
Weird behavior by apache and .htaccess: protecting pages and files

apache, .htaccess, protecting pages, wordpress

         

asap247

12:13 am on Jun 8, 2012 (gmt 0)

10+ Year Member



My website is on a Knownhost VPS server and for some reason Apache is not processing .htaccess files correctly. I have a WordPress membership site and I use Wishlist member (plugin) to protect content on the website. The specified PAGES are being protected; however, no FILES are being protected. Wishlist member puts a .htaccess file in the same folder where the specified files are located in order for the files to be protected. I noticed there was an issue with the .htaccess file. It seems some features of .htaccess are not being processed by my server.

For example, I created a "test" folder and placed a .htaccess file with the following body in the folder:

<Limit GET POST>
deny from all
</Limit>

I then placed an examplefile.txt file in the folder. In my test, I was able to access my file (http://www.example.com/test/examplefile.txt), even though I should NOT be able to.

The folder directory "test" (http://www.example.com/test/) is being protected. But it is not working for the files inside the directory.

I understand that certain directives will work only if the required Apache module is installed. According to the apache.org website, the "limit directive" should be able to be processed with the core of Apache. Or is there another Apache module that I need to install?

Does anybody know why my files are not being protected? Is this an .htaccess/apache problem or something totally unrelated?

lucy24

6:14 am on Jun 8, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm confused. If it's your own server, why are you mucking about with htaccess? Put everything in <Directory> sections in the config file.

Embarrassingly obvious question: What does your AllowOverrides line currently say?

asap247

1:44 am on Jun 16, 2012 (gmt 0)

10+ Year Member



Hi,

Thanks for the reply. I just moved my site over to my own server and I use a WordPress plugin called Wishlist member to manage protected pages/files. I constantly change user and file protections and Wishlist member makes it easier to make these changes. That's why I'd prefer to use the Wishlist member plugin (which I believe uses .htaccess to manage protection status) rather than manually edit everything in the <Directory> section of the config file every time I need to make a major change.

There are 3 instances of "AllowOverrides" in the httpd.conf file:
__________________________________________________________________

<Directory "/">
Options +ExecCGI +FollowSymLinks -Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
AllowOverride All
</Directory>
_______________________________________________________________

<Directory "/usr/local/apache/htdocs">
Options Includes Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

</Directory>
____________________________________________________________

<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all

</Directory>

_____________________________________________________________

I believe the problem is outside of WordPress and the Wishlist member plugin. Folders are being protected properly but the files inside the protected folders are not being protected. Should I change the other two instances of AllowOverride to "ALL"?

lucy24

8:24 am on Jun 16, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There are alternatives to "all" and "none" but it depends on what exactly you need to let users change. "AllowOverride none" means that any htaccess files in the specified directory will be ignored.

:: detour to re-check ::

Uhm, yeah, thought I remembered that right. Apache [httpd.apache.org] says

For security and performance reasons, do not set AllowOverride to anything other than None in your <Directory /> block. Instead, find (or create) the <Directory> block that refers to the directory where you're actually planning to place a .htaccess file.


So you may have set it up exactly the opposite of what you need.
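The rule lucy24 describes, applied to the blocks quoted above, as an added example that is not part of the thread: Apache applies <Directory> sections from the shortest path to the longest, and a deeper section's AllowOverride replaces the inherited value rather than merging with it. The function names and both test paths are hypothetical (the thread never says where the site's files live), and only plain-path blocks are handled, not wildcards or <DirectoryMatch>.

```python
import posixpath
import re

# The "/" and htdocs blocks quoted in the thread (other directives omitted).
HTTPD_CONF = """
<Directory "/">
AllowOverride All
</Directory>
<Directory "/usr/local/apache/htdocs">
AllowOverride None
</Directory>
"""
BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def parse_sections(conf):
    """Return [(directory, AllowOverride value or None)] for plain-path blocks."""
    sections = []
    for path, body in BLOCK.findall(conf):
        m = OVERRIDE.search(body)
        sections.append((posixpath.normpath(path), m.group(1) if m else None))
    return sections


def effective_override(conf, target):
    """Return (value, section) that governs .htaccess handling in `target`."""
    target = posixpath.normpath(target)
    # Shortest path first, so the deepest matching section is seen last.
    ordered = sorted(parse_sections(conf), key=lambda s: 0 if s[0] == "/" else s[0].count("/"))
    result = (None, None)  # None: no section sets it, the version's default applies
    for path, value in ordered:
        covers = path == "/" or target == path or target.startswith(path + "/")
        if covers and value is not None:
            result = (value, path)  # not merged: a deeper section replaces the value
    return result


def htaccess_may_use(value, directive_class):
    """True if the value lets .htaccess use that class (Order/Deny need Limit)."""
    words = (value or "").lower().split()
    return "all" in words or directive_class.lower() in words


if __name__ == "__main__":
    # Constructed paths: one under the htdocs block, one covered only by "/".
    for d in ("/usr/local/apache/htdocs/test", "/home/example/public_html/test"):
        print(d, "->", effective_override(HTTPD_CONF, d))
```

Run against the real httpd.conf and the real path of the protected folder, this shows which block decides whether the .htaccess file there is read at all.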

asap247

11:17 am on Jun 16, 2012 (gmt 0)

10+ Year Member



Even though the AllowOverride is set to ALL in the <Directory /> block, why is my .htaccess file not applying to the files inside that folder?

The .htaccess file is located inside "test" folder and currently says:

<Limit GET POST>
deny from all
</Limit>

The .htaccess file is blocking the "test" folder correctly but NOT the files inside.