My web host points my "main" domain name to the root www folder. The web files for that site are located in the "www/app/webroot" folder. I currently have the site up and running using the following in the htaccess file:
RewriteBase /
RewriteEngine on
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
I'm trying to start a dev site for the same site. I made a folder named "dev" in the www folder. So, the web files for this folder are in: "www/dev/app/webroot" I have a sub-domain pointing to the dev folder. When I use the same htaccess as above in the dev folder, it doesn't work because (I believe) it is inheriting the settings from the root www folder. When the page loads, it just comes up blank. How do I set up my htaccess files to allow for both sites?
Thanks in advance for any help! I'm obviously a novice at this stuff.
So we'll try to clean the things :-)
Avoid using .htaccess. All the settings in a .htaccess in a directory /foo/bar can be set in apache configuration as a Directory setting (.haccess is usefull if you provide limited access on apache conf, if you own the server don't use it).
<Directory /foo/bar>(...)</Directory>
Then you can access your sites with named based virtualhosts. Verify you have this option:
NameVirtualHost *:80
When you have it nice things can start.
This will be your virtualhost for your 1st app:
<VirtualHost *:80>
ServerName app
ServerAlias www.app.somwhere.com
ServerAlias app.somwhere.com
DocumentRoot /www/app/webroot
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /www/app/webroot>
Options Indexes FollowSymLinks
# this prevent.htaccess reading, remove if you want .htaccess
AllowOverride None
# allow web access
Order allow,deny
allow from all
</Directory>
</VirtualHost>
Most apache settings can be define here. Only for your 1st app. Apache will serve this configuration for all requests done for the site name 'app', or 'www.app.somwhere.com', or 'app.somwhere.com'. You can define a lot of alias(ServerAlias)., and only one name (ServerName).
Then if you go in your browser and type http://app/ your browser won't find the server, so set it in your /etc/hosts. This is what every people wanting to access your app should have in the hosts file until you get a real DNS (assuming your 1st app is app.somwhere.com and the second foo.somwhere.com and 92.128.52.226is your external IP):
127.0.0.1 app.somwhere.com app foo foo.somewhere.com
92.128.52.226 app.somwhere.com app foo foo.somewhere.com
And now let's add another virtualhost for your second app:
<VirtualHost *:80>
ServerName foo
ServerAlias www.foo.somwhere.com
ServerAlias foo.somwhere.com
DocumentRoot /www/foo/webroot
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /www/foo/webroot>
Options Indexes FollowSymLinks
# this prevent.htaccess reading, remove if you want .htaccess
AllowOverride None
# allow web access
Order allow,deny
allow from all
</Directory>
</VirtualHost>
And etc.
Don't forget to restart your apache. No rewrite rule. nice virtualhosts is the 1st step of a nice configuration, you will be able to define rules, directory or location specific things per name used. Even php configuration can be set per virtualhost with php_value instead of a global shared one on php.ini.
type
apache2 -S
to get the list of your virtualhosts, you'll see that the first one is the 'default' one, if apache does'nt understand the name of the requested site it will serve this default one (so you could ad a specific virtualhost on top to handle theses cases).
Try adding dev/ to the paths in lines 3 and 4 to your dev .htaccess.
Maybe you should remove the "RewriteBase /" line in the .htaccess in your dev folder?
Related
I have installed a nextcloud on my raspberrypi. I want to use it in my local network for file transfer and everywhere for contacts and the calendar.
My nextcloud is located at /var/www/html/nextcloud. I also created a file /etc/apache2/sites-available/nextcloud.conf to enable the virtual host. Basically:
<VirtualHost *:80>
DocumentRoot /var/www/html/nextcloud/
ServerName nextcloud.example.com
<Directory /var/www/html/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
</VirtualHost>
The nextcloud is reachable for the following links:
192.168.2.100/nextcloud
nextcloud.example.com
example.com/nextcloud
My question: Is there a way to forbid the access via example.com/nextcloud?
I tried to add deny, allow entries into /var/www/html/nextcloud/.htaccess. But either I block too much, or it does not work. Help is appreciated.
