I have a quick question that's driving me insane and would appreciate the assistance.
On a live wordpress setup, how does accessing /wp-config.php from a browser result in a 403 error when you can access all other PHP files fine froma webbrowser? The config.php file has a chmod that permits public read AND there's no mention of it in the corresponding .htaccess.
Just very curious as to how it works. Thanks!
This is server specific, but you could definitely add a rule to the web server configuration to do this. For instance, using Apache, you could do something similar to this:
<Directory /var/web/dir1>
<Files private.html>
Order allow,deny
Deny from all
</Files>
</Directory>
My point here is that there are more ways to configure permissions for files served by a web server than file system permissions.
It should also be noted that if you are not the administrator of the machine running the web server, you may not have access to tweak these settings.
Related
I just got a VPS and it's running CentOS 6.8 with WHM 58.0. I really don't want the WHM, I only want to add one site to the server. So I just installed an FTP server and uploaded the files to the Apache root dir at /usr/local/apache/htdocs and gave all files chmod 777.
All works good, but when I go to PHP or ajax to PHP I get "403 Forbidden". I suppose the problem is in the http.config but I really have no idea. Here is my http.conf file and I don't have any .htaccess files.
Among other things, you want to make sure that the Linux user that is running Apache has permission to read and execute the PHP files where they are on the server.
This is a good guide for transferring PHP files and setting the permissions using PHP: https://www.digitalocean.com/community/tutorials/how-to-use-sftp-to-securely-transfer-files-with-a-remote-server
There's also a guide here to setting up the server and checking that PHP is set up correctly here, but I assume you have done this already: https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-16-04
I just replace this
<Directory "/usr/local/apache/htdocs">
Options Includes Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
With this
<Directory "/usr/local/apache/htdocs">
Options Indexes
Order allow,deny
Allow from all </Directory>
Hello
I am testing apigility on a Turnkey Lamp stack, and I am stuck on actually getting Apigility to show me its welcome page:
I want that^
Instead, upon visiting the document root of the virtual host I am using "//ipaddress:port/", I am redirected to "/apigility/ui" (This is the correct behavior for apigility)
When I arrive at "//ipaddress:port/apigility/ui" I get
Not Found
The requested URL /apigility/ui was not found on this server.
I am now stuck on how to move forward.
I have:
Made sure that the directory permissions are set correctly
Set up my virtual host (text at the bottom)
Made sure that my apigility dir is at the correct location
Made sure apigility is in development mode
Taken my googlefu to its limit
EDIT: I have also successfully opened a phpinfo.php page that I moved into the public folder of the apigility project
EDIT: If I turn off development mode, I do get the page that says how to turn on development mode. Possibly an issue with dev mode?
Edit: I attempted Rahman's fix, but it did not assist with apigility not correctly serving the apigility/ui page. Although it does seem like a cleaner way to use Apache.
Any help would be much appreciated.
To me it seems like there is some issue with the apigility setup, as it starts to redirect me to the correct location, but cannot find the /apigility/ui page it redirects me to.
Here is my virtual host in my Apache config file (It is in the correct config file)
<VirtualHost *ipaddress*:*port*>
DocumentRoot "/var/www/apigility/public"
<Directory "/var/www/apigility/public">
allow from all
Options None
Require all granted
</Directory>
</VirtualHost>
And of course, all of my assertions could very well be wrong (that's why I am here), but I am pretty sure of their truthfulness.
UPDATE:
While Rahman's answer is useful, it does not answer my question. I believe the not found error is related to apigility failing, not Apache incorrectly routing. I will not be accepting that answer, as the problem is not solved. (But would be open to discussion on that answer)
UPDATE: With Rahman's VirtualHost in the apache config file, I only had to enable mod_rewrite, and I can now access the Welcome to Apigility page!
Details on mod_rewrite I found here:
.htaccess: Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
Not Found error is because your web server neither can find the location on the server nor can find any rewrite rule for requested url.
So considering that Apiagility has a .htaccess file in the public directory, your problem is in the Apache configuration.
