vb.org Archive
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)
-   -   How to protect .htaccess Files ? (https://vborg.vbsupport.ru/showthread.php?t=214512)

tlwwolfseye 05-25-2009 03:58 PM
How to protect .htaccess Files ?
 
Hi,

how can I protect .htaccess Files, so they can?t be browsed in a Webbrowser directly. I read on several sites about how they say it should work but when I tried those, the .htaccess file was still directly accessible. Why is that ?

For example:

Code:
<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
</Files>
According to a couple of sites that would be a very secure way of archiving that, but that also doesn?t work for me. Why is that ?

Wolfseye

UKBusinessLive 05-25-2009 04:38 PM
Quote:
Originally Posted by tlwwolfseye (Post 1816925)
Hi,

how can I protect .htaccess Files, so they can?t be browsed in a Webbrowser directly. I read on several sites about how they say it should work but when I tried those, the .htaccess file was still directly accessible. Why is that ?

For example:

Code:
<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
</Files>
According to a couple of sites that would be a very secure way of archiving that, but that also doesn?t work for me. Why is that ?

Wolfseye
Try this way ;)

Preventing someone from viewing my .htaccess file

The .htaccess file typically resides in your root directory and can be viewed through the web browser. Most of the time there is information contained the the .htaccess file that you don't want people knowing, like the rules for allowing or denying access. One way to prevent access to the .htaccess file is to disable access to that particular filename. You can add the following lines to your .htaccess file in the root directory to deny visitors from viewing all .htaccess files contained in your website:

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>

tlwwolfseye 05-25-2009 04:46 PM
Thats one of the things I tried, doesn?t work. I can still directly access the File in the Browser. Thats why I wonder.

This is my .htaccess File, or lets say part of it. Would be too many Bans in it to post here. ;)

Code:
php_value memory_limit 64M
php_value upload_max_filesize 50M
php_value max_execution_time 900

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://www.mydomain/hotlink.jpg [NC,R,L]

ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/403.html

<Files .htaccess>
order allow,deny
deny from all
</Files>

<Files *>
Order deny,allow

# Mixed IP Ranges
deny from 203.223.32.0/20
deny from 41.200.0.0/16
deny from 59.148.209.80/30
deny from 94.247.2.0/23
deny from 194.8.74.0/23
deny from 87.118.96.0/19
deny from 87.118.64.0/18
deny from 213.155.0.0/19
deny from 212.95.32.0/19
deny from 221.120.192.0/18
deny from 94.179.136.0/21
deny from 82.81.0.0/17
deny from 84.19.176.0/20
</files>

UKBusinessLive 05-25-2009 04:57 PM
Quote:
Originally Posted by tlwwolfseye (Post 1816956)
Thats one of the things I tried, doesn?t work. I can still directly access the File in the Browser. Thats why I wonder.
Now i know this will sound silly, But are you 100% sure the .htaccess file your editing is the only one one you have and its in the root of your server, The reason i ask is i've heard of a guy editing a htacess in his forum root not knowing he already had on in the server root :eek:

You need to make sure the code is like the one shown below not like your example, I know that works 100% on my site. Failing that it may be something that you'll need to take up with your host, as something is stopping you from adding this.

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
have you already got an htaccess file ??

You can read up on htaccess files here http://httpd.apache.org/docs/1.3/howto/htaccess.html

Brandon Sheley 05-25-2009 04:59 PM
Are you sure you can browse the .htaccess file?
I've never heard of this
what is your site url?

tlwwolfseye 05-25-2009 04:59 PM
I only have the one in the Site Root. And thats the contents of it above. htaccess files work good on my host, just that protection of the .htaccess File isnt working.

Thats all.

UKBusinessLive 05-25-2009 05:10 PM
Quote:
Originally Posted by tlwwolfseye (Post 1816962)
I only have the one in the Site Root. And thats the contents of it above. htaccess files work good on my host, just that protection of the .htaccess File isnt working.

Thats all.
Thats well strange, There may be something in your file which conflicts with the new edit ??, Not 100% sure but i would certainly enquire with your host.

Here is a nice little htaccess creator for those of you that don't want to spend hours editting code http://www.htaccesseditor.com/en.shtml#a_fileList

let us know how you got on tlwwolfseye, I'll keep searching for you :D

Brandon Sheley 05-25-2009 05:11 PM
As I said in the pm, I would contact your host and ask them
the htaccess file isn't generally viewable view the web

UKBusinessLive 05-25-2009 05:13 PM
Quote:
Originally Posted by Loco.M (Post 1816978)
As I said in the pm, I would contact your host and ask them
the htaccess file isn't generally viewable view the web
When a visitor tries to obtain access to your .htaccess or .htpasswd file, the server automatically generates a 403 forbidden error, even with the file permissions at their default settings.

However, you can apply a bit more security to your .htaccess files by adding the following code:

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Contacting the host provider is the best solution as Loco says.

Another thing which people forget to do is when they write a .htaccess file they save it as htaccess.txt and then you need to upload this to your root. When its there you need to rename it to .htaccess removing the .txt extension. I think the reason you can view your htaccess file is perhaps you still have the .txt or some other extension still attached :rolleyes:

tlwwolfseye 05-25-2009 06:07 PM
No, its is as it should be. .htaccess , no other extension. :) Thats why I wonder. And like i said, the other things in my .htaccess file work fine, just not the preventing to browse that file. But I will check with my hoster later.

Thanks.

WOlfseye


All times are GMT. The time now is 10:24 AM.
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01239 seconds
  • Memory Usage 1,749KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (6)bbcode_code_printable
  • (4)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete