Hi,

how can I protect .htaccess Files, so they can?t be browsed in a Webbrowser directly. I read on several sites about how they say it should work but when I tried those, the .htaccess file was still directly accessible. Why is that ?

For example:


<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

According to a couple of sites that would be a very secure way of archiving that, but that also doesn?t work for me. Why is that ?

Wolfseye

Hi,

how can I protect .htaccess Files, so they can?t be browsed in a Webbrowser directly. I read on several sites about how they say it should work but when I tried those, the .htaccess file was still directly accessible. Why is that ?

For example:


<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

According to a couple of sites that would be a very secure way of archiving that, but that also doesn?t work for me. Why is that ?

Wolfseye
Try this way ;)

Preventing someone from viewing my .htaccess file

The .htaccess file typically resides in your root directory and can be viewed through the web browser. Most of the time there is information contained the the .htaccess file that you don't want people knowing, like the rules for allowing or denying access. One way to prevent access to the .htaccess file is to disable access to that particular filename. You can add the following lines to your .htaccess file in the root directory to deny visitors from viewing all .htaccess files contained in your website:

<Files .htaccess>
order allow,deny
deny from all
</Files>

Thats one of the things I tried, doesn?t work. I can still directly access the File in the Browser. Thats why I wonder.

This is my .htaccess File, or lets say part of it. Would be too many Bans in it to post here. ;)


php_value memory_limit 64M
php_value upload_max_filesize 50M
php_value max_execution_time 900

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://www.mydomain/hotlink.jpg [NC,R,L]

ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/403.html

<Files .htaccess>
order allow,deny
deny from all
</Files>

<Files *>
Order deny,allow

# Mixed IP Ranges
deny from 203.223.32.0/20
deny from 41.200.0.0/16
deny from 59.148.209.80/30
deny from 94.247.2.0/23
deny from 194.8.74.0/23
deny from 87.118.96.0/19
deny from 87.118.64.0/18
deny from 213.155.0.0/19
deny from 212.95.32.0/19
deny from 221.120.192.0/18
deny from 94.179.136.0/21
deny from 82.81.0.0/17
deny from 84.19.176.0/20
</files>

Thats one of the things I tried, doesn?t work. I can still directly access the File in the Browser. Thats why I wonder.

Now i know this will sound silly, But are you 100% sure the .htaccess file your editing is the only one one you have and its in the root of your server, The reason i ask is i've heard of a guy editing a htacess in his forum root not knowing he already had on in the server root :eek:

You need to make sure the code is like the one shown below not like your example, I know that works 100% on my site. Failing that it may be something that you'll need to take up with your host, as something is stopping you from adding this.

<Files .htaccess>
order allow,deny
deny from all
</Files>

have you already got an htaccess file ??

You can read up on htaccess files here http://httpd.apache.org/docs/1.3/howto/htaccess.html

Are you sure you can browse the .htaccess file?
I've never heard of this
what is your site url?

I only have the one in the Site Root. And thats the contents of it above. htaccess files work good on my host, just that protection of the .htaccess File isnt working.

Thats all.

I only have the one in the Site Root. And thats the contents of it above. htaccess files work good on my host, just that protection of the .htaccess File isnt working.

Thats all.

Thats well strange, There may be something in your file which conflicts with the new edit ??, Not 100% sure but i would certainly enquire with your host.

Here is a nice little htaccess creator for those of you that don't want to spend hours editting code http://www.htaccesseditor.com/en.shtml#a_fileList

let us know how you got on tlwwolfseye, I'll keep searching for you :D

As I said in the pm, I would contact your host and ask them
the htaccess file isn't generally viewable view the web

As I said in the pm, I would contact your host and ask them
the htaccess file isn't generally viewable view the web

When a visitor tries to obtain access to your .htaccess or .htpasswd file, the server automatically generates a 403 forbidden error, even with the file permissions at their default settings.

However, you can apply a bit more security to your .htaccess files by adding the following code:

<Files .htaccess>
order allow,deny
deny from all
</Files>

Contacting the host provider is the best solution as Loco says.

Another thing which people forget to do is when they write a .htaccess file they save it as htaccess.txt and then you need to upload this to your root. When its there you need to rename it to .htaccess removing the .txt extension. I think the reason you can view your htaccess file is perhaps you still have the .txt or some other extension still attached :rolleyes:

No, its is as it should be. .htaccess , no other extension. :) Thats why I wonder. And like i said, the other things in my .htaccess file work fine, just not the preventing to browse that file. But I will check with my hoster later.

Thanks.

WOlfseye

No, its is as it should be. .htaccess , no other extension. :) Thats why I wonder. And like i said, the other things in my .htaccess file work fine, just not the preventing to browse that file. But I will check with my hoster later.

Thanks.

WOlfseye

Remember to post back, if you fix it, i for one am interested on what the problem is, and it could help others.

And like i said, the other things in my .htaccess file work fine, just not the preventing to browse that file.

Did you put


<Files .htaccess>
order allow,deny
deny from all
</Files>


Inside the htaccess itself or the Webserver configuration ? The second option is the way to go.

Into the .htaccess File. I am now waiting for a reply from our Hoster. Might not be there before tomorrow that I here from him. I will post here when I know whats the issues.

--------------- Added 1243319257 at 1243319257 ---------------

Ok, i found the issue by accident. Seems besides the


<Files .htaccess>
order allow,deny
deny from all
</Files>

I used another

<Files *>
order allow,deny



</Files>


around the actual Banned IP?s and when I removed that one and just kept the above Code to prevent browsing the .htaccess, it worked. So it seems 2x kinda similiar code isn?t appreciated by the .htaccess File. ;)

Just a couple of minutes ago my hoster confirmed that, he says that the second <Files> setting will overwrite the first.

I added-

<FilesMatch "\.(htaccess|htpasswd|htgroup)$">
order allow,deny
deny from all
</FilesMatch>

:up:

I checked mine and I could see it. I had the same issue as post #13.

It does pay to read the forums!

If you can see htaccess, I'd run far, far away from your host.

htaccess should be a system level protected file. If it's not, the server's security is in major question.