Is there anyway to use PHP to check the value of AllowOverride too see if .htaccess will have any effect?
I am not aware of a clean, direct way to do this.
If you have http access to the folder you want to check this for, you could write something into the .htaccess file that will trigger a certain kind of output.
For example, you could set a header (this has an added dependency on mod_headers, though):
<FilesMatch "\.(php)$">
<IfModule mod_headers.c>
Header set htaccess_works "yes"
</IfModule>
</FilesMatch>
then make a request from PHP, and check the response headers, e.g. using curl's CURLOPT_HEADER. If they contain the htaccess_works header, it works.
Another method that is terrible but guaranteed to work independently from specific Apache modules is to programmatically write gibberish into the .htaccess file, then to make a curl request like above, and to check for a 500 status code. If it throws a 500, the .htaccess file got interpreted. But as said, this is terrible - if possible, go with the headers method instead.
In complement to #Pekka response:
AllowOverride can be set to None or All, but as well to a specific list of terms:
AuthConfig, FileInfo, Indexes, Limit, Options. So you could be allowed to use a Header instruction but not Deny, for example.
So a way to test the real value of AllowOverride is to add this to your .htaccess:
#AuthConfig
AuthName "Secret"
#FileInfo
ErrorDocument 404 index.php
#Indexes
DefaultIcon /icon/unknown.xbm
#Limit
Allow From All
#Options
Options FollowSymLinks
Then if you have an 500 error comment lines to detect which words (sections) are forbidden. You'll get an error 500 until you remove every forbidden instruction. When you'll know the allowed sections you'll have to check the documentation for the complete list of allowed instructions.
If you do not have any error you have AllowOverride None or All. Then alter the Deny/Allow to:
Deny From All
If you have the 403 result it's a AllowOverride All.
Easiest way
Add: show-error in the first line on your page an load domain via browser to trigger a 50x error
Another method that is terrible but guaranteed to work independently
from specific Apache modules is to programmatically write gibberish
into the .htaccess file, then to make a curl request like above, and
to check for a 500 status code. If it throws a 500, the .htaccess file
got interpreted. But as said, this is terrible - if possible, go with
the headers method instead.
Related
I tried to allow access to a directory by using the .htaccess file.
This is my .htaccess:
<Directory Bilder_Team>
Options Indexes FollowSymLinks
AllowOverride None
</Directory>
The directory is "Bilder_Team". If I open the link to this directory, it shows me
500 Internal Server Error
How can I fix this?
Use this htaccessCheck for future checks or problems. Your problem as you could see, once checked, is that you are not allowed tags such as <Directory> in .htaccess files.
Instead put the .htaccess directly into the Build_Team directory and leave off the surrounding tags.
Possibly, a bigger problem is the use of AllowOverride None, which disables the use of .htaccess files and, obviously, has no part of any .htaccess file. AllowOverride directive can only be part of the main config file!
As shown the snippet is correct iff put in the httpd.conf file (name could vary). Which actually, if possible, is the better way to do it.
For more information about security concerns, you could refer to this StackOverflow answer.
Hope this helps!
I have Apache 2.2 set up to accept PUTs and funnel them to a specific handler script /put.php as shown below in the Directory Directive in httpd.conf:
<Directory />
Options FollowSymLinks
AllowOverride All
Script PUT put.php
</Directory>
This has always worked, no matter the request as long as the method is PUT in the past. I used curl to validate this using a request URL of "/" which pointed to index.html.
I recently found a need to convert index.html to index.php to do some session handling, and suddenly my PUT requests stopped being handled by /put.php as soon as the file became index.php.
I realize that one solution is to point all PUT requests to /put.php, but we have an app that is hard coded to send them to / which doesn't work anymore since the change to index.php.
It'd be nice to be able to get index.php to still send PUT requests to it to /put.php, but I haven't been able to find a way.
The apache logs show that the PUT requests are being handled properly (201 response and no error), but the behavior is just that it never redirects to /put.php as it used to.
