Topic: .htaccess is visible via browser
Mister Nice
Joined: 07 Nov 2016 Posts: 9 Location: USA
Posted: Wed 15 Nov '17 22:24 Post subject: .htaccess is visible via browser
Apache/2.2.15 (Unix)
--------------------
Hi,
I have a somewhat urgent question regarding .htaccess being visible on the web via a browser request.
I'm setting up a new server, and was attempting to prevent certain files being requested, and so I was testing out the <Files ...> directive, and the <FilesMatch ...> directives in .htaccess, but couldn't get them working. So, I started playing around a bit, and found another, more important issue.
I just casually requested .htaccess in the browser URL, expecting it to be denied, as I have the following code in httpd.conf:
Code:
    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>
... but lo and behold, the file was served up as plain text, and readable in the web browser. I've played with "AllowOverride All" and "AllowOverride None", but it doesn't make any difference to either the original files problem or the .htaccess problem.
Well, confident that on my other servers, which have been up for years, I did not have this problem, I tried the same .htaccess request, and to my astonishment that server is also serving up .htaccess as plain text when requested.
Any idea what gives? I can't believe that it's not working, especially given that the code comes as standard in httpd.conf.
I have owner/group of apache on one .htaccess:
Code:
    -rw-r--r--. 1 apache apache 4813 Oct 29 13:41 .htaccess
and owner/group of apache/web on the other:
Code:
    -rw-r--r-- 1 apache web 177 Nov 15 20:07 .htaccess
Originally the second .htaccess (on the new server) was root/root, but same issue.
It's obviously very important for me to figure out what the issue is, and any assistance would be appreciated. Thanks!
Update:
Okay, I've managed to figure out how to prevent the hidden files being served, but I'm not sure why/how to fix properly. Turns out that on each machine, I had added a <Location "/"> section, in which I had code to deny bad-bots server-wide. That's all that was in the <Location "/"> section, and the bad bots code worked fine. However, removing that section entirely resolves the other issues (both the <FilesMatch ...> and <Files ...> directives now work, as does the original code in httpd.conf for denying the \.ht* hidden files).
However, I now have an issue in that I have no bad-bots code in my httpd.conf file, and would like to know how to correctly include a <Location "/"> section in httpd.conf without screwing up everything else. Any assistance appreciated!
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 16 Nov '17 0:28
Seeing in what order the sections of the config files are merged (Files before Location), something in that Location container is overriding this; you figured that much out of course. What it is, however, no one here will be able to figure out without knowing what is in said Location container.
Mister Nice
Joined: 07 Nov 2016 Posts: 9 Location: USA
Posted: Thu 16 Nov '17 0:34
Apparently so, but there are no directives in the Location section other than the ones to ban bad bots.
Hence my question. I already looked at the Location docs but can't see what it is that I may be doing incorrectly.
To all intents and purposes it seems set up fine.
If the order of the sections is relevant, as it sometimes can be, then I think they're in the correct order.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 16 Nov '17 1:43
Ah-ha, well maybe,
I added a <location /> container that simply had Require all allowed in it. I could then see my .htaccess file. Which I knew would happen.
So in yours you may be allowing access provided it's not a bad bot (stupid assumption). We know location overrides files so if it's not a bad bot, it becomes fair game.
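The override described in this reply, as an added example in Apache 2.2 syntax (not configuration posted by either participant). The contents of the `<Location "/">` block were never shown in the thread, so its shape here is an assumption, as are the `bad_bot` variable name and the `/var/www/html` path; the two bot names are the ones that appear in the thread.

```apache
# Added example, Apache 2.2 syntax (Order/Allow/Deny). Constructed, not
# taken from the thread. Sections are merged in the order
# Directory -> Files -> Location, and mod_authz_host has no merge step:
# the last matching section that sets access control replaces the rest.

# Mark unwanted user agents (bad_bot is a hypothetical variable name).
SetEnvIfNoCase User-Agent "AhrefsBot" bad_bot
SetEnvIfNoCase User-Agent "AlphaBot"  bad_bot

# Stock httpd.conf rule: never serve .htaccess / .htpasswd.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# WEAK (assumed shape of the removed block): Location is merged after
# Files, so for any client that is not flagged as a bad bot the
# "Allow from all" here replaces "Deny from all" above, and
# /.htaccess is served as plain text.
#<Location "/">
#    Order allow,deny
#    Allow from all
#    Deny from env=bad_bot
#</Location>

# CORRECTED: carry the same bot rule in the Directory block for the
# document root (path is an assumption). Directory is merged before
# Files, so the .ht deny is applied afterwards and still wins.
<Directory "/var/www/html">
    Order allow,deny
    Allow from all
    Deny from env=bad_bot
</Directory>
```

After a reload, a request for `/.htaccess` should return 403 for every user agent, and a request carrying one of the listed bot user agents should return 403 for every path.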
Mister Nice
Joined: 07 Nov 2016 Posts: 9 Location: USA
Posted: Thu 16 Nov '17 6:00
Hmm ... I'll have another look tomorrow and test out the precedence of File and Location directives.
Mister Nice
Joined: 07 Nov 2016 Posts: 9 Location: USA
Posted: Thu 16 Nov '17 18:26
Went a different route in the end, and used a different idea:
Code:
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_USER_AGENT} AhrefsBot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} AlphaBot [NC,OR]
    ....
    ....
    RewriteRule ^(.*)$ - [L,R=403]
    </IfModule>
instead of using a Location section.