Example:
User goes to http://www.example.com/.htaccess
I want the user to be redirected to index.php?foo=bar
I've tried the following:
Redirect 301 /.htaccess /index.php?foo=bar
And
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^((?s).*)$ index.php?foo=bar [QSA,L]
</IfModule>
These methods work on any other file, but the .htaccess file itself always results in a 403 Forbidden page showing up.
Is this possible? If not, then why?
If you look in your webservers configuration file you will find some directive that prevents users from accessing .htaccess or .htpasswd file from the browser. For instance if I open up my apache configuration, located at /etc/apache2/apache.conf I can spot the following lines:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
So you should be able to change the above to:
Order allow,deny
Allow from all
you also need to make sure that you have the correct file permission on the .htaccess file and finally restart your server using:
sudo service apache2 restart
Of course doing the above would not be very secure.
I am investigating Rewrite Rule of Apache and not using .htaccess but virtual host setting for writing them.
Here I have 2 questions:
I can use "RewriteRule blog_rss.xml blog_rss.php" but cannot use "RewriteRule ^blog_rss.xml$ blog_rss.php", why?
Even the first script is working, it doesn't change to the RSS style what I want. Should I set handler for it with Rewrite Rule?
Thanks for answering this question.
Update: Here is the scripts about rewrite rule.
<Directory />
<IfModule mod_rewrite.c>
RewriteEngine On
ErrorDocument 404 /error/404.php
RewriteRule ^blog_rss\.xml$ blog_rss.php
</IfModule>
</Directory>
No you shouldn't set a handler. Doing so will force the PHP code at blog_rss.php to execute as XML. This would result in the entire file being responded with an XML Mime type, which may present major security issues.
However, in the blog_rss.php file before completing the response you might want to set the response type to that of an RSS file.
blog_rss.php
header('Content-Type: text/xml');
v-host
<Directory />
<IfModule mod_rewrite.c>
RewriteEngine On
ErrorDocument 404 /error/404.php
RewriteRule ^blog_rss\.xml$ blog_rss.php
</IfModule>
</Directory>
Resource: electrictoolbox.com
Thanks for answers. For V-host, I found the reason finally.
According to RewriteRule in htaccess vs httpd.conf, the Directory path should be the same as the website base path. For example, if the root directory is /var/www/, the <Directory> should set /var/www/ or it will detect the root path of the server.
I have two index files and i want both to be there. I wrote DirectoryIndex index.php index.html in my .htaccess file. This is the only line in my .htaccess file and when i opened site browser is giving error 500.
The server probably hasn't set AllowOverride Indexes. If they haven't then DirectoryIndex in an .htaccess file isn't allowed, and you get 500 when you try.
Some options:
See if the web provider will grant AllowOverride Indexes in your URL space.
Ask what values of DirectoryIndex they do allow (maybe index.php, index.cgi, etc.) and use one of those instead.
Use a RewriteRule (if they allow that :| ), for example:
RewriteRule ^$ index.php
I have this as my .htaccess file:
AddType text/x-component .htc
ErrorDocument 404 /index.php
RewriteEngine on
RewriteRule ^maps/(\w+)/?$ /maps.php?lang=$1 [L]
RewriteRule ^(\w+)/?$ /index.php?lang=$1 [L]
The second RewriteRule is working PERFECTLY! No problems. But, the first one, is giving me a huge headache... It just doesn't work at all. It's redirecting to /maps.php, but it doesn't gives me the parameter, which is BASIC for me. It's like the GET params are not there, but are supposed to be there. I don't get it...because I've just copied a working RewriteRule, from StackOverflow, and addapted changing the word "search" to the word "maps".
Could anybody, please, help me with this thing? I'm pretty sure it'd be something simple, but I'm not seeing it...
EDIT: Apparently, there is a second .htaccess file in my server. "/logs/.htaccess".
Options +Indexes
RemoveHandler .html
RemoveType .html
AddType text/html .html
Satisfy any
Order Deny,Allow
Allow from MY_SERVER_IP
Deny from all
AuthType Basic
AuthName "Access to /logs"
There is no way I can delete this file. Or I didn't manage to do it. My hosting provider is 1&1.
I've found the problem through some deep searching after I realized it could be a problem with my hosting provider, 1and1. And I got it here 1and1 mod_rewrite issues
It was about an option you MUST add in your .htacces file which is:
Options -MultiViews
Now is working more than fine! Thanks to #kjetilh for the support.
I'm using the rule below in .htaccess to block bots that hammer my site for the listed .php files, i.e. mydomain.com/join.php:
<FilesMatch "(signup|register|join|timthumb)\.php$">
order allow,deny
deny from all
</FilesMatch>
But how can I also protect the same file names in folders in the tree, i.e. mydomain.com/otherdirectory/join.php?
Those file names in other directories are hit less often than root, but I'd still like throw an forbidden error rather than the site 404 page.
I tried, and since I'm on a shared server, I can't use the <Directory> directive.
You may try this in the .htaccess file in root directory:
Options +FollowSymlinks -MultiViews
RewriteEngine On
# Files to protect in next line
RewriteCond %{REQUEST_URI} (join|file1|file2)\.php [NC]
RewriteRule .+ - [F,NS,L]