.htaccess lockdown configuration

Highest level of security using .htaccess?

         

WitchKing

1:23 am on Nov 27, 2004 (gmt 0)

10+ Year Member



Hi there,

I have a sub-domain (the "default" one, in case one has no real domains) with my host that simply can't be eliminated. So I made it point to a sub-folder of my www folder, and wrote an .htaccess for that folder, which I'll post below.

I should point out that I don't have access to httpd.conf. So, I just wanted to know if there were any fatal mistakes in there, or if anyone had any other suggestions. My intention is to make this sub-domain practically invisible if possible.

- Is it perhaps better to leave the directory empty with no .htaccess file at all?
- Is it possible to make Apache pretend it doesn't even exist? (not a 404, but something like an "unresolved" response)?

Anyway:


Options -Indexes
Options -FollowSymLinks

CheckSpelling Off
RewriteEngine Off
ServerSignature Off

<FilesMatch "^.*$">
Order Allow,Deny
Deny From All
</FilesMatch>

<LimitExcept GET>
Order Allow,Deny
Deny From All
</LimitExcept>

PS: Is there any way to Limit ALL methods, including GET?

Thanks for any help!
Cheers, WK.

jdMorgan

1:32 am on Nov 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Since you've got <FilesMatch ".*"> you don't need <Limit>. It's redundant.

If you want to eliminate it entirely, edit your DNS zone file so that the 'extra' domain does not resolve to your IP.

Jim

WitchKing

2:39 am on Nov 27, 2004 (gmt 0)

10+ Year Member



Thanks!

One problem is I can't access the DNS zone for that annoying sub-domain. It's a mystery to me why they won't allow me to turn it off.

What about this other peculiarity: I have a /logs/ folder that also can't be deleted. So any request for www.example.com/logs/ yields a 401, instead of what I expect, which is a 403, or, what would be even better, a 404. I've tried various .htaccess tricks, but the locked sub-directory refuses to follow them. Any clues about that?

Cheers, WK.

jdMorgan

3:25 am on Nov 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> DNS zone for that annoying sub-domain

There is no such thing as a DNS zone for a subdomain. A DNS zone is associated with a domain only, and it defines the domain and all valid sub-domains of that domain. This might be done explicitly, on a subdomain-by-subdomain basis, or with wildcard DNS, where "*.yourdomain.com" is pointed to your IP address.

For example, to define www.yourdomain.com and yourdomain.com, where "www" is a subdomain of the domain "yourdomain.com", you'd have:

www.yourdomain.com. IN A 192.168.0.11 
yourdomain.com. IN A 192.168.0.11
-or-
*.yourdomain.com. IN A 192.168.0.11 
yourdomain.com. IN A 192.168.0.11

The second example would define *any* subdomain -- or none -- as a valid name to be pointed to the given IP address.

The "locked" stats folder issue should be taken up with your host.

Jim
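
The difference between the two zone snippets in the reply above, as an added example that is not part of the original thread: a small Python lookup that answers from explicit records first and then from a wildcard at the closest existing ancestor name (a simplification of the RFC 4592 rules, A records only). The function names are made up for this example and the two zones are constructed from the records quoted in the post.

```python
# Added example: simplified RFC 4592 wildcard lookup over A records only.
# Both zones are constructed from the records quoted in the thread.
EXPLICIT = """\
www.yourdomain.com. IN A 192.168.0.11
yourdomain.com. IN A 192.168.0.11
"""
WILDCARD = """\
*.yourdomain.com. IN A 192.168.0.11
yourdomain.com. IN A 192.168.0.11
"""

def parse_zone(text):
    """Return {owner: address} for lines of the form 'name. IN A addr'."""
    records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[1].upper() == "IN" and f[2].upper() == "A":
            records[f[0].lower().rstrip(".")] = f[3]
    return records

def existing_names(records):
    """Every owner name plus its ancestors (empty non-terminals count as existing)."""
    names = set()
    for owner in records:
        labels = owner.split(".")
        names.update(".".join(labels[i:]) for i in range(len(labels)))
    return names

def resolve(records, qname):
    """Return the A record address for qname, or None if the zone has no answer."""
    qname = qname.lower().rstrip(".")
    if qname in records:                      # exact match always wins
        return records[qname]
    names = existing_names(records)
    if qname in names:                        # name exists but holds no A record
        return None
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in names:                 # closest existing ancestor
            return records.get("*." + encloser)
    return None

if __name__ == "__main__":
    for label, zone in (("explicit", EXPLICIT), ("wildcard", WILDCARD)):
        recs = parse_zone(zone)
        for host in ("www.yourdomain.com", "default.yourdomain.com", "a.b.yourdomain.com"):
            print(label, host, resolve(recs, host))
```

Run against the explicit zone, a host name such as default.yourdomain.com gets no answer; against the wildcard zone the same name, and any deeper name under the domain, resolves to the listed address.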