.htaccess is still allowing access to files - php

If I want to prevent a random user from using the URL to browse to a web file, I need to use an .htaccess file.
I have added my code below. I have created an .htaccess file and placed it within my include folder to prevent users from navigating to and reading my database.php file.
Following the instructions found here: https://www.plothost.com/kb/how-to-deny-access-to-a-specific-file-on-your-site-via-htaccess/
Of course I made some slight alterations.
Here is the code in my .htaccess file:
<files database.php>
Order Allow,Deny
Deny from all
</files>
Using the above, I am still able to URL right to the database.php file. I need to prevent this from happening.
What am I doing wrong?

Please check the following:
Make sure your .htaccess file is really called ".htaccess".
The .htaccess file must be in the correct directory, or the path of the file must be relative to the .htaccess file.
I just ran this on my machine. The same code you have used.
My structure:
The files are identical. I commented out the content in the .htaccess file in the root dir. So now I can call localhost:8080/database.php but not localhost:8080/test/database.php => I get an Error 403 (access denied).
EDIT
How about this guide here?
setup htaccess
Looks legit. This is my config. According to the guide, it is just about setting up this config file and restarting.
EDIT 2
I found out that the httpd.conf I had opened is not the correct one.
I found the correct one under: Application/XAMPP/xamppfiles/etc/httpd.conf.
In this file you have to search for:
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/Applications/XAMPP/xamppfiles/htdocs"
<Directory "/Applications/XAMPP/xamppfiles/htdocs">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/trunk/mod/core.html#options
# for more information.
#
#Options Indexes FollowSymLinks
# XAMPP
Options Indexes FollowSymLinks ExecCGI Includes
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
#AllowOverride None
# since XAMPP 1.4:
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
Here you find this:
# "AllowOverride None" deactivates .htaccess:
#AllowOverride None
# since XAMPP 1.4:
# "AllowOverride All" activates .htaccess:
AllowOverride All
At least for me this was solely responsible for the .htaccess rewrite. When I set it to AllowOverride None the .htaccess is completely ignored.

You may do this using a mod_rewrite rule in site root .htaccess:
RewriteEngine On
RewriteCond %{THE_REQUEST} /database\.php[?\s/] [NC]
RewriteRule ^ - [F]

Related

Site deployment connection refused for Laravel Project hosted on EC2 instance

I'm trying to get my site deployed using Laravel on an AWS EC2 instance running CentOS7. I've checked to make sure the ports and traffic settings are correct and they are as I was able to hit the apache landing page prior to editing the conf and I am also able to ssh in and ping the IP, but I believe I am possibly having some issue with the config files. This is what I hit when I hit the endpoint:
My httpd is running and I was able to access the apache landing page prior to editing my config files.
Here is the main part of my httpd.conf (please note: I didn't include the whole thing because it is massive and consists of mostly commented out code):
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/[project_path]/public"
#
# Relax access to content within /var/www.
#
<Directory "/var/www/[project_path]/public">
AllowOverride All
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/[project_path]/public">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
and here is my added project.conf file inside of conf.d:
<Directory "/var/www/[project_path]/public">
AllowOverride All
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/[project_path]/public">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
<Directory "/var/www/[project_path]/public">
Options -Indexes
</Directory>
<VirtualHost hostIP:80>
ServerName hostIP
DocumentRoot /var/www/[project_path]/public
TraceEnable Off
</VirtualHost>
ServerTokens Prod
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>
<IfModule mpm_prefork_module>
StartServers 50
MinSpareServers 10
MaxSpareServers 30
ServerLimit 50
MaxClients 50
MaxRequestsPerChild 100
</IfModule>
Any help would be greatly appreciated!
Your RewriteEngine is redirecting port 80 to HTTPS which goes to port 443 which is not defined.
If you want to run the server under port 80 (HTTP connection), remove the
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>
Resolved this by adding an ssl.conf file along with a project.conf.bak in conjunction with the project.conf file

Laravel document root Forbidden with HTTP 403 error

I have Laravel installed on a CentOS 7 server. PHP, MariaDB and HTTPD are installed and work. All services are up and working. Browsing the document root shows
Forbidden
You don't have permission to access / on this server.
This is the document root of my server:
DocumentRoot "/var/www/html/api/public"
Document root configurations
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
This is welcome.conf file ( /etc/httpd/conf.d/welcome.conf)
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /.noindex.html
</LocationMatch>
<Directory /usr/share/httpd/noindex>
AllowOverride None
Require all granted
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
What can I do for this issue?
Create and put this .htaccess file in your app folder.
RewriteEngine on
RewriteCond %{REQUEST_URI} !^public
RewriteRule ^(.*)$ public/$1 [L]
The server configuration below fixed the issue for me.
Grant Folder Permission and Set ownership
chown -R apache:apache /var/www/html/laravel
chmod -R 755 /var/www/html/laravel/storage
Restore Security
restorecon -R /var/www
Disable SELinux
setenforce 0

Apache mod_rewrite and php

I have a slight problem.
I used a simple PHP framework from GitHub and have worked on it and added new functions and so on.
The framework that I have had help with is this:
https://github.com/panique/mini
Everything works perfectly in a MAMP environment, but now that I was going to test it on a live website in an Apache environment, it does not work that well.
It obviously can read the index file, since I point the directory to the directory that should be used for Apache.
But when I make a call to a controller (domain.com/login), it results in Apache giving me:
"Not Found: The requested URL /login was not found on this server."
I have enabled rewrite with: service a2enmod rewrite, and I double-checked that it is a loaded module when looking in phpinfo().
The .htaccess file that is located in the "/var/www/html/php-project/public" directory (where I have pointed to in my virtual host file)
is the following:
# Necessary to prevent problems when using a controller named "index" and having a root index.php
Options -MultiViews
# Activates URL rewriting
RewriteEngine On
# Prevent people from looking directly into folders
Options -Indexes
# If the following conditions are true, then rewrite the URL:
# If the requested filename is not a directory,
RewriteCond %{REQUEST_FILENAME} !-d
# and if the requested filename is not a regular file that exists,
RewriteCond %{REQUEST_FILENAME} !-f
# and if the requested filename is not a symbolic link,
RewriteCond %{REQUEST_FILENAME} !-l
# then rewrite the URL in the following way:
# Take the whole request filename and provide it as the value of a
# "url" query parameter to index.php. Append any query string from
# the original URL as further query parameters (QSA), and stop
# processing this .htaccess file (L).
RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]
00-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName www.domain.com
ServerAlias domain.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/php-project/public
<Directory />
AllowOverride All
</Directory>
#DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
apache.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
AccessFileName .htaccess
I don't think the problem is within the PHP itself.
That's why I haven't added my code, since it's so many classes, but the code is, as I said, based on the framework in the beginning of the question.
Do any of you see any obvious problems in the confs?
I have searched and searched for answers, but I don't seem to get it right. So I would really, really appreciate some help.
Any questions, just ask.
Thanks
Please follow the proper way of accessing the rewrite module in apache2.
First enable the rewrite module in Apache using the command below:
$ sudo a2enmod rewrite
Open the apache2.conf file
$ nano /etc/apache2/apache2.conf
Update the section
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Remove the section from 00-default.conf
Remove the below lines
<Directory />
AllowOverride All
</Directory>
Then finally restart your apache2.
$ sudo service apache2 restart
or
$ sudo /etc/init.d/apache2 restart

Server-generated directory index forbidden by Options directive

I know this question has been asked a bunch of times but I'm not finding any answer that helps.
So I have two pages, index.php and refer.php. I put a rule into my httpd.conf that used mod_rewrite to get rid of the .php extension when a user goes to the page. Refer.php worked fine to show up as just refer, but trying to go to index.php gives me a Forbidden error.
Error log shows this:
AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.php,index.html) found, and server-generated directory index forbidden by Options directive.
Here's the relevant part of my httpd.conf:
<Directory "/var/www">
AllowOverride All
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
The file index.php exists, of course. Any help?
Edit:
The url is just the root url - like domain.com. It should access index.php, which it did fine before I did the mod_rewrite. So I expect the index page to come up, which it doesn't because of the errors that I described above. .htaccess file is just all defaults except for:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule (.*) $1.php [L]

Apache server ignores .htaccess

I'm trying to get a website working on my test environment, but somehow it is not working. I can load the normal index page, but when I want to access /page/test it throws an error saying the page does not exist. My log says:
File does not exist: /home/page_url/www/page
Which is in fact true, but it should go to my Page controller instead and load the test method.
My .htaccess looks like:
# Turn on URL rewriting
RewriteEngine On
# Installation directory
RewriteBase /
# Protect hidden files from being viewed
<Files .*>
Order Deny,Allow
Deny From All
</Files>
# Protect application and system files from being viewed
RewriteRule ^(?:application|modules|system)\b.* /$0 [L]
# Allow any files or directories that exist to be displayed directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Rewrite all other URLs to index.php/URL
RewriteRule .* index.php/$0 [PT]
My vhost configuration looks like:
<VirtualHost *:80>
ServerName page_url
Include /etc/apache2/vhosts.d/vhco.include
DocumentRoot "/home/page_url/www/"
# Logging
CustomLog /var/log/apache2/access_log common
ErrorLog /var/log/apache2/error_log
# This should be changed to whatever you set DocumentRoot to.
<Directory "/home/page_url/www/">
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
Options Indexes FollowSymLinks
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
AllowOverride All
# Controls who can get stuff from this server.
Order allow,deny
Allow from All
</Directory>
<IfModule alias_module>
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
</IfModule>
# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
<Directory "/home/page_url/www/">
AllowOverride None
Options None
Order allow,deny
Allow from All
</Directory>
</VirtualHost>
I'm using Gentoo.
Any help would be appreciated.
<Directory "/home/page_url/www/">
AllowOverride None
This AllowOverride None disables .htaccess files from being read. See the manual.
Also, please bear in mind that there's nothing magical about .htaccess files. They are a crude workaround for not having full access to the server configuration. All they are is a piece of Apache configuration. If you have full access to the server configuration, you should be putting stuff like this into the vhost configuration, not .htaccess files.
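Added example, not from the original posts: a Python check for the cause found in the XAMPP answer and in the Gentoo vhost above. It resolves which `AllowOverride` ends up applying to a directory and whether a given .htaccess is then ignored, accepted, or rejected (by default Apache answers 500 when a directive's override class is not allowed). Assumptions: the configuration is supplied as one text in load order, only plain `<Directory>` paths are handled (no wildcards, `<DirectoryMatch>` or per-vhost ordering), the default is the Apache 2.4 one (`AllowOverride None`), and all function and constant names are this example's own.

```python
import re

# Constructed samples: the two same-path <Directory> sections of the Gentoo
# vhost above, and the .htaccess from the first question on this page.
SAMPLE_VHOST = """
<VirtualHost *:80>
    <Directory "/home/page_url/www/">
        AllowOverride All
    </Directory>
    <Directory "/home/page_url/www/">
        AllowOverride None
    </Directory>
</VirtualHost>
"""
SAMPLE_HTACCESS = "<files database.php>\nOrder Allow,Deny\nDeny from all\n</files>\n"

# Override class each directive needs before it may be used in .htaccess.
NEEDS = {"order": "limit", "allow": "limit", "deny": "limit", "require": "authconfig",
         "options": "options", "rewriteengine": "fileinfo", "rewritebase": "fileinfo",
         "rewritecond": "fileinfo", "rewriterule": "fileinfo"}

def _parts(path):
    return [p for p in path.strip("\"'").split("/") if p]

def directory_sections(conf_text):
    """Return [[path components, AllowOverride words or None], ...] in file order."""
    sections, current = [], None
    for line in map(str.strip, conf_text.splitlines()):
        opened = re.match(r'<Directory\s+("[^"]*"|[^\s>~]+)\s*>$', line, re.I)
        if opened:
            current = [_parts(opened.group(1)), None]
            sections.append(current)
        elif line.lower() == "</directory>":
            current = None
        elif current is not None:
            # Commented-out lines start with '#', so they never match here.
            setting = re.match(r"AllowOverride\s+(.+)$", line, re.I)
            if setting:
                current[1] = setting.group(1).split()
    return sections

def effective_allow_override(conf_text, directory, default=("None",)):
    """Apply matching sections shortest path first, then file order; the last one wins."""
    target, value, trace = _parts(directory), list(default), []
    hits = [(len(p), i, p, ov) for i, (p, ov) in enumerate(directory_sections(conf_text))
            if ov and target[:len(p)] == p]
    for _, _, p, ov in sorted(hits):
        value = ov
        trace.append(("/" + "/".join(p), " ".join(ov)))
    return value, trace

def check_htaccess(htaccess_text, override):
    """'ignored': file is never read; 'error': a directive is not permitted; else 'ok'."""
    allowed = {w.lower().split("=")[0] for w in override}
    if "none" in allowed:
        return "ignored", []
    blocked = []
    for words in (l.split() for l in htaccess_text.splitlines()):
        need = NEEDS.get(words[0].lower()) if words else None
        if need and "all" not in allowed and need not in allowed:
            blocked.append(words[0])
    return ("error", blocked) if blocked else ("ok", [])

if __name__ == "__main__":
    value, trace = effective_allow_override(SAMPLE_VHOST, "/home/page_url/www/")
    print(trace, "->", value, check_htaccess(SAMPLE_HTACCESS, value))
```

On a live server, `apachectl -S` shows which virtual hosts and configuration files are in effect, which is where the text to feed this check comes from.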
As Jim said, if you have full access to your server, you should just put everything in the server configuration files.
I reached here because I thought my server was ignoring my own htaccess/server configuration files. However, it turned out I had mod_expires and mod_rewrite disabled. After I had those two looked into, everything was working again as it should.
You can enable them by executing these commands:
sudo a2enmod expires
sudo a2enmod rewrite
Then restart apache
service apache2 restart
Hope this helps someone out there!
One thing to remember if your rewrite rules still don't work:
Also activate the ModRewrite module! It is not enabled by default in Ubuntu.
See other answer here on how to do that.
In my case the problem was the permissions for .htaccess file.
Solution:
sudo chown apache:apache .htaccess
