htaccess <Directory> deny from all - apache

I've been cleaning up my project lately. I have a main .htaccess in the root directory and 6 others. 5 of them ran Options -Indexes which i didn't see anypoint of allowing any Directory viewing so moved that to the main one. so now i only have 2 .htaccess files. the main and one in /system which holds
# Block External Access
deny from all
So i wanted to run that on /system only from within the main. So i deleted the one in /system and added
# Block External Access
<Directory "/system/">
deny from all
</Directory>
to my main .htaccess file leaving 1!
but now i get a
Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.
Please contact the server administrator, webmaster#localhost and
inform them of the time the error occurred, and anything you might
have done that may have caused the error.
More information about this error may be available in the server error
log.
Apache/2.2.17 (Ubuntu) Server at 10.0.1.5 Port 80
The goal is to block reading any files in /system and it's sub directory's but allow viewing of everything else all from one .htaccess file for the whole project. Any ideas on how i can fix this? I did some Google searches but couldn't really come out with anything.

You cannot use the Directory directive in .htaccess. However if you create a .htaccess file in the /system directory and place the following in it, you will get the same result
#place this in /system/.htaccess as you had before
deny from all

You can also use RedirectMatch directive to deny access to a folder.
To deny access to a folder, you can use the following RedirectMatch in htaccess :
RedirectMatch 403 ^/folder/?$
This will forbid an external access to /folder/ eg : http://example.com/folder/ will return a 403 forbidden error.
To deny access to everything inside the folder, You can use this :
RedirectMatch 403 ^/folder/.*$
This will block access to the entire folder eg : http://example.com/folder/anyURI will return a 403 error response to client.

You can use from root directory:
RewriteEngine On
RewriteRule ^(?:system)\b.* /403.html
Or:
RewriteRule ^(?:system)\b.* /403.php # with header('HTTP/1.0 403 Forbidden');

Related

.env file exposed only when accessing via https and website IP address

I can't wrap my head around why the .env is still exposed. The website has an HTTPS certificate. I have the .env file denied in the .htaccess file like so:
# Disable index view
Options -Indexes
# Hide a specific file
<Files .env>
Require all denied
</Files>
It is blocked properly (403 forbidden error) on these URLs:
https://example.com/.env
http://example.com/.env
http://###.IPaddress.###/.env
But is still visible here by ignoring the "not secure" warning:
https://###.IPaddress.###/.env
Likewise, there is still the Apache Testing 123 page being served as the homepage for the above URL (when not accessing the .env file). How can I block this file?
You probably have a default <VirtualHost *:443> that is catching the request (the first vHost that is defined in the server config is the "default") and this probably doesn't allow .htaccess overrides (ie. AllowOverride is not defined or set to None) so the .htaccess file is not processed.
You need to ensure that the default vHost that is catching the request either blocks requests to the IP address entirely, or redirects to the canonical hostname.
See the following question on ServerFault for more detail on configuring this:
https://serverfault.com/questions/914649/htaccess-block-access-when-http-host-is-ip-security

Exclude a directory from custom ErrorDocuments

Currently I have a few ErrorDocuments in my .htaccess (which is located in the www/site directory) like ErrorDocument 404 /site/error, which work.
However, there is one directory in this site dir which should not have these custom error documents. So whenever an user tries to access /site/no_custom_errors/non_existing_file.png, I should get the default Apache error page and not my custom error.
How would I achieve this?
Your apache config for that directory can change it, or if "AllowOverride FileInfo" (see: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride) is active for that site or directory, then an .htaccess file in that directory will work containing:
ErrorDocument 404 /site/otherErrorDoc
see: http://httpd.apache.org/docs/current/mod/core.html#errordocument
Alternatively, it could be done in a <directory> directive in httpd.conf or in a virtual host like so:
<Directory path/to/special/directory>
ErrorDocument 404 /site/otherErrorDoc
</Directory>
see: http://httpd.apache.org/docs/2.2/mod/core.html#directory

Use the RewriteEngine to direct away from a denied directory

The setup
root/
.htaccess :
Deny from All
RewriteEngine On
RewriteRule secret.txt /root/public/welcome.txt
secret.txt
public/
.htaccess :
Allow from All
welcome.txt
The problem
A request to /root/secret.txt results in a 403 (Forbidden) response that tells me I have no access to /root/secret.txt. (A direct request to /root/public/welcome.txt is permitted.)
Thus, it seems to me that the RewriteEngine does nothing to a request that would be denied by a Deny from All directive.
The question
It would be nice if someone knows a way to get the expected /root/public/welcome.txt served. However, it would be nicer if someone could help me reach my eventual goal.
The goal
I decided to write down my eventual goal, because maybe I'm just looking in the wrong direction.
I would like to Deny from All in the root, and have subdirectories decide when to override that with an Allow. Then I would also like Apache to rewrite all requests that would result in a 403 or 404 to a single specific file. As of yet, I'm planning to do this with a !-U flag, but I can't get past my initial problem.
Yo may try this in the .htaccess file at root directory:
Deny from All
ErrorDocument 404 /Error403_404.php
ErrorDocument 403 /Error403_404.php
"Error403_404.php" is an example. Replace with the 403 and 404 error handler script.

typing DirectoryIndex into .htaccess and it doesn't work?

This is so frustrating. My root directory is at home/websitename/websitename/ and my httpd.conf has nothing in it!
My .htaccess is in the same directory as the index.php is supposed to be and all I'm typing into .htaccess (and FTP identifies this as an HTACCESS file) is:
DirectoryIndex Home.php
The error message I get when trying to visit the site is a 403 forbidden to list the directories of "/"
the AllowOverride directive is set to All
Ok actually I made a dumb mistake.
Basically all the things one needs to check in order for the .htaccess to work are these:
Create a .htaccess file in the main directory. Make sure the .htaccess file is made in a file editor for ACSII. (notepad++, dev editor, NO Microsoft Word)
Make sure AllowOverride is set to All in the Apache configuration for your website. It should be under <directory>
Make sure to restart apache after making any changes to the Apache file!! Note that even though .htaccess does not require you to restart Apache, changing anything in the website configuration file requires you to restart Apache in order for it to function.
Lastly, your website should output a 500 Internal Apache Error if it is able to actually read the .htaccess file, NOT a 403: Access Forbidden or directory listing.

Apache not processing encoded URLs with %3F

The problem url links to my website are of the form
/fullpage.php%3F%20cp3_Hex%3D0F0200%26cp2_Hex%3D000000%26cp1_Hex%3DFC2024
The un-encoded url is
/fullpadge.php?cp3_Hex=0F0200&cp2_Hex=000000&cp1_Hex=FC2024
Apache returns a:
403: You don't have permission to access /fullpage.php? cp3_Hex=0F0200&cp2_Hex=000000
I have tried the following rewrite rule
RewriteRule ^/fullpage.php%3F(.*)$ /fullpage.php?$1
to no avail
Any ideas
You are almost certainly getting a 403 error.
The error is caused because ? is a banned file/directory name character on Windows and Linux. This means when Apache attempts to find a file or directory named "/document/root/index.php?blah" (after decoding) and it causes a 403 error. This is before the .htaccess files are read so you cannot use mod_rewrite in the .htaccess file to override this 403 error or an ErrorDocument defined in the .htaccess file to catch this error.
The only way to catch %3f is to use mod_rewrite or an ErrorDocument in a "VirtualHost" e.g. in httpd-vhosts.conf (or the main server configuration if there aren't any "Virtualhost"s e.g. in httpd.conf).