Actually I may have misunderstood what he was trying to say in the ZC forum.
This is what one of the Zen Cart .htaccess files states:
# @copyright Copyright 2003-2010 Zen Cart Development Team
# @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
# @version $Id: .htaccess 16111 2010-04-29 22:39:02Z drbyte $
#
# This is used with Apache WebServers
#
# The following blocks direct HTTP requests to all filetypes in this directory
# recursively, except certain approved exceptions
# It also prevents the ability of any scripts to run. No type of script, be it
# PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
# Will also prevent people from seeing what is in the dir. and any
# sub-directories
#
# For this to work, you must include either 'All' or at least: 'Limit' and
# 'Indexes' parameters to the AllowOverride configuration in your
# apache/conf/httpd.conf file.
# Additionally, if you want the added protection offered by the OPTIONS
# directive below, you'll need to add 'Options' to the AllowOverride list, if
# 'All' is not specified.
# Example:
#<Directory "/usr/local/apache/htdocs">
# AllowOverride Limit Options Indexes
#</Directory>
###############################
# deny *everything*
<FilesMatch ".*">
Order Allow,Deny
Deny from all
</FilesMatch>
# but now allow just *certain* necessary files:
<FilesMatch ".*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF)$">
Order Allow,Deny
Allow from all
</FilesMatch>
IndexIgnore */*
## NOTE: If you want even greater security to prevent hackers from running
## scripts in this folder, uncomment the following line (if your hosting company
## will allow you to use OPTIONS):
# OPTIONS -Indexes -ExecCGI
And this is what the readme docs for the new Zen Cart version state:
For added security, Zen Cart™ comes with several .htaccess files already
included in various folders to help provide protection against unwanted
visitors and even against mis-use of your site in the unfortunate situation of
your site being hacked. These protections prevent hackers from using your site
as phishing sources.
However, for these built-in protections to work, your web hosting server administrator
MUST set the AllowOverride directive in the server's apache configuration (the server's
master httpd.conf file) to "All" or at least ensure it includes these
parameters: 'Limit Indexes'.
ie: AllowOverride All
or: AllowOverride Limit Indexes
(NOTE: You must also add "Options" if uncommenting OPTIONS directives in your
.htaccess files)
Without these settings, you will likely encounter "500 Internal Server Error"
messages when attempting to access various parts of your site, including perhaps the
zc_install installer script.
Storeowners hosting on Windows Servers using IIS instead of Apache may need to
remove the .htaccess files and rework them into suitable equivalents within
your IIS configuration. See Microsoft's IIS website for specific assistance.
So from what I am understanding now, all I need to do is to edit httpd.conf and
add in the block:
ie: AllowOverride All
or: AllowOverride Limit Indexes
and not add any entries into my conf.d apache config files for the domain(s) in
question?
I was thinking that I should substitute <Directory "/usr/local/apache/htdocs">
with the path of the domain that owns that web space and put the directives in all my
individual apache config files for those domains running a store, which I did.
Now it appears that they are to be left in the .htaccess file and I just edit
the main httpd.conf file. Do you get this impression as well?
--- On Fri, 9/3/10, Rich Bowen <rbo...@rcbowen.com> wrote:
From: Rich Bowen <rbo...@rcbowen.com>
Subject: Re: [us...@httpd] Revisited: 500 internal server error, new problem
To: users@httpd.apache.org
Date: Friday, September 3, 2010, 4:11 PM
If someone is telling you that "deny
*everything*" is valid Apache httpd syntax, you can rest
assured that they don't know what they're talking about, and
you might want to find support elsewhere.
Additionally, <Directory> blocks are not permitted in
.htaccess files.
I would strongly encourage you to point this "developer"
here, as they might benefit from our help.
Meanwhile, I would encourage you to read these:
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow
Only problem is, the developer is now claiming that by
taking that one line out, that I may as well take the entire
directive set that they recommend out of my conf.d config
file for this domain, because that one line if removed,
disables all the protections provided in their new .htaccess
files that came with Zen Cart. Funny though, I could
not get his install scripts to run without all the rest of
the directives I left in.
So anyway he claims that there is a way to configure
my Apache 2.2.3 server which would make use of the deny
*everything* line in my conf.d file and provide full
protection. So I am now wondering what I need to do to
set the switch to enable Apache to use this line and provide
full protection. Something in the main httpd.conf
file?
He claims that this is out of the scope of their
support arena, the server settings that utilize his above
suggested (actually required for install) directives.
Thanks for any advice here.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache
HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more
info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest:
users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
--
Rich Bowen
rbo...@rcbowen.com
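
As an added example (not part of the original thread or of Zen Cart): a small Python check of which AllowOverride classes the quoted .htaccess needs, following the Apache 2.2 behaviour that `AllowOverride None` makes the server ignore .htaccess files entirely, while a value that omits a needed class gives the 500 error the readme mentions. The function names and status strings are assumptions made for this illustration.

```python
# Added example: checks an .htaccess against an AllowOverride value (Apache 2.2 rules).
# Override class per directive, limited to the directives used in the quoted file.
REQUIRED_CLASS = {"order": "Limit", "allow": "Limit", "deny": "Limit",
                  "indexignore": "Indexes", "options": "Options"}
ALL_CLASSES = {"AuthConfig", "FileInfo", "Indexes", "Limit", "Options"}

# Constructed sample: the active lines of the .htaccess quoted in the thread.
SAMPLE_HTACCESS = """\
<FilesMatch ".*">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch ".*\\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF)$">
Order Allow,Deny
Allow from all
</FilesMatch>
IndexIgnore */*
# OPTIONS -Indexes -ExecCGI
"""

def granted_classes(allow_override):
    """Expand an AllowOverride value such as 'All' or 'Limit Indexes' to a set."""
    words = {w.split("=")[0].lower() for w in allow_override.split()}
    if "all" in words:
        return set(ALL_CLASSES)
    return {c for c in ALL_CLASSES if c.lower() in words}

def check(htaccess_text, allow_override):
    """Return (status, missing): 'ok', 'ignored' (file never read) or 'error-500'."""
    granted = granted_classes(allow_override)
    if not granted:                      # AllowOverride None: no error, no protection
        return "ignored", {}
    missing = {}
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":  # comments and <FilesMatch> containers
            continue
        needed = REQUIRED_CLASS.get(line.split()[0].lower())
        if needed and needed not in granted:
            missing.setdefault(needed, []).append(lineno)
    return ("error-500" if missing else "ok"), missing

if __name__ == "__main__":
    for value in ("None", "FileInfo", "Limit Indexes", "All"):
        print(value, "->", check(SAMPLE_HTACCESS, value))
```

The "ignored" result is the one to watch for: the site loads without errors, but none of the deny rules in the .htaccess are being applied.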