The fact that example.com/nextcloud is accessible at all is because you're pointing the subdomain at a subdirectory off the main domain's document root (as defined in the main domain's VirtualHost). If the subdomain is an entirely separate entity then it would be preferable that it points to an area outside of the main domain's document root.
I tried to add deny, allow entries into /var/www/html/nextcloud/.htaccess
If you want to block this in .htaccess (as opposed to the main domain's vHost config) then you need to check the requested Host header. And in doing this I would have thought it would be preferable to block anything other than the canonical hostname, ie. anything other that nextcloud.example.com (so it also blocks requests via the IP address). Rather than checking for the hostnames you want to block. You can do this using mod_rewrite, for example:
# /var/www/html/nextcloud/.htaccess
RewriteEngine On
RewriteCond %{HTTP_HOST} !^nextcloud\.example\.com$
RewriteRule ^ - [F]
The above responds with a "403 Forbidden" for any request where the requested Host header is not (as denoted by the ! prefix) nextcloud.example.com.
You could also block this subdirectory in the main domain's vHost container (not the subdomain). So it only applies to requests to example.com. For example:
<Directory /var/www/html/nextcloud>
Require all denied
</Directory>
Note that Order, Allow and Deny are Apache 2.2 directives and formerly deprecated on Apache 2.4. You should be using Require (mod_authz_core) on Apache 2.4.
is there anyway to defy .htaccess? I mean to break what the rule written in the .htaccess file.
I have a directory, and I don't want others to browse it. So I created .htaccess file and wrote this
Deny from all
Is there anyway people can break it?
Nope this is radical. Nobody can access it. It is safe and commonly used. The deny is made server side, so nobody can try to bypass it.
.htaccess files are as secure as Apache allows you to.
See for example, assuming your .htaccess file is located in /var/www/foo:
<Directory />
Allow From All
AllowOverride All # allow .htaccess files globally
</Directory>
<VirtualHost *:80>
ServerName www.foo.com
DocumentRoot /var/www/foo # impossible to access, thanks to .htaccess
</VirtualHost>
<VirtualHost *:80>
ServerName www.bar.com
DocumentRoot /var/www/foo # same directory as above
<Directory /var/www/foo>
AllowOverride None # woops .htaccess will not be read, files can be accessed from this vhost
</Directory>
</VirtualHost>
Therefore there is no guarantee ever that your files are securely protected, as long as you don't know (and don't understand) how your apache installation is configured.
I always have trouble when moving a site that I've developed in localhost into my hosting server with the .htaccess file. Specifically with relative paths to the files. It's not hard to fix, but it's quite bothering.
For example:
Whereas ErrorDocument 404 /foo/404.php works in the
hosting, for it to work in localhost I have to specify ErrorDocument
404 /projectroot/foo/404.php.
When using mod_rewrite, RewriteRule ^example/$ example.php [L,NC]
works in localhost, but for it to work in the hosting I must use
RewriteRule ^example/$ /example.php [L,NC] (note the slash before the file name).
It could be because I'm running localhost on Windows and my hosting is on Linux, but I don't think that's the problem.
So my question is, how can I ensure the paths to the files are correct when working locally or on the remote server? What is the "working directory" for the .htaccess file?
This may look slight more complicated then it seems, but I would work out your issue in the following way.
Create a dev domain on the C:\Windows\System32\drivers\etc\hosts file pointing to the IP 127.0.0.1 which is the localhost IP.
The domain name doesn't really matter just something easy for you to use for that given project for example test.dev so the hosts file would look like this:
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 localhost
127.0.0.1 test.dev
127.0.0.1 www.test.dev
Now define where the folder for that project will be, I will use c:\projects\test for this example.
Now create on your web server a new virtualhost for the domain you have just created, here is a sample of virtualhost that I use:
<VirtualHost *:80>
ServerAdmin root#localhost
DocumentRoot "C:/projects/test"
ServerName test.dev
ServerAlias www.test.dev
ErrorLog "C:/projects/logs/test.dev_error_log"
CustomLog "C:/projects/logs/test.dev_access_log" common
RewriteLog "C:/projects/logs/test.dev_rewrite_log"
RewriteLogLevel 9
ScriptAlias /cgi-bin/ "C:/projects/test/cgi-bin/"
<Directory "C:/projects/test">
Options -Indexes FollowSymLinks +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory "C:/projects/test/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Restart your server to activate the changes, you do not need to restart the computer for the hosts file, it should work immediately once you save it.
