htaccess file deny from all, redirects to 404 not found on 403.shtml

batfastad

I'm setting up a quick internal project in a new addon domain in cPanel. This particular one has an SSL cert installed. I was building my .htaccess up and added a <Files config.php> directive to deny from all so that my config.php file isn't accessible. I realise that storing it outside of the web root is the ideal option but I can't in this case.

Normally I would expect that when going to www.domain.com/config.php in a browser that I would get Apache's default 403 Forbidden page. This is what happens on other domains on the same server. But in this case I'm being given a 404 not found error, stating:

Not Found
The requested URL /403.shtml was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
I would normally expect this if I was attempting to define custom error documents but in this case, I'm not! Not in my .htaccess or in cPanel's error documents section.

The only thing that makes this domain different to all the others in the same cPanel account is the fact it has an SSL certificate. And this 404 error is the same regardless of navigating to config.php using http or https. I've tried clearing cache and still see the same result.

Could it be anything to do with the way cPanel handles primary and addon domains?
In a cPanel account you have a primary domain whose files live under public_html then you define addon domains (or subdomains) whose files live under public_html/addondomain.com/

Would the .htaccess for the primary domain at public_html/.htaccess be affecting/overriding that of addon domains at public_html/addondomain.com/.htaccess?
I know .htaccess does cascade down through directories but is that the case even above a particular domain's DocumentRoot, e.g.: the .htaccess in the primary domain affecting an addon domain?

Here's the .htaccess file for the addon domain in question and I don't think anything in it should cause this behaviour...
Code:
DirectoryIndex /index.php

Options -Indexes +FollowSymLinks
ServerSignature Off

# PARSE PHP IN OTHER FILES
# AddType FOR PHP AS APACHE MODULE, AddHandler FOR CGI
AddType application/x-httpd-php .ics .xml

# ATTEMPT FORCE PDF DOWNLOAD
AddType application/octet-stream .pdf

# PREVENT ACCESS TO CONFIG
<Files config.php>
order allow,deny
deny from all
</Files>

# CACHING
# http://httpd.apache.org/docs/current/mod/mod_headers.html
<FilesMatch "\.(js|css|ico|png|gif|jpg)$">
Header set Cache-Control "max-age=172800, public, must-revalidate"
#Header set Expires "Thu, 15 Apr 2011 20:00:00 GMT"
</FilesMatch>

# PREVENT ACCESS TO STATS UPDATE SCRIPT AS IT'S CLI ONLY
<Files stats_update.php>
order allow,deny
deny from all
</Files>

Redirect 302 /preview http://otherdomain.com/documents/preview
Redirect 302 /sample http://otherdomain.com/documents/preview

RewriteEngine On

# REWRITE NON-WWW TO WWW
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301]

RewriteRule ^about/?$ /index.php [L]
RewriteRule ^contact/?$ /contact.php [L]
RewriteRule ^home/?$ /home.php [L]
RewriteRule ^order/?$ /order.php [L]

# MAINTAINANCE
#RewriteCond %{REMOTE_HOST} !^123\.123\.123\.123
#RewriteCond %{REQUEST_URI} !^/maintainance\.html$
#RewriteRule ^(.*)$ /maintainance.html [R=302,L]
Cheers, B
 

JaredR.

It does appear, as you mentioned, that it is trying to use a custom 403.shtml page, and you do not have one defined. I am not certain why it is not using the default Apache 403 page, so it would probably be best if you submit a ticket, and we will be happy to take a look at your server for you.
 

batfastad

Hi everyone

Not contacted cPanel support directly yet as I've managed to get some further info.

It looks like it might be something to do with the following in my htaccess...
Code:
# REWRITE NON-WWW TO WWW
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301]
When requesting http://domain.com/config.php, that's when I was seeing the 404 when attempting to load the default 403 error page. Requesting http://www.domain.com/config.php worked fine and shows Apache's default 403 page.

Commenting/removing that section from my .htaccess, clearing cache, then requesting http://domain.com/config.php and now I get Apache's default 403 page instead of the 404 on /403.shtml

Anyone else seen this before and able to replicate?
So is there a better way for rewriting the URL to add the www. that might avoid this problem?

Cheers, B
 

cPanelTristan

Quality Assurance Analyst
Staff member
If you add the 403.shtml file (you can create it in cPanel > Error pages area) for that account, does it work with that .htaccess rule in place? While I realize you can remove the rule for the rewrite, finding out if this doesn't happen without it and if the custom error page is in place would be helpful.
 

batfastad

If I add a 403.shtml for this domain then that custom 403 page gets shown rather than the 404 not found on 403.shtml when requesting www.domain.com/config.php and domain.com/config.php
That's with my www. rewrite in place

What's probably happening is that when requesting http://domain.com/config.php Apache is appending 403.shtml then the rewrite is happening to add www. so the request becomes http://www.domain.com/403.shtml which is not found.
Whereas requesting http://www.domain.com/config.php directly just shows the default error page.

Cheers, B
 

batfastad

Right, after almost a day of further mucking around I've tracked down what's causing this! :mad:
And it's not something I can get around, it's hard-coded into cPanel's design.

So I was running a curl command to try and debug what was happening with no browser cache or anything getting in the way...
Code:
[email protected] [/home/username]# curl -i 'http://www.mydomain.com/config.php'
HTTP/1.1 403 Forbidden
Date: Sun, 16 Sep 2012 19:05:10 GMT
Server: Apache
Content-Length: 331
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /config.php
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

[email protected] [/home/username]# curl -i 'http://mydomain.com/config.php'
HTTP/1.1 301 Moved Permanently
Date: Sun, 16 Sep 2012 19:05:20 GMT
Server: Apache
Location: http://www.mydomain.com/403.shtml
Content-Length: 244
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.mydomain.com/403.shtml">here</a>.</p>
</body></html>
The first command for http://www.mydomain.com/config.php shows the correct 403 response and the default 403 page.
The second command for http://mydomain.com/config.php is doing the 301 redirect per my non-www to www rewrite but the request has been modified to go to 403.shtml

At no point have I set any ErrorDocument directives.

But it seems that cPanel includes a config file...
Code:
/usr/local/apache/conf/includes/errordocument.conf
...
# 403 - Forbidden
ErrorDocument 403 /403.shtml
Which sets all the error documents for you rather than using Apache's internal defaults. These default error documents are visually the same as Apache's defaults but cPanel probably handles them individually for localisation.

So there we are. It was nothing to do with me but cPanel all along. It doesn't cause a problem but it just looks confusing. I will set my own 403 page to avoid this confusion.

Hope this helps someone out

Cheers, B
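
Added example, not from any poster in this thread: a .htaccess fragment showing two ways to keep the non-www rewrite from catching the internal /403.shtml request diagnosed above, so a denied file answers 403 on both hostnames instead of a 301. It assumes Apache with mod_rewrite and AllowOverride FileInfo; either option works on its own.

```apache
# Added example (constructed; not from the thread). Drop-in .htaccess fragment.

# Option A: restore Apache's built-in 403 body for this directory, so a denied
# request no longer triggers an internal redirect to /403.shtml at all.
# Needs AllowOverride FileInfo (assumed; the thread's .htaccess already uses
# AddType and Redirect, which need the same override class).
ErrorDocument 403 default

# PREVENT ACCESS TO CONFIG (unchanged from the thread)
<Files config.php>
order allow,deny
deny from all
</Files>

RewriteEngine On

# BEFORE (from the thread): also fires on the internal /403.shtml request,
# turning the 403 into a 301 to http://www.<host>/403.shtml.
#RewriteCond %{HTTP_HOST} !^www\. [NC]
#RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301]

# Option B: canonical-host redirect that ignores internal redirects.
# Apache sets REDIRECT_STATUS on the request created by an internal redirect
# (ErrorDocument handling included); it is empty on the client's original
# request, so ordinary non-www requests are still redirected.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
```

To check the result, repeat the two `curl -i` requests from the post above: both hostnames should now return `403 Forbidden` for /config.php, with no `Location: .../403.shtml` header on the non-www one.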