In the default .htaccess in Magento 2.2.2 there are in 2 of the things like below:
<Files cron.php>
<IfVersion < 2.4>
order allow,deny
deny from all
</IfVersion>
<IfVersion >= 2.4>
Require all denied
</IfVersion>
</Files>
There are someting about 20 of these for some files (eg. composer.json, composer.lock, .gitignore, etc)
When updating magento i gave a lot of errors, when i remove them out of the htaccess the problem was gone.
Wij are this versionchecks there, wat do the do and what can happen when i remove them?
I faced the same problem on Centos(Cpanel) Apache 2.4. The issue was resolved by enabling the mod_version module for Apache.
Earlier versions of Magento do not have support for Apache version >=2.4. I used to replace order allow,deny and deny from all lines with Require all denied in htaccess files manually to resolve the issue.
From the Magento 2.2.2 version, code is changed to support apache version >= 2.4 also. ( https://github.com/magento/magento2/pull/11459/files )
As per the info you have mentioned, I inferred that your Apache version is < 2.4 , rather than editing all 24 files, you can load mod_version.
You have to load version moudle from apache configuration file as below.
LoadModule version_module /usr/lib64/apache2/mod_version.so
otherwise you may get "Internal server error".
This is apache versioning.
You can get more details from the above GitHub link
https://github.com/magento/magento2/issues/10810
These changes are made as per security prospect to improve the direct file access algorithm.
Related
I am get issue with set WSGIPassAuthorization On directive in .htaccess.
any one can suggest how to add this variable to .htaccess ?
thank all so much.
You don't actually state what the specific error you get is when you try.
Has your Apache even been configured to allow use of .htaccess files?
Has your Apache even been configured to allow FileInfo overrides in .htaccess files?
AllowOverride FileInfo
Both would be required for WSGIPassAuthorization to work in a .htaccess file.
So please tell us what the error is you get in the browser and in the Apache error logs.
Indicate whether you have taken the steps above.
I tried many times with different methods, but i'm still unable to deny access to folder by .htaccess. Here is what i tried:
RewriteEngine On
<Directory />
Require all denied
</Directory>
Second try:
RewriteEngine On
<RequireAll>
Require all denied
</RequireAll>
Third try:
RewriteEngine On
Require all denied
What am i missing? Thanks
EDIT:
If this will help I'm using windows x64 version of apache. Downloaded here:
http://www.apachelounge.com/download/win64/
LAST EDIT:
The problem is misspeled .htaccess name it was .htacess. Thanks for all of your time.
You should be able to use this in your htaccess file in the directory; your 2nd and 3rd try.
Require all denied
The <directory> directive should be used in your conf file. Also this is not a rewrite so having RewriteEngine will not matter. This is part of mod_authz_core
It maybe ignoring your .htaccess file. Check your conf file and make sure that you have AllowOverride All because in 2.4 the default is None.
I'm having a difficult time hiding my .htaccess file -- I double-checked to ensure the following was present in httpd.conf:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
Other allow/deny directives on directories are working and the directives in the visible .htaccess file are working.
We are running Red Hat Enterprise Linux Server release 6.3 (Santiago) and Apache/2.2.15.
My question: Aside from the obvious of, "Why is the .htaccess file still visible?" Is there some other directive that would override this directive or might I have a module missing? (I would think apache would throw an error if this were the case.)
I restarted apache after any changes to this file and even rebooted as a sanity check. I also made some other changes to this file to ensure that I was working on the correct configuration file.
Have you taken a look at How <Directory>, <Location> and <Files> sections work? It seems that there might be another directive (probably Location) evaluated later, which overrides your Files directive. It's hard to diagnose more without further details of your Apache configuration.
I have copied one of my old applications and renamed it to New_application. I want to access .htaccess file that is inside the New_application folder. When I opened it with my text editor, it just showed Deny from all. I tried to open .htaccess in my old application, it showed Deny from all too. I remember I was able to edit it before but not sure what I can't now. Any thoughts? Thanks a lot.
Deny from all
is an .htaccess command (the actual content of that file you are trying to view). Not a denial of being able to edit the file. Just reopen the .htaccess file in the text viewer of choice and make the alterations as you so desire, save it, then reupload it to your folder of choice.
Though I think inadvertently you are blocking even yourself from viewing said application once uploaded.
I would do something like:
order deny,allow
deny from all
allow from 127.0.0.1
which will deny everyone but the IP in the allow from line, which you would change the IP to match your IP which you can obtain from http://www.whatismyip.com/ or similar site.
This syntax has changed with the newer Apache HTTPd server, please see upgrade to apache 2.4 doc for full details.
2.2 configuration syntax was
Order deny,allow
Deny from all
2.4 configuration now is
Require all denied
Thus, this 2.2 syntax
order deny,allow
deny from all
allow from 127.0.0.1
Would ne now written
Require local
You can edit it. The content of the file is literally "Deny from all" which is an Apache directive: http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny
A little alternative to #gaspĀ“s answer is to simply put the actual domain name you are running it from. Docs: https://httpd.apache.org/docs/2.4/upgrading.html
In the following example, there is no authentication and all hosts in
the example.org domain are allowed access; all other hosts are denied
access.
Apache 2.2 configuration:
Order Deny,Allow
Deny from all
Allow from example.org
Apache 2.4 configuration:
Require host example.org
I run a hosting service for student at my our faculty. We run PHP with suPHP and for security we need symlinks to be set to "SymLinksIfOwnerMatch".
This has the very unfortunate error that if people have htaccess "Options FollowSymLinks" or "Options None" they will receive an internal server error.
This is a huge problem since most dristributions of OSS-software for PHP has this included in their htaccess by default (Wordpress, Drupal, Joomla and many others), and most guides in htaccess-rules always recommend "FollowSymLinks" since it's needed for mod_rewrite - it does work just as well with SymLinksIfOwnerMatch.
Does anyone have this same issue, and do anyone know how to conquer it? I was hoping to make Apache ignore Options completely. Our default ones are completely sufficient.
You want to set AllowOverride in your main config file.
If you want to turn off all use of .htaccess set
AllowOverride None
If you just want to prevent students from using Options then this should do it:
AllowOVerride AuthConfig FileInfo Indexes Limit