[us...@httpd] still see .htaccess and .htpasswd through virtual host

Hello list,

I have become a little confused and hope to get some help. I have a SUSE 11.2 server running Apache/2.2.10 (Linux/SUSE) with some virtual hosts. I already have the following in the httpd.conf file:

```
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
```

But still I can read the .htaccess and .htpasswd files through the browser when I visit the virtual host. But if I add the above config at the virtual host itself, it works well. So the virtual hosts bypass the config already there in httpd.conf. Do I need to write the code for each and every virtual host then? Is it not possible to define it at any common point just once?

Please let me know,
Thanks

The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] still see .htaccess and .htpasswd through virtual host

On Thu, 2010-07-08 at 13:40 +0530, J. Bakshi wrote:
> Hello list,
>
> I have become a little confused and hope to get some help. I have a SUSE 11.2 server running Apache/2.2.10 (Linux/SUSE) with some virtual hosts. I already have the following in the httpd.conf file:
>
> ```
> AccessFileName .htaccess
> #
> # The following lines prevent .htaccess and .htpasswd files from being
> # viewed by Web clients.
> #
> <Files ~ "^\.ht">
>     Order allow,deny
>     Deny from all
> </Files>
> ```
>
> But still I can read the .htaccess and .htpasswd files through the browser when I visit the virtual host. But if I add the above config at the virtual host itself, it works well. So the virtual hosts bypass the config already there in httpd.conf. Do I need to write the code for each and every virtual host then? Is it not possible to define it at any common point just once?

Are you sure you're not seeing cached copies?

```
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
```

This prevents you from opening (GET /.htaccess) those files.

If you want to prevent them from being seen in a directory listing, use IndexIgnore:
http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#indexignore

Mark.

--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
Re: [us...@httpd] still see .htaccess and .htpasswd through virtual host

On Thu, 08 Jul 2010 09:20:36 +0100 Mark Watts m.wa...@eris.qinetiq.com wrote:
> On Thu, 2010-07-08 at 13:40 +0530, J. Bakshi wrote:
> > Hello list,
> >
> > I have become a little confused and hope to get some help. I have a SUSE 11.2 server running Apache/2.2.10 (Linux/SUSE) with some virtual hosts. I already have the following in the httpd.conf file:
> >
> > ```
> > AccessFileName .htaccess
> > #
> > # The following lines prevent .htaccess and .htpasswd files from being
> > # viewed by Web clients.
> > #
> > <Files ~ "^\.ht">
> >     Order allow,deny
> >     Deny from all
> > </Files>
> > ```
> >
> > But still I can read the .htaccess and .htpasswd files through the browser when I visit the virtual host. But if I add the above config at the virtual host itself, it works well. So the virtual hosts bypass the config already there in httpd.conf. Do I need to write the code for each and every virtual host then? Is it not possible to define it at any common point just once?
>
> Are you sure you're not seeing cached copies?
>
> ```
> <FilesMatch "^\.ht">
>     Order allow,deny
>     Deny from all
> </FilesMatch>
> ```
>
> This prevents you from opening (GET /.htaccess) those files.

Hello Mark,

Thanks for your reply. I have just checked with another browser but same here. I can see the contents of .htpasswd as well as .htaccess. Even I have added the config you have mentioned above but no luck. I am very confused now.
Re: [us...@httpd] still see .htaccess and .htpasswd through virtual host

Hello,

please configure your mailer to wrap lines below 80 characters per line. 72 to 75 is usually OK. Thank you.

On 08.07.10 13:40, J. Bakshi wrote:
> I already have the following in the httpd.conf file:
>
> ```
> AccessFileName .htaccess
> #
> # The following lines prevent .htaccess and .htpasswd files from being
> # viewed by Web clients.
> #
> <Files ~ "^\.ht">
>     Order allow,deny
>     Deny from all
> </Files>
> ```
>
> But still I can read the .htaccess and .htpasswd files through the browser when I visit the virtual host. But if I add the above config at the virtual host itself, it works well. So the virtual hosts bypass the config already there in httpd.conf. Do I need to write the code for each and every virtual host then? Is it not possible to define it at any common point just once?

Is this in server config or in some virtualhost or directory section? Is there any Files section of the host you are referring to?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: [us...@httpd] still see .htaccess and .htpasswd through virtual host

> Hello Mark,
>
> Thanks for your reply. I have just checked with another browser but same here. I can see the contents of .htpasswd as well as .htaccess. Even I have added the config you have mentioned above but no luck. I am very confused now.

Where in your configuration file(s) do you have these directives (the Files or FilesMatch block)?

Mark.

--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
Re: [us...@httpd] still see .htaccess and .htpasswd through virtual host

On Thu, 8 Jul 2010 10:57:23 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> <snip>
> is this in server config or in some virtualhost or directory section? Is there any Files section of the host you are referring to?
> </snip>

Hello Mark and Matus,

Thanks for your responses, the Files section is at httpd.conf. I think it would be the best if I show you two files; httpd.conf and a vhost.

```
## httpd.conf ###

# run under this user/group id
Include /etc/apache2/uid.conf

# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf

# ErrorLog: The location of the error log file.
ErrorLog /var/log/apache2/error_log

# generated from APACHE_MODULES in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/loadmodule.conf

# IP addresses / ports to listen on
Include /etc/apache2/listen.conf

# predefined logging formats
Include /etc/apache2/mod_log_config.conf

# generated from global settings in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/global.conf

# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf

# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf

# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
DefaultType text/plain
Include /etc/apache2/mod_mime-defaults.conf

# set up (customizable) error responses
Include /etc/apache2/errors.conf

# global (server-wide) SSL configuration, that is not specific to
# any virtual host
Include /etc/apache2/ssl-global.conf

# forbid access to the entire filesystem by default
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

### Virtual server configuration
Include /etc/apache2/vhosts.d/*.conf
```

And now here is one vhost:

```
<VirtualHost example.com:80>
    ServerName http://www.example.com
    ServerAlias http://example.com
    ServerAdmin y...@example.com

    #don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    #UseCanonicalName Off

    DocumentRoot /srv/www/htdocs/example.com
    DirectoryIndex index.php
    ScriptAlias /cgi-bin/ /srv/www/cgi-bin/

    <Directory /srv/www/htdocs/example.com/>
        Options +FollowSymLinks -Indexes
        # .htaccess slows down apache; only use it when required
        # AllowOverride All
        Order allow,deny
        Allow from all

        ### Begin: Rewrite stuff ###
        <IfModule mod_rewrite.c>
            # Enable URL rewriting
            RewriteEngine On
            RewriteBase /

            # If the file/symlink/directory does not exist => Redirect to index.php
            # Important note: If you copy/paste this into httpd.conf instead
            # of .htaccess you will need to add '%{DOCUMENT_ROOT}' left to each
            # '%{REQUEST_FILENAME}' part.
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_FILENAME} !-l
            RewriteRule .* index.php [L]
            ### End: Rewrite stuff ###
        </IfModule>
    </Directory>

    ScriptAlias /awstats /usr/local/awstats/wwwroot/cgi-bin/awstats.pl
    <Location /awstats>
        AuthType Basic
        AuthName "awstats requires a password"
        AuthUserFile /srv/www/htdocs/example.com/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

If I visit example.com; I can see the contents of both .htaccess and .htpasswd :-(
Re: [us...@httpd] still see .htaccess and .htpasswd through virtual host

any clue please ?

On Thu, 8 Jul 2010 16:38:04 +0530 J. Bakshi joyd...@infoservices.in wrote:
> On Thu, 8 Jul 2010 10:57:23 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> > <snip>
> > is this in server config or in some virtualhost or directory section? Is there any Files section of the host you are referring to?
> > </snip>
>
> Hello Mark and Matus,
>
> Thanks for your responses, the Files section is at httpd.conf. I think it would be the best if I show you two files; httpd.conf and a vhost.
>
> ```
> ## httpd.conf ###
>
> # run under this user/group id
> Include /etc/apache2/uid.conf
>
> # - how many server processes to start (server pool regulation)
> # - usage of KeepAlive
> Include /etc/apache2/server-tuning.conf
>
> # ErrorLog: The location of the error log file.
> ErrorLog /var/log/apache2/error_log
>
> # generated from APACHE_MODULES in /etc/sysconfig/apache2
> Include /etc/apache2/sysconfig.d/loadmodule.conf
>
> # IP addresses / ports to listen on
> Include /etc/apache2/listen.conf
>
> # predefined logging formats
> Include /etc/apache2/mod_log_config.conf
>
> # generated from global settings in /etc/sysconfig/apache2
> Include /etc/apache2/sysconfig.d/global.conf
>
> # optional mod_status, mod_info
> Include /etc/apache2/mod_status.conf
> Include /etc/apache2/mod_info.conf
>
> # optional cookie-based user tracking
> # read the documentation before using it!!
> Include /etc/apache2/mod_usertrack.conf
>
> # configuration of server-generated directory listings
> Include /etc/apache2/mod_autoindex-defaults.conf
>
> # associate MIME types with filename extensions
> TypesConfig /etc/apache2/mime.types
> DefaultType text/plain
> Include /etc/apache2/mod_mime-defaults.conf
>
> # set up (customizable) error responses
> Include /etc/apache2/errors.conf
>
> # global (server-wide) SSL configuration, that is not specific to
> # any virtual host
> Include /etc/apache2/ssl-global.conf
>
> # forbid access to the entire filesystem by default
> <Directory />
>     Options None
>     AllowOverride None
>     Order deny,allow
>     Deny from all
> </Directory>
>
> AccessFileName .htaccess
> #
> # The following lines prevent .htaccess and .htpasswd files from being
> # viewed by Web clients.
> #
> <Files ~ "^\.ht">
>     Order allow,deny
>     Deny from all
> </Files>
>
> ### Virtual server configuration
> Include /etc/apache2/vhosts.d/*.conf
> ```
>
> And now here is one vhost:
>
> ```
> <VirtualHost example.com:80>
>     ServerName http://www.example.com
>     ServerAlias http://example.com
>     ServerAdmin y...@example.com
>
>     #don't lose time with IP address lookups
>     HostnameLookups Off
>
>     # needed for named virtual hosts
>     #UseCanonicalName Off
>
>     DocumentRoot /srv/www/htdocs/example.com
>     DirectoryIndex index.php
>     ScriptAlias /cgi-bin/ /srv/www/cgi-bin/
>
>     <Directory /srv/www/htdocs/example.com/>
>         Options +FollowSymLinks -Indexes
>         # .htaccess slows down apache; only use it when required
>         # AllowOverride All
>         Order allow,deny
>         Allow from all
>
>         ### Begin: Rewrite stuff ###
>         <IfModule mod_rewrite.c>
>             # Enable URL rewriting
>             RewriteEngine On
>             RewriteBase /
>
>             # If the file/symlink/directory does not exist => Redirect to index.php
>             # Important note: If you copy/paste this into httpd.conf instead
>             # of .htaccess you will need to add '%{DOCUMENT_ROOT}' left to each
>             # '%{REQUEST_FILENAME}' part.
>             RewriteCond %{REQUEST_FILENAME} !-f
>             RewriteCond %{REQUEST_FILENAME} !-d
>             RewriteCond %{REQUEST_FILENAME} !-l
>             RewriteRule .* index.php [L]
>             ### End: Rewrite stuff ###
>         </IfModule>
>     </Directory>
>
>     ScriptAlias /awstats /usr/local/awstats/wwwroot/cgi-bin/awstats.pl
>     <Location /awstats>
>         AuthType Basic
>         AuthName "awstats requires a password"
>         AuthUserFile /srv/www/htdocs/example.com/.htpasswd
>         Require valid-user
>     </Location>
> </VirtualHost>
> ```
>
> If I visit example.com; I can see the contents of both .htaccess and .htpasswd :-(
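
A server-side way to check which virtual hosts really hand out `.ht*` files, independent of any browser cache, is to audit the access log. This is an added example, not code from anyone in the thread; it assumes a log format that puts the virtual host name (`%v`) in front of the common log fields, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumption: LogFormat "%v %h %l %u %t \"%r\" %>s %b" (vhost name first).
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) \S+ \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Same pattern as the thread's <Files ~ "^\.ht"> section, applied to the file name.
HT_NAME_RE = re.compile(r'^\.ht')


def access_allowed(status):
    # 2xx returns the body; 304 is only sent when access was permitted, so
    # the browser's cached copy is still a copy the server agreed to serve.
    return status.startswith("2") or status == "304"


def leaked_ht_files(log_lines):
    """Map each virtual host to the .ht* paths it allowed clients to fetch."""
    leaks = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not in the assumed format
        # Decode %xx escapes and drop the query string, as the server does
        # before mapping the URL to a file name.
        path = unquote(urlsplit(m.group("target")).path)
        name = path.rsplit("/", 1)[-1]
        if HT_NAME_RE.match(name) and access_allowed(m.group("status")):
            leaks[m.group("vhost")].add(path)
    return {vhost: sorted(paths) for vhost, paths in leaks.items()}


# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = [
    'example.com 192.0.2.10 - - [08/Jul/2010:13:41:02 +0530] "GET /.htaccess HTTP/1.1" 200 412',
    'example.com 192.0.2.10 - - [08/Jul/2010:13:41:09 +0530] "GET /%2Ehtpasswd HTTP/1.1" 200 58',
    'example.org 192.0.2.10 - - [08/Jul/2010:13:42:30 +0530] "GET /.htaccess HTTP/1.1" 403 1004',
    'example.org 192.0.2.11 - - [08/Jul/2010:13:43:00 +0530] "GET /docs/what.html HTTP/1.1" 200 2048',
    'example.com 192.0.2.12 - - [08/Jul/2010:13:44:10 +0530] "GET /blog/.htaccess?x=1 HTTP/1.1" 304 -',
]

if __name__ == "__main__":
    for vhost, paths in sorted(leaked_ht_files(SAMPLE_LOG).items()):
        print(f"{vhost}: {', '.join(paths)}")
```

A virtual host that is missing from the result either denied every such request or received none, so the audit is only meaningful after each host has been requested at least once.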