ryno267
06-25-2004, 01:48 PM
.htaccess viewable on net to all...
On our site... if you go to domain .com / .htaccess
the file is viewable on the net...
If I chmod it to 640 - the site doesn't work
If I keep it at 644 it works, but then anybody can see the file if they type in its URL
What do I have to change to fix this? I'm assuming it's a security risk...
I added the
require valid-user
to my .htaccess file....
Good news.. the .htaccess file comes up as 403 forbidden... BAD NEWS.. my site doesn't work - get a 500 server error...
This is what's in the .htaccess file....
RewriteEngine on
RewriteRule ^quixplorer.*$ - [L]
RewriteRule ^admin.*$ - [L]
RewriteRule ^paradise.*$ - [L]
RewriteRule ^upload.*$ - [L]
RewriteRule ^testing.*$ - [L]
RewriteRule ^client.*$ - [L]
RewriteRule ^_mmServerScripts.*$ - [L]
RewriteRule !\.(gif|jpg|png|css|swf)$ /home/username/public_html/index.php
and now in httpd.conf we have this:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
though... all these files are still viewable on the net. Thanks for any help guys....
MaJiD SaeeD Khan
06-25-2004, 04:50 PM
change the settings to
<Files .htaccess>
order allow,deny
deny from all
</Files>
Now with this setting, a person trying to access this file should get a 403 error. Another security measure you can have is to set permissions for your htaccess file via CHMOD, which would also prevent this from happening, as an added measure of security: 644 or RW-R--R-- .
Another different way to prevent this, one being to place all your authentication files above the root directory so that they are not www accessible, and the other is through an htaccess series of commands that prevents itself from being accessed by a browser, more on that later.
But still if the browser is showing the file, then there must be some problem with mod_rewrite. Maybe the configuration has not been done properly or maybe there is some bug in your Apache.
sasha
06-25-2004, 05:59 PM
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
This is by default in httpd.conf. It prevents any files with mask .ht.... from being seen. Maybe it went missing somehow.
ryno267
06-26-2004, 02:03 AM
Well I've got good news and I've got bad news....
Good news... sasha... is that the .htaccess file comes up as 403 like it's supposed to....
Bad news... my site via the .htaccess doesn't work... I get 404 errors on all links.
Now I'm assuming this means my mod_rewrite is possibly fubar... but I don't know how to change it to work....
any help there? thanks.....
ryno267
06-26-2004, 02:21 AM
okay.. now no matter what I do I can't get the site to work now... HELP...
I changed back httpd.conf but no worky.... wtf
Bashar
06-26-2004, 03:26 AM
.htaccess files aren't viewable by default Apache installation.
Can you show us the entry of "^.ht"? It should be something like this:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
And can you show me your .htaccess contents? Is it pointing to the correct .htpasswd file?
ryno267
06-26-2004, 03:49 AM
the .htaccess file contents are described above in original post...
Not sure if it's pointing to a htpassword file...
I had to rebuild the httpd.conf from the .save file
cp /usr/local/apache/conf/httpd.conf.save /usr/local/apache/conf/httpd.conf
- so site works but still have same problem as beginning of this thread.
sasha
06-26-2004, 09:20 AM
ryno267:
can you post ls -l .htaccess
hostito
06-26-2004, 09:30 AM
Very strange, this should not be displayed, can you find all instances of ".ht" in your conf file? Maybe you have a conflict of some sort...
Maybe, if the .htaccess you are looking at is in a subfolder, and if the parent has an .htaccess, you may want to check that...
Good luck :)
ryno267
06-26-2004, 06:47 PM
I'm going to export my httpd.conf so I can look at it in like textpad so I can use find / replace / etc. That way I can find any and all instances of ".ht" in it... But I mean I did a rebuild of that file and apache wouldn't replace it with a default one.. so... not sure what's up there...
But I did replace the one with a .save one and that at least got my site back running....
Sasha:
-rw-r--r-- 1 mediarx mediarx 465 Jun 26 11:10 .htaccess
I ran this in that root directory of /public_html/ of the one site that I can view the .htaccess file on.
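Added example, not part of the thread and not any poster's code: a shell function for the check discussed above, finding every block in httpd.conf that names .ht* files and reporting whether it denies access. The names ht_audit and sample_conf, the ServerName and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list every <Files>/<FilesMatch> block in an
# Apache config that names .ht* files and report whether it denies access.
# Limits: line-based, does not follow Include files, and does not model the
# Order/Allow/Deny evaluation rules; it only checks that a deny-all is present.

ht_audit() {   # usage: ht_audit /path/to/httpd.conf
    awk '
    {   line = $0
        sub(/^[ \t]+/, "", line)      # strip indentation
        low = tolower(line)           # directive names are case-insensitive
    }
    low ~ /^#/ { next }               # ignore commented-out lines
    low ~ /^<files(match)?[ \t]/ && index(low, ".ht") {
        inblk = 1; start = NR; tag = line; deny = 0; next
    }
    inblk && low ~ /^deny[ \t]+from[ \t]+all/      { deny = 1 }   # 2.2 syntax, as in the thread
    inblk && low ~ /^require[ \t]+all[ \t]+denied/ { deny = 1 }   # 2.4 syntax
    inblk && low ~ /^<\/files(match)?>/ {
        printf "%d %s %s\n", start, (deny ? "DENY" : "OPEN"), tag
        found++; if (!deny) bad++; inblk = 0
    }
    END { exit (found && !bad) ? 0 : 1 }   # fail if no block exists or any is open
    ' "$1"
}

# Constructed sample: the block quoted in the thread, a commented-out copy,
# and a later block that re-opens .htaccess.
sample_conf() {
    cat <<'EOF'
ServerName example.invalid
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
#<Files ~ "^\.ht">
#    Deny from all
#</Files>
<Files .htaccess>
    Order allow,deny
    Allow from all
</Files>
EOF
}

# Run against a real file when a path is given on the command line.
if [ -n "${1:-}" ]; then ht_audit "$1" || echo "check the blocks listed above"; fi
```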