Now you can use http://www.test.dev or http://test.dev and you can use the very same .htaccess on both, dev and live sites.
Some other tips:
Always use and define RewriteBase / as it can make a difference specially when you want to use rules without the / at the start, like you have mentioned for RewriteRule ^example/$ example.php [L,NC]
Depending on the rules you want to use, you may need to specify -MultiViews so I often just leave it on by default, like this:
Options +FollowSymLinks -MultiViews
As you can see on my virtualhost setup, I define the access, error and rewrite logs into the logs folder by default and with the domain name in question so when I need to see what is going on I have an easy access with the clear logs for that domain only and not my whole bunch of projects running on the same virualhost.
I guess that is about it, you don't really need that huge virtualhost that's just how I use it and its not like I need to copy and paste it all the time as I have my own simple script to create new domains and do all the work for me.
I am unable to stop apache from creating directory listings when using the server IP address. I have tried editing the relevant site-available files as follows;
<VirtualHost *:80>
JkMount /* default
ServerName example.co.uk
ServerAlias www.example.co.uk
ServerAdmin me#example.co.uk
DocumentRoot /var/www/example.co.uk/public_html
ErrorLog /var/www/example.co.uk/logs/error.log
CustomLog /var/www/example.co.uk/logs/access.log combined
<Directory /var/www/example.co.uk/public_html>
Options -Indexes
</Directory>
</VirtualHost>
...but the public_html folder contents are being listed if I access the server using a url of this format;
http://192.168.1.99/example.co.uk/public_html
I have also tried to amend the apache config file at /etc/apache2/apache.conf to include the following;
<Directory />
Options -Indexes
</Directory>
..but no joy.
I am using Tomcat, and I need my WEB-INF folder to deny access. It doesn't, and so any .class files can be downloaded.
Does anyone know how I can fix this?
thanks
This sounds a little weird. Do you have an Apache HTTPD in front of an Apache Tomcat Server?
In this case the Apache HTTPD must not point to a directory where the Apache Tomcat files reside! The communication between both can be seen more as a proxy rather than a plugin.
We have some good experience using mod_proxy_ajp for this purpose. But if you are able to download .class files and (panic mode on) the web.xml (panic mode off) something is terribly wrong.
This means that it will not reach your VirtualHost settings, but default virtual host settings.
You have 2 options (at least):
1, put .htaccess file to your directory for which you want to restrict listing
2, Setup you IP based virtual host with similar settings as your name-based vhosts
You said that you put
<Directory />
Options -Indexes
</Directory>
You should have Location instead of Directory there
What if you add /* to the end?
<Directory /var/www/example.co.uk/public_html/*>
Options -Indexes
</Directory>
Update:
Or try to add the entry outside the VirtualHost directive.
I am trying to set up a VirtualHost for some web projects I have undergoing. To do this, I have a folder in my User account ~/Projects/ in which I place all of my projects and I want to remain like that. When I tried to create a VirtualHost under ~/Projects/aproject/web Apache denies me access.
After some tries, I discovered that if I put the project under other directory than the user space (~/....) the Apache lets me create the VirtualHost that otherwise denies access.
I think this problem has to do with the UserDir directive which I think prevents access to every folder in user space but the ones listed in the UserDir - in my case it is UserDir Sites - but I do not know how to circumvent this and allow Apache to serve custom user space folders. Any ideas?
The directives in httpd.conf that I am trying are this ones:
<VirtualHost *:80>
DocumentRoot "/Users/myuser/Projects/myproject/web"
ServerName www.myproject.local
</VirtualHost>
<Directory "/Users/myuser/Projects/myproject/web">
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
I also have set the directive NameVirtualHost *:80 in httpd.conf.
And created the appropriate directive in /etc/hosts: 127.0.0.1 www.myproject.local.
Best regards.
You may need to alter the config for your user:
users/{username).conf
Then all AuthConfig to AllowOverride