I suggest you edit your Apache configuration file like this:
<VirtualHost *ipaddress*:*port*>
DocumentRoot "/var/www/apigility/public"
<Directory "/var/www/apigility/public">
AllowOverride All
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
I just installed Symfony on my Mac running Yosemite but keep getting 403 errors. This isn't just affecting the directory into which I installed symfony, but also sites in other directories that were previously working fine! So far I have tried:
Following the "Setting up permissions" instructions on the Symfony installation page... http://symfony.com/doc/current/book/installation.html ("Using ACL on a system that supports chmod +a" and "change the umask so that the cache and log directories will be group-writable or world-writable") so I guess the problem isn't to do with the log and cache files.
Updating apache config with...
Require all granted
Allow from All
Checking user permissions:
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
Lots of killing and restarting apache
Still getting..
Forbidden
You don't have permission to access /projectx/ on this server.
Anyone seen this problem before?
Many thanks
Thanks so much for your suggestions, I figured it out. The problem was that I was putting my app in the apache doc root (symfony uses a different web server by default). I needed to create a virtual host (and tell apache to use the httpd-vhosts.conf in the first place)
This article had the answer...http://dab.io/posts/using-apache-for-developing-with-symfony.html
Thanks again!
I'm adding some database usage to a public facing site, and I wanted input on what the most secure way to store mysql connection information might be. I've come up with a few options:
First I could store the config in another directory, and just set the PHP include path to look for that dir.
Second, I know there are some files that apache won't serve to browsers, I could use one of these types of files.
Third, I could store encrypted files on the server, and decrypt them with PHP.
Any help would be much appreciated.
Storing the config outside of apache's document root is a must
You can configure apache to disallow any files with htaccess.
in the config folder add a .htaccess with the following
order allow,deny
deny from all
If you don't want to use .htaccess as #johua k, mentions, instead add
<Directory /home/www/public/config>
order allow,deny
deny from all
</Directory>
to your apache config.
This will deny any files in that folder from being served to anyone, which is fine since php doesn't care about htaccess you can just
include('config/db.php')
If you properly config your php scripts, they should never appear in plain text.
so a file like
define('mysql_password', 'pass')
would never display that text.
If you are worried about a shared hosting environment and another use having access to read this file then you should evaluate the security of the linux installation and the host. Other users should have any browsing access to your file. From the web files marked php should never return source.
You can explicitly tell apache not to serve the files ever, so they would only be include() or require() able.
I'm loading my files (pdf, doc, flv, etc) into a buffer and serving them to my users with a script. I need my script to be able to access the file but not allow direct access to it. Whats the best way to achieve this? Should I be doing something with my permissions or locking out the directory with .htaccess?
The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.
However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,
Order deny,allow
Deny from all
Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.
That is how I prevented direct access from URL to my ini files. Paste the following code in .htaccess file on root. (no need to create extra folder)
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
my settings.ini file is on the root, and without this code is accessible www.mydomain.com/settings.ini
in httpd.conf to block browser & wget access to include files especially say db.inc or config.inc . Note you cannot chain file types in the directive instead create multiple file directives.
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
to test your config before restarting apache
service httpd configtest
then (graceful restart)
service httpd graceful
Are the files on the same server as the PHP script? If so, just keep the files out of the web root and make sure your PHP script has read permissions for wherever they're stored.
If you have access to you httpd.conf file (in ubuntu it is in the /etc/apache2 directory), you should add the same lines that you would to the .htaccess file in the specific directory. That is (for example):
ServerName YOURSERVERNAMEHERE
<Directory /var/www/>
AllowOverride None
order deny,allow
Options -Indexes FollowSymLinks
</Directory>
Do this for every directory that you want to control the information, and you will have one file in one spot to manage all access. It the example above, I did it for the root directory, /var/www.
This option may not be available with outsourced hosting, especially shared hosting. But it is a better option than adding many .htaccess files.
To prevent .ini files from web access put the following into apache2.conf
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
How about custom module based .htaccess script (like its used in CodeIgniter)? I tried and it worked good in CodeIgniter apps. Any ideas to use it on other apps?
<IfModule authz_core_module>
Require all denied
</IfModule>
<IfModule !authz_core_module>
Deny from all
</IfModule>