Topic: .htaccess is visible via browser
Mister Nice



Joined: 07 Nov 2016
Posts: 9
Location: USA

Posted: Wed 15 Nov '17 22:24    Post subject: .htaccess is visible via browser

Apache/2.2.15 (Unix)
--------------------

Hi,

I have a somewhat urgent question regarding .htaccess being visible on the web via a browser request.

I'm setting up a new server, and was attempting to prevent certain files being requested, and so I was testing out the <Files ...> directive, and the <FilesMatch ...> directives in .htaccess, but couldn't get them working. So, I started playing around a bit, and found another, more important issue.

I just casually requested .htaccess in the browser URL, expecting it to be denied, as I have the following code in httpd.conf:

Code:
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>


... but lo-and-behold the file was served up as plain text, and readable in the web browser. I've played with "AllowOverride All" and "AllowOverride None", but it doesn't make any difference to either the original files problem or the .htaccess problem.

Well, confident that on my other servers, which have been up for years, I did not have this problem, I tried the same .htaccess request, and to my astonishment that server is also serving up .htaccess as plain text when requested.

Any idea what gives? I can't believe that it's not working, especially given that the code comes as standard in httpd.conf.

I have owner/group of apache on one .htaccess:
Code:
-rw-r--r--. 1 apache apache 4813 Oct 29 13:41 .htaccess

and owner/group of apache/web on the other:
Code:
-rw-r--r-- 1 apache web 177 Nov 15 20:07 .htaccess


Originally the second .htaccess (on the new server) was root/root, but same issue.

It's obviously very important for me to figure out what the issue is, and any assistance would be appreciated. Thanks!

Update:
Okay, I've managed to figure out how to prevent the hidden files being served, but I'm not sure why/how to fix properly. Turns out that on each machine, I had added a <Location "/"> section, in which I had code to deny bad-bots server-wide. That's all that was in the <Location "/"> section, and the bad bots code worked fine. However, removing that section entirely resolves the other issues (both the <FilesMatch ...> and <Files ...> directives now work, as does the original code in httpd.conf for denying the \.ht* hidden files).
However, I now have an issue in that I have no bad-bots code in my httpd.conf file, and would like to know how to correctly include a <Location "/"> section in httpd.conf without screwing up everything else. Any assistance appreciated!
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Thu 16 Nov '17 0:28

Seeing in what order the sections of the config files are merged (Files before Location), something in that Location container is overriding this, you figured that much out of course. What it is however no one here will be able to figure out without knowing what is in said Location container.
Mister Nice



Joined: 07 Nov 2016
Posts: 9
Location: USA

Posted: Thu 16 Nov '17 0:34

Apparently so, but there are no directives in the Location section other than the ones to ban bad bots.
Hence my question. I already looked at the Location docs but can't see what it is that I may be doing incorrectly.
To all intents and purposes it seems set up fine.
If the order of the sections is relevant, as it sometimes can be, then I think they're in the correct order.
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Thu 16 Nov '17 1:43

Ah-ha, well maybe,

I added a <location /> container that simply had Require all allowed in it. I could then see my .htaccess file. Which I knew would happen.


So in yours you may be allowing access provided it's not a bad bot (stupid assumption). We know location overrides files so if it's not a bad bot, it becomes fair game.
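The merge order discussed above (Directory, then Files, then Location, with later sections overriding earlier ones), shown as an added configuration example that is not part of the original thread. It uses the Apache 2.2 Order/Allow/Deny syntax of the poster's 2.2.15; the bad_bot variable, the bot name and the /var/www/html path are assumptions, since the poster's actual Location section was never shown.

```apache
# Constructed example for Apache 2.2 (mod_authz_host, mod_setenvif).
# bad_bot, "ExampleBadBot" and /var/www/html are assumed names.

# Tag unwanted crawlers by User-Agent.
SetEnvIfNoCase User-Agent "ExampleBadBot" bad_bot

# Stock rule: never serve .htaccess / .htpasswd.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# --- Problem form -------------------------------------------------------
# <Location> sections are merged after <Files> sections, so this
# Order/Allow/Deny set replaces the one above for every URL, including
# /.htaccess. Any client not tagged bad_bot is allowed.
#<Location "/">
#    Order allow,deny
#    Allow from all
#    Deny from env=bad_bot
#</Location>

# --- Corrected form -----------------------------------------------------
# Put the bot rule in the <Directory> for the document root instead.
# <Directory> is merged before <Files>, so the "^\.ht" deny is applied
# afterwards and still wins for .htaccess, while tagged bots are
# refused for everything else under this directory.
<Directory "/var/www/html">
    Order allow,deny
    Allow from all
    Deny from env=bad_bot
</Directory>
```

After a reload, a request for /.htaccess should return 403 for every client. Rules placed in <Directory> cover only content mapped from that directory, so anything published purely through <Location> needs its own access rule.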
Mister Nice



Joined: 07 Nov 2016
Posts: 9
Location: USA

Posted: Thu 16 Nov '17 6:00

Hmm ... I'll have another look tomorrow and test out the precedence of File and Location directives.
Mister Nice



Joined: 07 Nov 2016
Posts: 9
Location: USA

Posted: Thu 16 Nov '17 18:26

Went a different route in the end, and used a different idea:
Code:
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_USER_AGENT} AhrefsBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} AlphaBot [NC,OR]
....
....
RewriteRule ^(.*)$ - [L,R=403]
</IfModule>

instead of using a Location section.