Develop Reference

What in .htaccess can block cron

I'm making my own shop with Magento, and I'm not really comfortable with programation, even if I know some basics. I'm running CE 1.9.3.1 with SUPEE 9652 patch.
I set up my .htaccess with
Order allow,deny
Allow from 123.45.678.90 (example IP server Address)
Deny from all
However, the cron is still blocked by .htaccess, as when I remove (or rename) .htaccess, it's running (white page with mydomain/cron.php). My cron is set from my hosting pannel with Cronjob, but displaying a 403 error with my .htaccess.
Can someone point me what else could be blocking the cron in my .htaccess?
############################################
## uncomment these lines for CGI mode
## make sure to specify the correct cgi php binary file name
## it might be /cgi-bin/php-cgi
# Action php5-cgi /cgi-bin/php5-cgi
# AddHandler php5-cgi .php
############################################
## GoDaddy specific options
# Options -MultiViews
## you might also need to add this line to php.ini
## cgi.fix_pathinfo = 1
## if it still doesn't work, rename php.ini to php5.ini
############################################
## this line is specific for 1and1 hosting
#AddType x-mapp-php5 .php
#AddHandler x-mapp-php5 .php
############################################
## default index file
DirectoryIndex index.php
<IfModule mod_php5.c>
############################################
## adjust memory limit
# #php_value memory_limit 64M
#php_value memory_limit 256M
#php_value max_execution_time 18000
############################################
## disable magic quotes for php request vars
#php_flag magic_quotes_gpc off
############################################
## disable automatic session start
## before autoload was initialized
#php_flag session.auto_start off
############################################
## enable resulting html compression
##php_flag zlib.output_compression on
###########################################
# disable user agent verification to not break multiple image upload
#php_flag suhosin.session.cryptua off
###########################################
# turn off compatibility with PHP4 when dealing with objects
#php_flag zend.ze1_compatibility_mode Off
</IfModule>
<IfModule mod_security.c>
###########################################
# disable POST processing to not break multiple image upload
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
<IfModule mod_deflate.c>
############################################
## enable apache served files compression
## http://developer.yahoo.com/performance/rules.html#gzip
# Insert filter on all content
###SetOutputFilter DEFLATE
# Insert filter on selected content types only
#AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
# Netscape 4.x has some problems...
#BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
#BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
#BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don't compress images
#SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
#Header append Vary User-Agent env=!dont-vary
</IfModule>
<IfModule mod_ssl.c>
############################################
## make HTTPS env vars available for CGI mode
SSLOptions StdEnvVars
</IfModule>
<IfModule mod_rewrite.c>
############################################
## enable rewrites
Options +SymLinksIfOwnerMatch
RewriteEngine on
############################################
## you can put here your magento root folder
## path relative to web root
#RewriteBase /magento/
############################################
## uncomment next line to enable light API calls processing
# RewriteRule ^api/([a-z][0-9a-z_]+)/?$ api.php?type=$1 [QSA,L]
############################################
## rewrite API2 calls to api.php (by now it is REST only)
RewriteRule ^api/rest api.php?type=rest [QSA,L]
############################################
## workaround for HTTP authorization
## in CGI environment
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
############################################
## TRACE and TRACK HTTP methods disabled to prevent XSS attacks
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
############################################
# X-Content-Type-Options: nosniff disable content-type sniffing on some browsers.
Header set X-Content-Type-Options: nosniff
############################################
# This header forces to enables the Cross-site scripting (XSS) filter in browsers (if disabled)
BrowserMatch \bMSIE\s8 ie8
Header set X-XSS-Protection: "1; mode=block" env=!ie8
</IfModule>
</IfModule>
############################################
## redirect for mobile user agents
#RewriteCond %{REQUEST_URI} !^/mobiledirectoryhere/.*$
#RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC]
#RewriteRule ^(.*)$ /mobiledirectoryhere/ [L,R=302]
############################################
## always send 404 on missing files in these folders
RewriteCond %{REQUEST_URI} !^/(media|skin|js)/
############################################
## never rewrite for existing files, directories and links
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
############################################
## rewrite everything else to index.php
RewriteRule .* index.php [L]
</IfModule>
############################################
## Prevent character encoding issues from server overrides
## If you still have problems, use the second line instead
AddDefaultCharset Off
#AddDefaultCharset UTF-8
<IfModule mod_expires.c>
############################################
## Add default Expires header
## http://developer.yahoo.com/performance/rules.html#expires
ExpiresDefault "access plus 1 year"
</IfModule>
############################################
## By default allow all access
# Order allow,deny
# Allow from all
###########################################
## Deny access to release notes to prevent disclosure of the installed Magento version
<Files RELEASE_NOTES.txt>
order allow,deny
deny from all
</Files>
############################################
## If running in cluster environment, uncomment this
## http://developer.yahoo.com/performance/rules.html#etags
#FileETag none
###########################################
## Deny access to cron.php
<Files cron.php>
############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.
AuthName "Cron auth"
AuthUserFile ../.htpasswd
AuthType basic
Require valid-user
############################################
Order allow,deny
Allow from 123.45.678.90 (example IP server Address)
Deny from all
</Files>
Thanks for your help!

