
.htaccess viewable on net to all...

Discussion in 'General Discussion' started by ryno267, May 30, 2004.

  1. ryno267

    ryno267 Well-Known Member

    Joined:
    Mar 3, 2004
    Messages:
    212
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chandler, AZ
    cPanel Access Level:
    Root Administrator
    On our site... if you go to www.domain.com/.htaccess

    the file is viewable on the net...

    If I chmod it to 640, the site doesn't work.
    If I keep it at 644 it works, but then anybody can see the file if they type in its URL.

    What do I have to change to fix this? I'm assuming it's a security risk...

    thanks
     
  2. GeekPatrolMille

    GeekPatrolMille Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    McKinney, Texas, USA
    You must have solved it since it is not viewable now.

    What did you find that was causing your problem and what was required to solve it? Please post a follow-up so the group benefits from your knowledge.

    -greg
     
  3. ryno267

    Um... nothing was fixed.....

    I can chmod so that world doesn't see it (640) but then my site doesn't work at all. So I had to put it back to 644 where it was, which means that if you go to www.mydomain.com/.htaccess anybody can view it.

    Nothing is solved at all - I'm still in need of a fix.
     
  4. ryno267

    Like, is there a setting in cPanel / Apache that hides .ht* files??

    EDIT

    In my httpd.conf I have this setting:

    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>

    Is that not right?
     
    #4 ryno267, May 30, 2004
    Last edited: May 30, 2004
  5. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    That's correct, also make sure the following exists above that.

    AccessFileName .htaccess


    Also in your .htaccess make sure this exists.

    require valid-user


    If that is not there then .htaccess will be readable.
     
  6. GeekPatrolMille

    Had another thought...

    This line as the first line of the .htaccess file will explicitly block the .htaccess file as well as a few others like FP ext.

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    Did not think of this when we were chatting

    -greg
     
  7. ryno267

    Here's the deal.

    I added the
    require valid-user
    to my .htaccess file....

    Good news.. the .htaccess file comes up as 403 forbidden... BAD NEWS.. my site doesn't work - get a 500 server error...

    Any other ideas...

    GeekPatrolMiller: I added that line... and all it did was show an extra line in .htaccess... did nothing

    *sigh* still looking for ideas.....

    thanks
     
  8. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    That is correct and file permission of 644 is also correct. I would check ownership of the .htaccess file to make sure account id:group is correct. Also, if you check your Apache logs while testing browser access to the .htaccess file, it could reveal something helpful.
     
  9. ryno267

    Well, if this is a server-wide issue then I'm assuming the chown would be correct...

    I checked the dir -ls on this particular account and it was myusername:myusername
    I changed to root:root - but nothing changed.

    What should it be?
     
  10. ryno267

    I also was reading on newsgroups about the "satisfy all" line...

    I took that out and seemingly changed nothing...
    didn't help or break anything (that I can tell)


    I changed to this for testing:

    <Files ~ "^\.htaccess">
    Order allow,deny
    Deny from all
    </Files>


    but did nothing either

    *sigh* any more ideas?
     
    #10 ryno267, Jun 1, 2004
    Last edited: Jun 1, 2004
  11. ryno267

    bump... any ideas?
     
  12. GeekPatrolMille

    I have exhausted my cache of ideas but that said, I am not the most knowledgeable person around. I would be happy to poke around inside your system to see if I could figure out something more. I am certainly curious why this is happening but currently do not have a clue.

    Puzzled...???
    -greg
     
  13. ryno267

    I put in a ticket with cPanel and got this in response after they ssh'ed in ....


    So I'm still stuck.. any Apache guys out there? lol
     
  14. GeekPatrolMille

    Can you post or send the htaccess file... If it contains private info, please do not post. I am still curious to know why...

    -greg
     
  15. ryno267

    sure... no problem

    Code:
    RewriteEngine on
    RewriteRule   ^quixplorer.*$  -                [L]
    RewriteRule   ^admin.*$       -                [L]
    RewriteRule   ^paradise.*$    -                [L]
    RewriteRule   ^upload.*$      -                [L]
    RewriteRule   ^testing.*$     -                [L]
    RewriteRule   ^client.*$      -                [L]
    RewriteRule   ^_mmServerScripts.*$  -          [L]
    RewriteRule !\.(gif|jpg|png|css|swf)$ /home/username/public_html/index.php

    Those are folders that are allowed access because they are not to be made by the database... so we have titles of pages in the database... and then the URL is this:
    www.domain.com/title-of-page

    so we put the folders we need to access in the .htaccess file...

    then the rewrite rule for the images is for hotlinking - which works fine...
     
  16. ryno267

    on IRC with #cpanel now... got some help but .htaccess is still viewable

    <Files ~ "^\.ht">
    order deny,allow
    deny from all
    </Files>



    ANYBODY know of ANY other reasons this would be viewable????
     
  17. ryno267

    this is slightly different... but... it had a greater effect than any others...

    Code:
    <Files ~ "^.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>

    Well I've got good news and I've got bad news....

    Good news... is that the .htaccess file comes up as 403 like it's supposed to....

    Bad news... my site via the .htaccess doesn't work... I get 404 errors on all links.

    NOW no matter what I do I can't get the site to work now... HELP...

    I changed back httpd.conf but no worky.... wtf
     
  18. ryno267

    ok... rebuilt httpd.conf from save file

    THANK YOU STEVE for helping....

    back to normal.. where .htaccess is viewable...
     
  19. ryno267

    okay... I'm bumping this thread again.... My .htaccess file is STILL viewable to anybody with a web browser that accesses it directly.

    Now in /usr/local/apache/conf/httpd.conf I see this

    Now that last paragraph throws me off. Am I supposed to UNcomment that to make .htaccess not viewable or should it be working that way already?

    help ... again...
     
  20. Prince_Charming

    Joined:
    Aug 25, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    I would uncomment it, most sites have pragma-no cache anyway.
    And maybe that may fix your problem
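
Added example (not part of any post above, and not cPanel's or Apache's own tooling): post 19 asks whether a commented-out block in httpd.conf is what should be hiding .htaccess. This Python script reads config text and reports whether a deny block covering a given file name is active, commented out, or missing; the sample config, the function names and the use of Python's `re` in place of Apache's regex engine are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed httpd.conf fragment (not the poster's file): the protective
# block is present but commented out, the case post 19 asks about.
SAMPLE_CONF = r'''
AccessFileName .htaccess
#<Files ~ "^\.ht">
#    Order allow,deny
#    Deny from all
#</Files>
<Files ~ "\.(inc|bak)$">
    Order allow,deny
    Deny from all
</Files>
'''

OPEN = re.compile(r'^<Files(Match)?\s+(~\s+)?"?([^">]+)"?\s*>$', re.I)
CLOSE = re.compile(r'^</Files(Match)?>$', re.I)
# Syntax used in the thread, plus the Apache 2.4 form "Require all denied".
DENY = re.compile(r'^(deny\s+from\s+all|require\s+all\s+denied)$', re.I)

def blocks(conf):
    """Yield (pattern, is_regex, commented, denies) for each Files block."""
    cur = None
    for raw in conf.splitlines():
        stripped = raw.strip()
        commented = stripped.startswith('#')
        line = stripped.lstrip('#').strip()
        m = OPEN.match(line)
        if m:
            cur = [m.group(3), bool(m.group(1) or m.group(2)), commented, False]
        elif cur and CLOSE.match(line):
            yield tuple(cur)
            cur = None
        elif cur and commented == cur[2] and DENY.match(line):
            cur[3] = True  # only count a deny that has the same state as its block

def audit(conf, name='.htaccess'):
    """Return 'protected', 'commented-out' or 'missing' for a file name."""
    status = 'missing'
    for pattern, is_regex, commented, denies in blocks(conf):
        # Assumption: re approximates Apache regexes; bare <Files> args are wildcards.
        hit = re.search(pattern, name) if is_regex else fnmatchcase(name, pattern)
        if hit and denies:
            if not commented:
                return 'protected'
            status = 'commented-out'
    return status
```

`audit(SAMPLE_CONF)` returns `'commented-out'` for the constructed sample. The script only reads the text it is given; files pulled in by `Include` and settings in other contexts are not followed.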
     