I also tried leaving the page as html, and adding the following line to the httpd.conf prior to the "Script PUT /put.php" directive:
AddType application/x-httpd-php .html
which then parsed the html page with the php parser, but then I got the same effect (No redirection to put.php) as when the page was called index.php and parsed by php.
Anyone have any ideas or encountered this before? It is as if when I turn index.html into index.php and send to the php parser it is unable to redirect any longer using the "Script PUT" directive.
The problem is the following:
There is one server that I deploy to and for some reason the server does not respond to urls as usual. What I mean is when I have a file called somefile.php uploaded to mysite.com/ and I type in browser mysite.com/somefile the file somefile.php gets called instead of saying 404 not found. I think that this is weird and for some reason it prevents my .htaccess file to rewrite correctly, because the file somefile.php gets called and if there is information after mysite.com/somefile like mysite.com/somefile/someotherfile, someotherfile gets ignored and somefile.php gets displayed. I have all other .htaccess files deleted even in parent directories of the server and still the same result. I hope that you can hep me.
On localhost this problem is not observed. I get 404 not found as I should...
Sounds like you have MultiViews currently enabled. Try disabling them.
Multiviews
MultiViews is a per-directory option, meaning it can be set
with an Options directive within a , or
section in httpd.conf, or (if AllowOverride is properly set) in
.htaccess files. Note that Options All does not set MultiViews; you
have to ask for it by name.
The effect of MultiViews is as follows: if the server receives a
request for /some/dir/foo, if /some/dir has MultiViews enabled, and
/some/dir/foo does not exist, then the server reads the directory
looking for files named foo.*, and effectively fakes up a type map
which names all those files, assigning them the same media types and
content-encodings it would have if the client had asked for one of
them by name. It then chooses the best match to the client's
requirements.
http://httpd.apache.org/docs/2.2/content-negotiation.html#multiviews
Using Apache 2.2 and PHP 5, what's the best way to run PHP without the .php extension? For example, I have a script called app.php and I like to invoke it as:
http://example.com/app
Please notice that I still want to keep the .php extension to the file and I don't have mod_rewrite. Don't want use index.php either because it requires too many directories.
I did find one way by adding this to my .htaccess,
AddHandler server-parsed .php
SetHandler application/x-httpd-php
AddHandler application/x-httpd-php .php
The page runs a little slower by using this. I suspect it invokes SSI on every PHP page. Wonder if there are any better ways to accomplish this.
An alternative is to use content negotiation. Turn on multiviews:
Options +MultiViews
If a named resource doesn't exist, Apache will glob for the file, then sort based on the media type and content encoding requirements send by the browser. If there's only one file (your PHP script), then that's what the URL resolves to.
You could also force the mime type of a specific file in your .htaccess:
<Files app>
ForceType application/x-httpd-php
</Files>
The short answer is that you aren't going to be able to do this the way you want to. PHP is going to require SOME extension in order to execute the files so you might as well leave it as *.php.
Unless you use mod_rewrite you are going to have to call the files using the full file and extension.
That is the beauty of mod_rewrite--it lets you do just such a thing.
I would pose the question back to you--why can't you use mod_rewrite? Is it an environment issue, a choice, are you using Lighttpd (lighty)?
Extension
Wrap your rewrite rules in something like this to keep it from blowing up if the server doesn't support mod_rewrite:
<IfModule mod_rewrite.c>
// DO REWREITE HERE
</IfModule>
If you believe it to be a security concern or something equally valid then you could also do the following check and send them to a custom 404 or even your documentation and give them examples of how to enable mod_rewrite and explain the need, etc. This second check is optional though--if you don't use it the users will simply see the .php extension but your pages should still work.
<IfModule !mod_rewrite.c>
ErrorDocument 404 /application/errors/404.php
// ERROR 404 ABOVE OR DO ANOTHER DIRECT REDIRECT TO AN INFORMATION PAGE
</IfModule>
when I used the SSL fot my website i got following error.
in error log. and site shows me default page instead of actual page.
I got following error.
.htaccess: RewriteEngine not allowed here
Is AllowOverride FileInfo or AllowOverride All on in your server configuration? Typically, HTTPS and HTTP sites use different configuration sections or files. Make sure your site is properly configured.