Finally figured it out... it was a mistake from my part.
I commented lines
AuthName "Cron auth"
AuthUserFile ../.htpasswd
AuthType basic
Require valid-user
as they deserve to protect the code with a password. Someone from my hosting provider had suggested me to uncomment them (!)
But the main matter was coming from
<Files cron.php>
as my Magento install is in a folder, I had to modify it as following:
<Files folder/cron.php>
The server logs errors helped me to understand it...

how can I cache all files forever in .htaccess except .html and .php

Here is my current .htaccess file
#tell browser how to deal with compressed content
<Files *.css.gz>
AddType "text/css" .gz
AddEncoding gzip .gz
</Files>
<Files *.js.gz>
AddType "application/javascript" .gz
AddEncoding gzip .gz
</Files>
<ifModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 2592000 seconds"
ExpiresByType text/html "access plus 1 seconds"
</ifModule>
<ifModule mod_headers.c>
<filesMatch "\.(js|css|png|jpg|ico|pdf)$">
Header set Cache-Control "max-age=2592000, public"
</filesMatch>
</ifModule>
RewriteEngine on
RewriteBase /
#Cache-Friendly File Names
RewriteRule ^(.*)-([0-9]+)\.(.*)$ $1.$3
#try to use precompressed files whenever possible
RewriteCond %{HTTP:Accept-Encoding} .*gzip.*
RewriteRule ^(.*)\.css$ web_inc/$1.css.gz
RewriteRule ^(.*)\.js$ web_inc/$1.js.gz
The web page is mostly static .html files and large .js and .css files that use ajax calls for any dynamic content. Since all files in the html are refereed to by name-01.js if I make an update to the .js I just increase the version number and the browser recaches.
I wish to prevent the web browser from ever redownloading any file type except .html or .php. Is there a way to not have to list every file type I use and how can I explicitly set php to 0 sec for mod_expires?

Envoyer.io, Laravel - Attempting to access contents of directory under /public

UPDATE
It seems like any PHP files placed under /storage/app/thirdpartydirectory are not being executed, instead the Laravel NotFoundHttpException is thrown. Simple text files, images, etc are accessible via http://example.com/thirdpartydirectory.
Original question
I am building a Laravel 5 site using Envoyer.io for code deployments. The way Envoyer works, new code is pushed to the site and placed under a /releases directory, then symlinked to /current from the top level (so /current always points to the latest /releases subdirectory).
The problem is that anything I put in my site's /public directory is included in the Envoyer deployments, thus replicated every single time I push new code. I am trying to use a third party app that must have its index.php and other files/directories directly exposed to the outside world. When the app is first loaded, an installation process begins and it installs additional config files into its various folders. When I deploy my next batch of code, /public is pushed again WITHOUT the installation and cache files generated by the third party app - thus causing a loop of having to run the installation process over and over again.
I reached out to Taylor Otwell regarding this and his suggestion was to place the app in /storage/app/thirdpartyapp and then make a symlink from each release's public directory before activating each new deployment -
cd {{release}}
ln -s /home/eyf/storage/app/thirdpartyapp public/thirdpartyapp
This creates a symlink without any issues but when I try to access the app (http://example.com/thirdpartyapp), I get stuck on the Laravel NotFoundHttpException page. The app has an index.php, if I go to http://example.com/thirdpartyapp/index.php, the Laravel site's index page is loaded instead - almost as if it's totally ignoring the symlink and /thirdpartyapp in the URL.
The app does ship with the following .htaccess, not sure if it makes any difference in all of this:
<IfModule mod_alias.c>
# by default disallow access to the base git folder
RedirectMatch /\.git(/|$) /404
</IfModule>
# cache images for a while
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
</IfModule>
# compress output if we can
<IfModule mod_deflate.c>
# Set output filter for zipping content
SetOutputFilter DEFLATE
# Netscape 4.x and 4.06-4.08 have issues
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE can be an issue, for now catch all MSIE
BrowserMatch \bMSIE[56] !no-gzip !gzip-only-text/html
# Exclude file types from compression
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf|zip|tar|rar|gz|dmg|mp3|mp4|m4a|m4p|mov|mpe?g|qt|swf)$ no-gzip dont-vary
# Make sure proxy servers deliver what they're given
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine ON
# Set this if you have your installation in a subdirectory
# RewriteBase /openvbx
# By default always use SSL
#RewriteCond %{HTTPS} !=on
#RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php?vbxsite=$1 [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L,QSA]
#RewriteRule ^(.*) index.php/$1 [L,QSA]
ErrorDocument 404 /fallback/rewrite.php
</IfModule>

