I'm trying to setup custom error pages.
I put the pages in /error/ in the document root. However, I think this may have a conflict as .htaccess can not access the file I specified.
I did set AllowOverride All in my apache config file.
If I go to /error/, a 403 error appears.
I can confirm that my .htaccess is being read, because if I enter some random text into the .htaccess, it will return a internal server error.
rewriting is enabled.
Here is my .htaccess
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
<Files .htaccess>
order allow,deny
deny from all
</Files>
ErrorDocument 404 /error/noexist.html
If I put the error page in the document root and set it in the htaccess, it will read fine.
The problem is that it can't read the contents of the /error/ directory.
/error/ is a directory, right? The default Apache configuration is to return a 403 Forbidden status when trying to access the root of a directory that does not contain an index page unless Options +Indexes is set, which will cause the server to automatically generate and show a list of files and subdirectories.
If you want the error page to show in this case, you could try adding the same ErrorDocument line with 404 changed to 403.
Did you set directory permissions?
<Directory "C:/path/to/htdocs/error">
Options FollowSymLinks
Order allow,deny
Allow from all
</Directory>
I think this requires access to Apache's httpd.conf, though. Do you have access to that?
Related
I was playing around with .htaccess files and I was wondering, completely out of curiosity, is it possible to redirect access to the .htaccess file itself to another file?
Example:
User goes to http://www.example.com/.htaccess
I want the user to be redirected to index.php?foo=bar
I've tried the following:
Redirect 301 /.htaccess /index.php?foo=bar
And
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^((?s).*)$ index.php?foo=bar [QSA,L]
</IfModule>
These methods work on any other file, but the .htaccess file itself always results in a 403 Forbidden page showing up.
Is this possible? If not, then why?
If you look in your webservers configuration file you will find some directive that prevents users from accessing .htaccess or .htpasswd file from the browser. For instance if I open up my apache configuration, located at /etc/apache2/apache.conf I can spot the following lines:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
So you should be able to change the above to:
Order allow,deny
Allow from all
you also need to make sure that you have the correct file permission on the .htaccess file and finally restart your server using:
sudo service apache2 restart
Of course doing the above would not be very secure.
I need to allow only specific IPs to access my site (www.domain.com/mysite). In htaccess I put this code:
ErrorDocument 403 /error403.html
order deny,allow
deny from all
allow from 1.1.1.1
But it looks for error403.html in root folder instead of "mysite" folder. I tried with ErrorDocument 403 /mysite/error403.html still doesn't work. I tried with RewriteBase /mysite also doesn't work.
So you're telling apache to not allow access to everything in /mysite, then you're telling apache to send any 403's (which is the result of attempting to access something in /mysite) to load a page in /mysute. So of course this isn't going to work. You're probably going to need to make an exception for /mysite/error403.html:
SetEnvIfNoCase Request_URI ^/mysite/error403.html$ allow_ok
ErrorDocument 403 /mysite/error403.html
order deny,allow
deny from all
allow from 1.1.1.1
allow from env=allow_ok
I have two index files and i want both to be there. I wrote DirectoryIndex index.php index.html in my .htaccess file. This is the only line in my .htaccess file and when i opened site browser is giving error 500.
The server probably hasn't set AllowOverride Indexes. If they haven't then DirectoryIndex in an .htaccess file isn't allowed, and you get 500 when you try.
Some options:
See if the web provider will grant AllowOverride Indexes in your URL space.
Ask what values of DirectoryIndex they do allow (maybe index.php, index.cgi, etc.) and use one of those instead.
Use a RewriteRule (if they allow that :| ), for example:
RewriteRule ^$ index.php
I've got a situation where I'm trying to deny access to all files in a subdirectory of my website. I have added an htaccess file to this subdirectory and added a deny from all directive to it. However, I also have an htaccess file in the site root, which allows specific file types, and it seems like these file types are still accessible in the subdirectory even though I no longer want them to be. I have a workaround for this (see below), but I feel like there must be a better way. Here are my two htaccess files:
Root .htaccess
# Deny access to everything by default
Order Deny,Allow
deny from all
# Allow access to html files
<Files *.html>
allow from all
</Files>
Subdirectory .htaccess
# Deny access to everything
deny from all
Workaround:
Subdirectory .htaccess
# Deny access to everything
Order Allow,Deny
deny from all
<Files *.*>
deny from all
</Files>
This does what I want, but I feel like there should be a way to make the deny from all statement work by itself. Does anyone know how?
You can have your Root .htaccess like this
# Deny access to everything by default
Order Deny,Allow
deny from all
# Allow access to html files
<Files *.html>
allow from all
</Files>
# Deny access to sub directory
<Files subdirectory/*>
deny from all
</Files>
There is no need for a separate .htaccess in the sub directory.
You are allowing access to all html files in your .htaccess in the Root Directory and not denying it anywhere in the sub directory in the first case. Apache parses all your rules and uses the last matching rule, unlike firewalls (which uses the first rule match hit). The global rules are read first and the the specific rules later.
Order of directives in apache is really not obvious.
You have a complete description of it on the documentation "How the sections are merged".
Here is an excerpt:
The order of merging is:
<Directory> (except regular expressions) and .htaccess done simultaneously (with .htaccess, if allowed, overriding <Directory>)
<DirectoryMatch> (and <Directory ~>)
<Files> and <FilesMatch> done simultaneously
<Location> and <LocationMatch> done simultaneously
<If>
So what happens is that your <File> directive is handled after the Directory ones (as a .htaccess is in fact a Directory directive for the current directory).
It works in your given exemple as theses files directives are in fact nested in the .htaccess Directory directives, and the second File directive is applied after the parent directory one.
You cannot use a <FileMatch> directive in the parent, where files from the subdirectory would be excluded, as fileMatch is only working on the file name, and not on the file path. But you could maybe try with a LocationMatch, but it would maybe end in a quite complex one, to forbid also location hacks with dots.
In fact the solution I would use here is a RedirectMatch in the parent folder:
RedirectMatch 403 ^.*\.html$
After finding this thread I couldn't get it to work for a while, then I found out why, and thus hence my answer, to (hopefully) help people with the same problem in the future.
I copied #bansi's answer, like this:
#Deny access to everything by default.
Order Deny,Allow
deny from all
# Allow access to the root index.php.
<Files index.php>
allow from all
</Files>
#allow access to the other .PHP files
<Files pages/*.php>
allow from all
</Files>
And it did work partly, I couldn't access any javascript files in my js folder, or .PHP files that are not in the pages folder.
But I couldn't access my index.php file in the root folder, even though it is in the rules. the problem turned out to be because I also rewrited /index.php to -> /home like this:
RewriteRule ^home$ index.php [L]
the solution is to add this:
<Files home>
allow from all
</Files>
How can I deny access to a directory in .htaccess?
I don't mean directory listing, I mean everything that is inside the directory along with the directory itself? It should give a 503 or 404 error.
I am talking about /img-sys and /java-sys which apparently do not exist (I did not create them), but still give a white screen when accessed rather than a 404 error.
Put this at the top of your .htaccess file:
RewriteRule ^(img-sys|java-sys) - [R=404]
This will do it. It'll just fail with a 403 Forbidden HTTP response code. Stick that in your VirtualHost block:
<LocationMatch "/(img|java)-sys">
Order allow,deny
Deny from all
</LocationMatch>