If I want to prevent a random user from using the URL to browse to a web file, I need to use an .htaccess file.
I have added my code below. I have created an .htaccess file and placed it within my include folder to prevent users from navigating to and reading my database.php file.
Following the instructions found here: https://www.plothost.com/kb/how-to-deny-access-to-a-specific-file-on-your-site-via-htaccess/
Of course I made some slight alterations.
Here is the code in my .htaccess file:
<files database.php>
Order Allow,Deny
Deny from all
</files>
Using the above, I am still able to URL right to the database.php file. I need to prevent this from happening.
What am I doing wrong?
Please check the following:
Make sure your .htaccess file is really called ".htaccess".
The .htaccess file must be in the correct directory or the path of the file must be relative to the .htaccess file.
I just ran this on my machine. The same code you have used.
My structure:
The files are identical. I commented out the content in the .htaccess file in the root dir. So now I can call localhost:8080/database.php but not localhost:8080/test/database.php => I get an Error 403 (access denied).
EDIT
How about this guide here?
setup htaccess
Looks legit. This is my config. According to the guide, it is just about setting up this config file and restart.
EDIT 2
I found out, that the httpd.conf I had opened is not the correct one.
I found the correct one under: Application/XAMPP/xamppfiles/etc/httpd.conf.
In this file you have to search for:
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/Applications/XAMPP/xamppfiles/htdocs"
<Directory "/Applications/XAMPP/xamppfiles/htdocs">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/trunk/mod/core.html#options
# for more information.
#
#Options Indexes FollowSymLinks
# XAMPP
Options Indexes FollowSymLinks ExecCGI Includes
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
#AllowOverride None
# since XAMPP 1.4:
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
Here you find this:
# "AllowOverride None" deactivates .htaccess
#AllowOverride None
# since XAMPP 1.4:
# "AllowOverride All" activates .htaccess
AllowOverride All
At least for me this was solely responsible for the .htaccess rewrite. When I set it to AllowOverride None the .htaccess is completely ignored.
You may do this using a mod_rewrite rule in site root .htaccess:
RewriteEngine On
RewriteCond %{THE_REQUEST} /database\.php[?\s/] [NC]
RewriteRule ^ - [F]
I have Laravel installed on a CentOS 7 server. PHP, MariaDB and HTTPD are installed and work. All services are up and working. Browsing the document root shows
Forbidden
You don't have permission to access / on this server.
this is the document root of my server
DocumentRoot "/var/www/html/api/public"
Document root configurations
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
This is welcome.conf file ( /etc/httpd/conf.d/welcome.conf)
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /.noindex.html
</LocationMatch>
<Directory /usr/share/httpd/noindex>
AllowOverride None
Require all granted
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
What can I do for this issue?
Create and put this .htaccess file in your app folder.
RewriteEngine on
RewriteCond %{REQUEST_URI} !^public
RewriteRule ^(.*)$ public/$1 [L]
The server configuration below fixed the issue for me.
Grant Folder Permission and Set ownership
chown -R apache:apache /var/www/html/laravel
chmod -R 755 /var/www/html/laravel/storage
Restore Security
restorecon -R /var/www
Disable SELinux
setenforce 0
I have a slight problem.
I used a simple PHP framework on GitHub and have worked on it and added new functions and so on.
The framework that I have had help with is this:
https://github.com/panique/mini
Everything works perfectly in a MAMP environment, but now when I was going to test it on a live website and Apache environment it does not work that well.
It obviously can read the index file since I point the directory to the directory that should be used for Apache.
But when I am going to make a call to a controller (domain.com/login) it results in Apache giving me:
"Not Found: The requested URL /login was not found on this server."
I have enabled rewrite with: service a2enmod rewrite, and I double checked and it is a Loaded module when looking in phpinfo().
The .htaccess file that is located in the "/var/www/html/php-project/public" directory (where I have pointed to in my virtual host file)
is the following:
# Necessary to prevent problems when using a controller named "index" and having a root index.php
Options -MultiViews
# Activates URL rewriting
RewriteEngine On
# Prevent people from looking directly into folders
Options -Indexes
# If the following conditions are true, then rewrite the URL:
# If the requested filename is not a directory,
RewriteCond %{REQUEST_FILENAME} !-d
# and if the requested filename is not a regular file that exists,
RewriteCond %{REQUEST_FILENAME} !-f
# and if the requested filename is not a symbolic link,
RewriteCond %{REQUEST_FILENAME} !-l
# then rewrite the URL in the following way:
# Take the whole request filename and provide it as the value of a
# "url" query parameter to index.php. Append any query string from
# the original URL as further query parameters (QSA), and stop
# processing this .htaccess file (L).
RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]
00-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName www.domain.com
ServerAlias domain.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/php-project/public
<Directory />
AllowOverride All
</Directory>
#DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
apache.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
AccessFileName .htaccess
I don't think the problem is within the PHP itself.
That's why I haven't added my code, since it's so many classes, but the code is, as I said, based on the framework mentioned at the beginning of the question.
Do any of you see any obvious problems in the confs?
I have searched and searched for answers, but I don't seem to get it right. So I would really, really appreciate some help.
Any questions, just ask.
Thanks
Please follow the proper way to use the rewrite module in apache2.
First enable the rewrite module in Apache using the command below:
$ sudo a2enmod rewrite
Open the apache2.conf file
$ nano /etc/apache2/apache2.conf
Update the section
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Remove the section from 00-default.conf
Remove the below lines
<Directory />
AllowOverride All
</Directory>
Then finally restart your apache2.
$ sudo service apache2 restart
or
$ sudo /etc/init.d/apache2 restart
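Why the virtual host's `<Directory />` block in the question never reaches the document root, as an added example that is not part of the original posts: a small Python resolver that applies Apache's documented merge order for `<Directory>` sections (shortest path first, configuration order on ties) to a constructed copy of the two quoted files. The function names and the simplified parser (plain `<Directory>` blocks only, no `<DirectoryMatch>` or `Include` handling) are assumptions of this example.

```python
import re

# Constructed copies of the <Directory> blocks quoted in the question:
# apache.conf (main server) first, then the 00-default.conf virtual host.
MAIN_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/html/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""
VHOST_CONF = """
<VirtualHost *:80>
    DocumentRoot /var/www/html/php-project/public
    <Directory />
        AllowOverride All
    </Directory>
</VirtualHost>
"""

COMMENT = re.compile(r"^\s*#.*$", re.M)
SECTION = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.M | re.I)

def directory_sections(*configs):
    """Yield (path, last AllowOverride value or None) in configuration order."""
    for text in configs:
        for path, body in SECTION.findall(COMMENT.sub("", text)):
            values = OVERRIDE.findall(body)
            yield (path.strip().rstrip("/") or "/"), (values[-1] if values else None)

def effective_allowoverride(target, *configs):
    """Return (value, path of the deciding <Directory> section) for target."""
    target = target.rstrip("/") or "/"
    applicable = [
        (path, value) for path, value in directory_sections(*configs)
        if path == "/" or target == path or target.startswith(path + "/")
    ]
    # Apache merges <Directory> sections shortest path first; equal-length
    # paths keep configuration order (sorted() is stable), last value wins.
    applicable.sort(key=lambda s: len([c for c in s[0].split("/") if c]))
    result = ("None", None)  # assumed default: AllowOverride None (httpd 2.3.9+)
    for path, value in applicable:
        if value is not None:
            result = (value, path)
    return result

def htaccess_is_read(target, *configs):
    """True when .htaccess files are consulted at all for the target directory."""
    return effective_allowoverride(target, *configs)[0].lower() != "none"

if __name__ == "__main__":
    docroot = "/var/www/html/php-project/public"
    print(effective_allowoverride(docroot, MAIN_CONF, VHOST_CONF))
```

With these inputs the document root resolves to `None` from the `/var/www/html` section, so the `.htaccess` rewrite rules are never read. Any path covered only by `/` picks up the virtual host's `AllowOverride All` instead, which is broader than intended.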
I know this question has been asked a bunch of times but I'm not finding any answer that helps.
So I have two pages, index.php and refer.php. I put a rule into my httpd.conf that used mod_rewrite to get rid of the .php extension when a user goes to the page. Refer.php worked fine to show up as just refer, but trying to go to index.php gives me a Forbidden error.
Error log shows this:
AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.php,index.html) found, and server-generated directory index forbidden by Options directive.
Here's the relevant part of my httpd.conf:
<Directory "/var/www">
AllowOverride All
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
The file index.php exists, of course. Any help?
Edit:
The url is just the root url - like domain.com. It should access index.php, which it did fine before I did the mod_rewrite. So I expect the index page to come up, which it doesn't because of the errors that I described above. .htaccess file is just all defaults except for:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule (.*) $1.php [L]
Probably this error has a pretty easy solution but I've been looking way too long at this and still don't get the error. I think I've tried whatever I could.
Problem: when I enable pretty permalinks on my wordpress installation (so, that it is using /%postname%/), it doesn't work. I get a 404 on all pages except for the homepage.
This page http://codex.wordpress.org/Permalinks tells me the requirements for permalinks to work:
Apache web server with the mod_rewrite module installed
In WordPress's home directory,
The FollowSymLinks option enabled
FileInfo directives allowed (e.g. AllowOverride FileInfo or AllowOverride All)
An .htaccess file (if this file is missing, WordPress will try to create it when you activate "pretty" permalinks)
If you want WordPress to update the .htaccess file automatically, WordPress will need write access to the file.
Apache web server has been installed, the mod_rewrite module has been loaded with a2enmod rewrite command (and the server has been restarted multiple times after). So, under /etc/apache2/mods-enabled, the symlink to rewrite.load is present. Also, when I run phpinfo command, I see that the mod_rewrite module has been loaded. You can check this as well here: http://namorti.com/phpinfo.php
Then, in /etc/apache2/sites-enabled, there was no "default" present. I copied 000-default.conf to default and edited default afterwards. It contains the following:
DocumentRoot /var/www
<Directory />
Options FollowSymLinks Indexes
AllowOverride FileInfo
</Directory>
So as far as I'm concerned, FollowSymLinks has been enabled and FileInfo directives are allowed.
As for the last two points, in my wordpress home directory (/var/www), .htaccess is present and writeable by Wordpress (I updated the permalink structure a couple of times and it updates the .htaccess file accordingly). Right now it contains the following:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
So, as far as I know, it SHOULD be working. I restarted the server (service apache2 restart) several times. I don't see what I'm missing. Does anyone have a clue here?
Thanks in advance!
* EDIT *
So, I did what calcinai told me to do... I edited my /etc/apache2/sites-enabled/default file (containing the vhost). It now looks like this:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin www.namorti.com
DocumentRoot /var/www
<Directory /var/www>
Options MultiViews
AllowOverride None
Order allow,deny
allow from all
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</Directory>
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I've restarted apache again, but unfortunately it still doesn't work. Honestly it would have surprised me, because moving the directives from the .htaccess file to the vhost would work if the htaccess on itself would work, as everything else seemed correct enough to me...
Any other suggestions? Thanks for the effort!
Make sure the AllowOverride directive is set to all in the vhost - that's what tells apache to look for .htaccess files in the webroot.
A better solution is actually to put your rewrite directives in the vhost, as you clearly have write access to the file. When you have AllowOverride on, apache will look in the directory and all parent directories for .htaccess files on every request, which can be a big performance hit.
For Wordpress, your vhost should look something like:
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/site
<Directory /var/www/site>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</Directory>
</VirtualHost>
Solved it myself.
It had to do with the file "000-default.conf" - I copied it to "default" and edited "default", like I already mentioned in my question.
Apparently the service is using the file "000-default.conf" on itself. By copying the "default" file back to "000-default.conf" and restarting the apache service, everything works now.
One caveat: calcinai's suggestion seems like it should work, but with his suggestion in my vhost in the correct "000-default.conf" file, I got a 403 Forbidden error. When I replaced his content with my original content
DocumentRoot /var/www
<Directory />
Options FollowSymLinks Indexes
AllowOverride FileInfo
</Directory>
And then once again restarting the apache service, it all worked.
Thanks calcinai for your effort to try to help me :)
Permalink Problem
Inside of this file, we want to change all things.
sudo nano /etc/apache2/sites-available/000-default.conf
000-default.conf
- should look something like this:
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
If you don't see something like this, then paste the above code inside the virtual host.
When you are finished, save and close the file.
Next, we need to enable the rewrite module, which allows you to modify URLs. You can do this by typing:
sudo a2enmod rewrite
After you have made these changes, restart Apache:
sudo service apache2 restart
This may help you solve this:
sudo chown -R www-data:www-data /var/www
After spending a lot of time, here is what worked successfully on my Linux machine's LAMP server. The following changes were needed for me to make it work perfectly:
Add this to your /etc/hosts file.
127.0.0.1 sitename.com
Add host entry as follows in the path /etc/apache2/sites-available/sitename.com.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName sitename.com
DocumentRoot /var/www/sitename.com/public_html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/sitename.com/public_html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Create symlink to sites-enabled.
sudo ln -s /etc/apache2/sites-available/sitename.com.conf /etc/apache2/sites-enabled/sitename.com.conf
Restart apache by using the command,
sudo service apache2 restart
This works perfectly for me. Instructions for adding host entry taken from, https://www.digitalocean.com/community/questions/wordpress-permalinks-not-working-on-ubuntu-14-04