Apparently PHP code placed under /storage in a Laravel app isn't executed. I moved the third party app's directory to the parent folder and symlinked to that, now everything works.

How to allow subdomain access but not folder access in Apache, htaccess?

I am using a standard web hosting service with for my own projects.
It used the main domain wwwand several subdomains. I didn't need to use any Apache ReWrite rules in my .htaccess files, and the only thing I had to do was make sure that I had my CNAME records updated. All worked fine, I just used permissions to limit access to files and folders..
I recently installed Elgg at the main wwwlevel and now all my subdomains, which remain unchanged, give a 403error. The message points to my htaccess file being the culprit.
I would like to know how I can configure the htaccess file to allow subdomains like gadgets.mydomain.com to work again but not allow access to other folders under the same domain? None of the permissions were changed they remain as 755.
This is the standard Elgg htaccess file. How would I edit it?
# Elgg htaccess directives
<Files "htaccess_dist">
order allow,deny
deny from all
</Files>
# Don't allow listing directories
Options -Indexes
# Follow symbolic links
Options +FollowSymLinks
# Default handler
DirectoryIndex index.php
############################
# BROWSER CACHING
# The expires module controls the Expires and Cache-Control headers. Elgg sets
# these for dynamically generated files so this is just for static files.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 year"
</IfModule>
# Conditional requests are controlled through Last-Modified and ETag headers.
# Elgg sets these on dynamically generated cacheable files so this is just for
# static files. Note: Apache sends Last-Modified by default on static files so
# I don't think we need to be sending ETag for these files.
<FilesMatch "\.(jpg|jpeg|gif|png|mp3|flv|mov|avi|3pg|html|htm|swf|js|css|ico)$">
FileETag MTime Size
</FilesMatch>
############################
# PHP SETTINGS
<IfModule mod_php5.c>
# limit the maximum memory consumed by the php script to 64 MB
php_value memory_limit 64M
# register_globals is deprecated as of PHP 5.3.0 - disable it for security reasons.
php_value register_globals 0
# post_max_size is the maximum size of ALL the data that is POST'ed to php at a time (8 MB)
php_value post_max_size 8388608
# upload_max_filesize is the maximum size of a single uploaded file (5 MB)
php_value upload_max_filesize 5242880
# on development servers, set to 1 to display errors. Set to 0 on production servers.
php_value display_errors 0
</IfModule>
############################
# COMPRESSION
# Turn on mod_gzip if available
<IfModule mod_gzip.c>
mod_gzip_on yes
mod_gzip_dechunk yes
mod_gzip_keep_workfiles No
mod_gzip_minimum_file_size 1000
mod_gzip_maximum_file_size 1000000
mod_gzip_maximum_inmem_size 1000000
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/javascript$
mod_gzip_item_include mime ^application/x-javascript$
# Exclude old browsers and images since IE has trouble with this
mod_gzip_item_exclude reqheader "User-Agent: .*Mozilla/4\..*\["
mod_gzip_item_exclude mime ^image/.*
</IfModule>
## Apache2 deflate support if available
##
## Important note: mod_headers is required for correct functioning across proxies.
##
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.[0678] no-gzip
BrowserMatch \bMSIE !no-gzip
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
