vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)
-   -   How to protect .htaccess Files ? (https://vborg.vbsupport.ru/showthread.php?t=214512)

tlwwolfseye 05-25-2009 03:58 PM
How to protect .htaccess Files ?
 
Hi,

how can I protect .htaccess Files, so they can?t be browsed in a Webbrowser directly. I read on several sites about how they say it should work but when I tried those, the .htaccess file was still directly accessible. Why is that ?

For example:

Code:
<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
</Files>
According to a couple of sites that would be a very secure way of archiving that, but that also doesn?t work for me. Why is that ?

Wolfseye

UKBusinessLive 05-25-2009 04:38 PM
Quote:
Originally Posted by tlwwolfseye (Post 1816925)
Hi,

how can I protect .htaccess Files, so they can?t be browsed in a Webbrowser directly. I read on several sites about how they say it should work but when I tried those, the .htaccess file was still directly accessible. Why is that ?

For example:

Code:
<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
</Files>
According to a couple of sites that would be a very secure way of archiving that, but that also doesn?t work for me. Why is that ?

Wolfseye
Try this way ;)

Preventing someone from viewing my .htaccess file

The .htaccess file typically resides in your root directory and can be viewed through the web browser. Most of the time there is information contained the the .htaccess file that you don't want people knowing, like the rules for allowing or denying access. One way to prevent access to the .htaccess file is to disable access to that particular filename. You can add the following lines to your .htaccess file in the root directory to deny visitors from viewing all .htaccess files contained in your website:

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>

tlwwolfseye 05-25-2009 04:46 PM
Thats one of the things I tried, doesn?t work. I can still directly access the File in the Browser. Thats why I wonder.

This is my .htaccess File, or lets say part of it. Would be too many Bans in it to post here. ;)

Code:
php_value memory_limit 64M
php_value upload_max_filesize 50M
php_value max_execution_time 900

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://www.mydomain/hotlink.jpg [NC,R,L]

ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/403.html

<Files .htaccess>
order allow,deny
deny from all
</Files>

<Files *>
Order deny,allow

# Mixed IP Ranges
deny from 203.223.32.0/20
deny from 41.200.0.0/16
deny from 59.148.209.80/30
deny from 94.247.2.0/23
deny from 194.8.74.0/23
deny from 87.118.96.0/19
deny from 87.118.64.0/18
deny from 213.155.0.0/19
deny from 212.95.32.0/19
deny from 221.120.192.0/18
deny from 94.179.136.0/21
deny from 82.81.0.0/17
deny from 84.19.176.0/20
</files>

UKBusinessLive 05-25-2009 04:57 PM
Quote:
Originally Posted by tlwwolfseye (Post 1816956)
Thats one of the things I tried, doesn?t work. I can still directly access the File in the Browser. Thats why I wonder.
Now i know this will sound silly, But are you 100% sure the .htaccess file your editing is the only one one you have and its in the root of your server, The reason i ask is i've heard of a guy editing a htacess in his forum root not knowing he already had on in the server root :eek:

You need to make sure the code is like the one shown below not like your example, I know that works 100% on my site. Failing that it may be something that you'll need to take up with your host, as something is stopping you from adding this.

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
have you already got an htaccess file ??

You can read up on htaccess files here http://httpd.apache.org/docs/1.3/howto/htaccess.html

Brandon Sheley 05-25-2009 04:59 PM
Are you sure you can browse the .htaccess file?
I've never heard of this
what is your site url?

tlwwolfseye 05-25-2009 04:59 PM
I only have the one in the Site Root. And thats the contents of it above. htaccess files work good on my host, just that protection of the .htaccess File isnt working.

Thats all.

UKBusinessLive 05-25-2009 05:10 PM
Quote:
Originally Posted by tlwwolfseye (Post 1816962)
I only have the one in the Site Root. And thats the contents of it above. htaccess files work good on my host, just that protection of the .htaccess File isnt working.

Thats all.
Thats well strange, There may be something in your file which conflicts with the new edit ??, Not 100% sure but i would certainly enquire with your host.

Here is a nice little htaccess creator for those of you that don't want to spend hours editting code http://www.htaccesseditor.com/en.shtml#a_fileList

let us know how you got on tlwwolfseye, I'll keep searching for you :D

Brandon Sheley 05-25-2009 05:11 PM
As I said in the pm, I would contact your host and ask them
the htaccess file isn't generally viewable view the web

UKBusinessLive 05-25-2009 05:13 PM
Quote:
Originally Posted by Loco.M (Post 1816978)
As I said in the pm, I would contact your host and ask them
the htaccess file isn't generally viewable view the web
When a visitor tries to obtain access to your .htaccess or .htpasswd file, the server automatically generates a 403 forbidden error, even with the file permissions at their default settings.

However, you can apply a bit more security to your .htaccess files by adding the following code:

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Contacting the host provider is the best solution as Loco says.

Another thing which people forget to do is when they write a .htaccess file they save it as htaccess.txt and then you need to upload this to your root. When its there you need to rename it to .htaccess removing the .txt extension. I think the reason you can view your htaccess file is perhaps you still have the .txt or some other extension still attached :rolleyes:

tlwwolfseye 05-25-2009 06:07 PM
No, its is as it should be. .htaccess , no other extension. :) Thats why I wonder. And like i said, the other things in my .htaccess file work fine, just not the preventing to browse that file. But I will check with my hoster later.

Thanks.

WOlfseye

UKBusinessLive 05-25-2009 06:14 PM
Quote:
Originally Posted by tlwwolfseye (Post 1817025)
No, its is as it should be. .htaccess , no other extension. :) Thats why I wonder. And like i said, the other things in my .htaccess file work fine, just not the preventing to browse that file. But I will check with my hoster later.

Thanks.

WOlfseye
Remember to post back, if you fix it, i for one am interested on what the problem is, and it could help others.

Angel-Wings 05-25-2009 06:54 PM
Quote:
Originally Posted by tlwwolfseye (Post 1817025)
And like i said, the other things in my .htaccess file work fine, just not the preventing to browse that file.
Did you put

Quote:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Inside the htaccess itself or the Webserver configuration ? The second option is the way to go.

tlwwolfseye 05-25-2009 08:09 PM
Into the .htaccess File. I am now waiting for a reply from our Hoster. Might not be there before tomorrow that I here from him. I will post here when I know whats the issues.

--------------- Added [DATE]1243319257[/DATE] at [TIME]1243319257[/TIME] ---------------

Ok, i found the issue by accident. Seems besides the

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
I used another

Code:
<Files *>
order allow,deny



</Files>
around the actual Banned IP?s and when I removed that one and just kept the above Code to prevent browsing the .htaccess, it worked. So it seems 2x kinda similiar code isn?t appreciated by the .htaccess File. ;)

Just a couple of minutes ago my hoster confirmed that, he says that the second <Files> setting will overwrite the first.

GoneBushX 08-28-2013 05:05 PM
I added-
Code:
<FilesMatch "\.(htaccess|htpasswd|htgroup)$">
order allow,deny
deny from all
</FilesMatch>
:up:

Krusty1231 10-17-2013 11:18 AM
I checked mine and I could see it. I had the same issue as post #13.

It does pay to read the forums!

nhawk 10-17-2013 05:53 PM
If you can see htaccess, I'd run far, far away from your host.

htaccess should be a system level protected file. If it's not, the server's security is in major question.


All times are GMT. The time now is 02:17 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01297 seconds
  • Memory Usage 1,764KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (9)bbcode_code_printable
  • (7)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (16)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete