Deny,Allow and Require valid-user are making .ht files accessible?


fmchris

6:29 am on Mar 22, 2009 (gmt 0)

10+ Year Member



Hey all, I'm running a live Apache server that can be accessed via domain.com.

Below the primary server host in httpd.conf, I have the following:

<VirtualHost *:80>
DocumentRoot /var/www/html/intranet
ServerName intranet.domain.com
</VirtualHost>

<Directory /var/www/html/intranet>
Order Deny,Allow
Deny from All
AuthName "Protected Intranet"
AuthUserFile /var/www/html/intranet/.htpasswd
AuthType Basic
Require valid-user
Allow from 192.168.1
Satisfy Any
</Directory>

This is basically to set up an "intranet"-like folder on the live server that can only be accessed locally (via intranet.domain.com which is added on my network's local DNS server). If you're not local, it should prompt for a password.

That works fine. However, I noticed ONLY in this directory, any .htaccess or .htpasswd files are readable to visitors, which is not a good thing. The following rule works on every other directory except this one:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

So, my question is, how do I hide these files, and why are they not hidden? I tried the following:

<Files /var/www/html/intranet/.htpasswd>
Order allow,deny
Deny from all
</Files>

<Files .htpasswd>
Order allow,deny
Deny from all
</Files>

And several variations (i.e. dropping the Order) but met with no success.

g1smd

8:49 am on Mar 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I had this once and added this in .htaccess to do a similar job:

RewriteRule ^\.ht - [F]

which simply returns a 403 Forbidden response for that request.

jdMorgan

4:47 pm on Mar 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Have you tried "Order Deny,Allow" on the .htpasswd access control? The problem might be a conflict with the Order inherited from the <Directory>.

Jim

fmchris

5:47 pm on Mar 22, 2009 (gmt 0)

10+ Year Member



Yes, I tried Order Deny,Allow just now. I also tried including the Files block nested inside the VirtualHost and the Directory blocks but neither worked.

Caterham

7:30 pm on Mar 22, 2009 (gmt 0)

10+ Year Member



Satisfy Any

Make sure you set Satisfy all as well.

<Files ~ "^\.ht">
Satisfy all
Order allow,deny
Deny from all
</Files>

fmchris

12:58 am on Mar 23, 2009 (gmt 0)

10+ Year Member



Hey, good catch! That did the trick. I just added Satisfy All to that as in your post and it works great now.
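
Why the inherited Satisfy Any defeats the Files rule, as an added example that is not part of any post above: a simplified Python model of how Apache 2.2 combines the host check with Require valid-user. The function names, the dictionary layout and the sample client addresses are constructed for illustration, and the merge is modelled as "the Files block overrides what it sets and inherits the rest".

```python
import ipaddress

def host_allowed(cfg, client_ip):
    """Order/Allow/Deny check for one client address."""
    ip = ipaddress.ip_address(client_ip)
    in_allow = any(ip in ipaddress.ip_network(n) for n in cfg["allow"])
    in_deny = any(ip in ipaddress.ip_network(n) for n in cfg["deny"])
    if cfg["order"] == "deny,allow":      # default allow, Allow overrides Deny
        return in_allow or not in_deny
    return in_allow and not in_deny       # allow,deny: default deny, Deny wins

def request_status(cfg, client_ip, authenticated):
    """HTTP status for a request under the effective configuration."""
    host_ok = host_allowed(cfg, client_ip)
    if not cfg["require_valid_user"]:
        return 200 if host_ok else 403
    if cfg["satisfy"] == "any":           # host check OR valid login is enough
        return 200 if (host_ok or authenticated) else 401
    if not host_ok:                       # satisfy all: host check must pass too
        return 403
    return 200 if authenticated else 401

def effective(directory, files):
    """<Files> is merged after <Directory>: what it sets wins, the rest is inherited."""
    return {**directory, **files}

ALL = "0.0.0.0/0"
# The <Directory /var/www/html/intranet> block from the first post.
DIRECTORY = {"order": "deny,allow", "allow": ["192.168.1.0/24"], "deny": [ALL],
             "require_valid_user": True, "satisfy": "any"}
# <Files ~ "^\.ht"> as first tried, and with Satisfy all added.
FILES_ORIGINAL = {"order": "allow,deny", "allow": [], "deny": [ALL]}
FILES_FIXED = {**FILES_ORIGINAL, "satisfy": "all"}

if __name__ == "__main__":
    for label, files in (("original", FILES_ORIGINAL), ("fixed", FILES_FIXED)):
        cfg = effective(DIRECTORY, files)
        for ip, authed in (("192.168.1.20", False), ("203.0.113.9", True)):
            print(label, ip, "login" if authed else "no login",
                  request_status(cfg, ip, authed))
```

In the model, the original Files block still serves .ht files to any client that logs in, because the inherited Satisfy Any lets the valid login stand in for the failed host check; with Satisfy all every request for them gets 403.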