The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

htaccess file deny from all, redirects to 404 not found on 403.shtml

Discussion in 'General Discussion' started by batfastad, Sep 4, 2012.

  1. batfastad

    batfastad Member

    Joined:
    Jun 13, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I'm setting up a quick internal project in a new addon domain in cPanel. This particular one has an SSL cert installed. I was building my .htaccess up and added a <Files config.php> directive to deny from all so that my config.php file isn't accessible. I realise that storing it outside of the web root is the ideal option but I can't in this case.

    Normally I would expect that when going to www.domain.com/config.php in a browser that I would get Apache's default 403 Forbidden page. This is what happens on other domains on the same server. But in this case I'm being given a 404 not found error, stating:

    I would normally expect this if I was attempting to define custom error documents but in this case, I'm not! Not in my .htaccess or in cPanel's error documents section.

    The only thing that makes this domain different to all the others in the same cPanel account is the fact it has an SSL certificate. And this 404 error is the same regardless of navigating to config.php using http or https. I've tried clearing cache and still see the same result.

    Could it be anything to do with the way cPanel handles primary and addon domains?
    In a cPanel account you have a primary domain whose files live under public_html then you define addon domains (or subdomains) whose files live under public_html/addondomain.com/

    Would the .htaccess for the primary domain at public_html/.htaccess be affecting/overriding that of addon domains at public_html/addondomain.com/.htaccess?
    I know .htaccess does cascade down through directories but is that the case even above a particular domain's DocumentRoot, e.g.: the .htaccess in the primary domain affecting an addon domain?

    Here's the .htaccess file for the addon domain in question and I don't think anything in it should cause this behaviour...
    Code:
    DirectoryIndex /index.php
    
    Options -Indexes +FollowSymLinks
    ServerSignature Off
    
    # PARSE PHP IN OTHER FILES
    # AddType FOR PHP AS APACHE MODULE, AddHandler FOR CGI
    AddType application/x-httpd-php .ics .xml
    
    # ATTEMPT FORCE PDF DOWNLOAD
    AddType application/octet-stream .pdf
    
    # PREVENT ACCESS TO CONFIG
    <Files config.php>
    order allow,deny
    deny from all
    </Files>
    
    # CACHING
    # http://httpd.apache.org/docs/current/mod/mod_headers.html
    <FilesMatch "\.(js|css|ico|png|gif|jpg)$">
    Header set Cache-Control "max-age=172800, public, must-revalidate"
    #Header set Expires "Thu, 15 Apr 2011 20:00:00 GMT"
    </FilesMatch>
    
    # PREVENT ACCESS TO STATS UPDATE SCRIPT AS IT'S CLI ONLY
    <Files stats_update.php>
    order allow,deny
    deny from all
    </Files>
    
    Redirect 302 /preview http://otherdomain.com/documents/preview
    Redirect 302 /sample http://otherdomain.com/documents/preview
    
    RewriteEngine On
    
    # REWRITE NON-WWW TO WWW
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301]
    
    RewriteRule ^about/?$ /index.php [L]
    RewriteRule ^contact/?$ /contact.php [L]
    RewriteRule ^home/?$ /home.php [L]
    RewriteRule ^order/?$ /order.php [L]
    
    # MAINTAINANCE
    #RewriteCond %{REMOTE_HOST} !^123\.123\.123\.123
    #RewriteCond %{REQUEST_URI} !^/maintainance\.html$
    #RewriteRule ^(.*)$ /maintainance.html [R=302,L]
    Cheers, B
     
    #1 batfastad, Sep 4, 2012
    Last edited: Sep 5, 2012
  2. batfastad

    batfastad Member

    Joined:
    Jun 13, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Anyone got any idea on what could be going on here?

    Cheers, B
     
  3. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    It does appear, as you mentioned, that it is trying to use a custom 403.shtml page, and you do not have defined. I am not certain why it is not using the default Apache 403 page, so it would probably best if you submit a ticket, and we will be happy to take a look at your server for you.
     
