Topic: Force Apache2.4 to read .htaccess in parent directory

spitzerspace
Joined: 24 Dec 2014
Posts: 7

Posted: Thu 31 Mar '22 3:39

Is there a way to force apache to read the parent .htaccess before the current directory .htaccess? Even if I put "Require all denied" in the document root, apache will still allow access to child folders.

Config:
Code:
<Directory /var/www/>
   Options -Indexes
   AllowOverride All
</Directory>

<Directory /var/www/owncloud>
   AllowOverride FileInfo Indexes Options
</Directory>


Contents of /var/www/.htaccess
Code:
<RequireAll>
    Require all denied

</RequireAll>


Contents of /var/www/owncloud/.htaccess
Code:
<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header      unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"
    Header      unset X-XSS-Protection
    Header always set X-XSS-Protection "0"
    Header      unset X-Robots-Tag
    Header always set X-Robots-Tag "none"
    Header      unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"
    Header      unset X-Download-Options
    Header always set X-Download-Options "noopen"
    Header      unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Let browsers cache CSS, JS files for half a year
  <FilesMatch "\.(css|js)$">
    Header      unset Cache-Control
    Header always set Cache-Control "max-age=15778463"
  </FilesMatch>
 
  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff$">
    Header      unset Cache-Control
    Header always set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

<IfModule mod_php5.c>
    php_value always_populate_raw_post_data -1
    php_value upload_max_filesize 513M
    php_value post_max_size 513M
    php_value memory_limit 512M
    php_value mbstring.func_overload 0
    php_value default_charset 'UTF-8'
    php_value output_buffering 0
    <IfModule mod_env.c>
      SetEnv htaccessWorking true
    </IfModule>
</IfModule>

<IfModule mod_php7.c>
    php_value upload_max_filesize 513M
    php_value post_max_size 513M
    php_value memory_limit 512M
    php_value mbstring.func_overload 0
    php_value default_charset 'UTF-8'
    php_value output_buffering 0
    <IfModule mod_env.c>
      SetEnv htaccessWorking true
    </IfModule>
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates|changelog)/.* - [R=404,L]
  RewriteRule ^core/signature\.json - [R=404,L]
  RewriteRule ^(?:core/skeleton)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

tangent
Moderator
Joined: 16 Aug 2020
Posts: 312
Location: UK

Posted: Thu 31 Mar '22 18:09

What release of Apache are you using? I cannot reproduce the problem you describe with Apache 2.4.53 and your configuration settings.

Indeed, without "Require All Granted" defined for the top level directory, I cannot access any content in sub-directories, which is why it's present in the default configuration.

If you read this section of the documentation (https://httpd.apache.org/docs/current/howto/htaccess.html#when), it confirms Apache does read and process htaccess files from all parent directories before the current directory (AllowOverride permitting).
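
Added example, not part of either post and not Apache's own code: a simplified Python model of the .htaccess lookup order described in the reply and the linked documentation, run against the `<Directory>` sections from the question. The function names are hypothetical, and the model assumes `AllowOverride None` above /var/www (the 2.4 default) and ignores `AllowOverrideList`, `Options=...` arguments, wildcard sections and `<DirectoryMatch>`.

```python
from pathlib import PurePosixPath

ALL = frozenset({"AuthConfig", "FileInfo", "Indexes", "Limit", "Options"})

# Override class each directive needs (from the httpd 2.4 directive reference).
DIRECTIVE_CLASS = {
    "Require": "AuthConfig", "Header": "FileInfo", "RequestHeader": "FileInfo",
    "SetEnvIfNoCase": "FileInfo", "RewriteRule": "FileInfo",
    "DirectoryIndex": "Indexes", "Options": "Options",
}

def parse_override(value):
    """Turn an AllowOverride argument string into a set of override classes."""
    words = value.split()
    if "All" in words:
        return ALL
    return frozenset(w for w in words if w != "None")

def htaccess_walk(sections, target_dir):
    """List (htaccess_path, allowed_classes) in the order httpd reads them.

    sections maps a <Directory> path to its AllowOverride arguments.
    """
    sections = {str(PurePosixPath(k)): v for k, v in sections.items()}
    target = PurePosixPath(target_dir)
    chain = list(target.parents)[::-1] + [target]    # /, /var, /var/www, ...
    allowed, read = frozenset(), []                   # 2.4 default: None
    for d in chain:
        if str(d) in sections:                        # deeper section replaces
            allowed = parse_override(sections[str(d)])
        if allowed:                                   # None: file is never opened
            read.append((str(d / ".htaccess"), allowed))
    return read

def rejected(directives, allowed):
    """Directives httpd would refuse in a .htaccess with these overrides."""
    return [d for d in directives if DIRECTIVE_CLASS[d] not in allowed]

# <Directory> sections copied from the question.
SECTIONS = {"/var/www/": "All", "/var/www/owncloud": "FileInfo Indexes Options"}

if __name__ == "__main__":
    for path, allowed in htaccess_walk(SECTIONS, "/var/www/owncloud"):
        print(path, sorted(allowed))
        print("  refused here:", rejected(["Require", "Header", "Options"], allowed))
```

In this model /var/www/.htaccess is read first with every override class available, so its `Require` is accepted, while a `Require` placed in /var/www/owncloud/.htaccess would be refused because `AuthConfig` is not in that directory's `AllowOverride`.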