  4. batfastad

    batfastad Member

    Joined:
    Jun 13, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi everyone

    Not contacted cPanel support directly yet as I've managed to get some further info.

    It looks like it might be something to do with the following in my htaccess...
    Code:
    # REWRITE NON-WWW TO WWW
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301]
    When requesting http://domain.com/config.php, that's when I was seeing the 404 when attempting to load the default 403 error page. Requesting http://www.domain.com/config.php worked fine and shows Apache's default 403 page.

    Commenting/removing that section from my .htaccess, clearing cache, then requesting http://domain.com/config.php and I now I get Apache's default 403 page instead of the 404 on /403.shtml

    Anyone else seen this before and able to replicate?
    So is there a better way for rewriting the URL to add the www. that might avoid this problem?

    Cheers, B
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    If you add the 403.shtml file (you can create it in cPanel > Error pages area) for that account, does it work with that .htaccess rule in place? While I realize you can remove the rule for the rewrite, finding out if this doesn't happen without it and if the custom error page is in place would be helpful.
     
  6. batfastad

    batfastad Member

    Joined:
    Jun 13, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    If I add a 403.shtml for this domain then that custom 403 page gets shown rather than the 404 not found on 403.shtml when requesting www.domain.com/config.php and domain.com/config.php
    That's with my www. rewrite in place

    What's probably happening is that when requesting http://domain.com/config.php Apache is appending 403.shtml then the rewrite is happening to add www. so the request becomes http://www.domain.com/403.shtml which is not found.
    Whereas requesting http://www.domain.com/config.php directly just shows the default error page.

    Cheers, B
     
    #6 batfastad, Sep 12, 2012
    Last edited: Sep 12, 2012
  7. batfastad

    batfastad Member

    Joined:
    Jun 13, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Right, after almost a day of further mucking around I've tracked down what's causing this! :mad:
    And it's not something I can get around, it's hard-coded into cPanel's design.

    So I was running a curl command to try and debug what was happening with no browser cache or anything getting in the way...
    Code:
    root@vps [/home/username]#curl -i 'http://www.mydomain.com/config.php'
        HTTP/1.1 403 Forbidden
        Date: Sun, 16 Sep 2012 19:05:10 GMT
        Server: Apache
        Content-Length: 331
        Content-Type: text/html; charset=iso-8859-1
         
        <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
        <html><head>
        <title>403 Forbidden</title>
        </head><body>
        <h1>Forbidden</h1>
        <p>You don't have permission to access /config.php
        on this server.</p>
        <p>Additionally, a 404 Not Found
        error was encountered while trying to use an ErrorDocument to handle the request.</p>
        </body></html>
         
    
        root@vps [/home/username]# curl -i 'http://mydomain.com/config.php'
        HTTP/1.1 301 Moved Permanently
        Date: Sun, 16 Sep 2012 19:05:20 GMT
        Server: Apache
        Location: http://www.mydomain.com/403.shtml
        Content-Length: 244
        Content-Type: text/html; charset=iso-8859-1
         
        <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
        <html><head>
        <title>301 Moved Permanently</title>
        </head><body>
        <h1>Moved Permanently</h1>
        <p>The document has moved <a href="http://www.mydomain.com/403.shtml">here</a>.</p>
        </body></html>
    The first command for http://www.mydomain.com/config.php shows the correct 403 response and the default 403 page.
    The second command for http://mydomain.com/config.php is doing the 301 redirect per my non-www to www rewrite but the request has been modified to go to 403.shtml

    At no point have I set any ErrorDocument directives.

    But it seems that cPanel includes a config file...
    Code:
    /usr/local/apache/conf/includes/errordocument.conf
    ...
    # 403 - Forbidden
    ErrorDocument 403 /403.shtml
    Which sets all the error documents for you rather than using Apache's internal defaults. These default error documents are visually the same as Apache's defaults but cPanel probably handles them individually for localisation.

    So there we are. It was nothing to do with me but cPanel all along. It doesn't cause a problem but it just looks confusing. I will set my own 403 page to avoid this confusion.

    Hope this helps someone out

    Cheers, B
     
Loading...

Share This Page