# The following is to disable compression for actions. The reason being is that these
# may offer direct downloads which (since the initial request comes in as text/html and headers
# get changed in the script) get double compressed and become unusable when downloaded by IE.
SetEnvIfNoCase Request_URI action\/* no-gzip dont-vary
SetEnvIfNoCase Request_URI actions\/* no-gzip dont-vary
</IfModule>
############################
# REWRITE RULES
<IfModule mod_rewrite.c>
RewriteEngine on
# If Elgg is in a subdirectory on your site, you might need to add a RewriteBase line
# containing the path from your site root to elgg's root. e.g. If your site is
# http://example.com/ and Elgg is in http://example.com/sites/elgg/, you might need
#
#RewriteBase /sites/elgg/
#
# here, only without the # in front.
#
# If you're not running Elgg in a subdirectory on your site, but still getting lots
# of 404 errors beyond the front page, you could instead try:
#
#RewriteBase /
# If your users receive the message "Sorry, logging in from a different domain is not permitted"
# you must make sure your login form is served from the same hostname as your site pages.
# See http://docs.elgg.org/wiki/Login_token_mismatch_error for more info.
#
# If you must add RewriteRules to change hostname, add them directly below (above all the others)
# In for backwards compatibility
RewriteRule ^pg\/([A-Za-z0-9\_\-]+)$ engine/handlers/page_handler.php?handler=$1&%{QUERY_STRING} [L]
RewriteRule ^pg\/([A-Za-z0-9\_\-]+)\/(.*)$ engine/handlers/page_handler.php?handler=$1&page=$2&%{QUERY_STRING} [L]
RewriteRule ^tag\/(.+)\/?$ engine/handlers/page_handler.php?handler=search&page=$1 [L]
RewriteRule ^action\/([A-Za-z0-9\_\-\/]+)$ engine/handlers/action_handler.php?action=$1&%{QUERY_STRING} [L]
RewriteRule ^cache\/(.*)$ engine/handlers/cache_handler.php?request=$1&%{QUERY_STRING} [L]
RewriteRule ^services\/api\/([A-Za-z0-9\_\-]+)\/(.*)$ engine/handlers/service_handler.php?handler=$1&request=$2&%{QUERY_STRING} [L]
RewriteRule ^export\/([A-Za-z]+)\/([0-9]+)\/?$ engine/handlers/export_handler.php?view=$1&guid=$2 [L]
RewriteRule ^export\/([A-Za-z]+)\/([0-9]+)\/([A-Za-z]+)\/([A-Za-z0-9\_]+)\/$ engine/handlers/export_handler.php?view=$1&guid=$2&type=$3&idname=$4 [L]
RewriteRule xml-rpc.php engine/handlers/xml-rpc_handler.php [L]
RewriteRule mt/mt-xmlrpc.cgi engine/handlers/xml-rpc_handler.php [L]
# rule for rewrite module test during install - can be removed after installation
RewriteRule ^rewrite.php$ install.php [L]
# Everything else that isn't a file gets routed through the page handler
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([A-Za-z0-9\_\-]+)$ engine/handlers/page_handler.php?handler=$1 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([A-Za-z0-9\_\-]+)\/(.*)$ engine/handlers/page_handler.php?handler=$1&page=$2 [QSA,L]
</IfModule>

OK I worked out what had cause the problem.
It was this line
# Default handler
DirectoryIndex index.php
Basically unless your directory uses a file called index.phpby default, the subdomain doesn't work. I commented this line. Another option would be to make sure all my index files had the .phpextension.

ExpiresHeader .htaccess

I am currently trying to improve website loading times and I am using the following:
<IfModule mod_expires.c>
############################################
## Add default Expires header
## http://developer.yahoo.com/performance/rules.html#expires
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
Header set Expires "Thu, 15 Apr 2020 20:00:00 GMT"
</FilesMatch>
</IfModule>
That works great ... I was wondering if it is possible not to have a fixed date there. Can I do something like this?
<IfModule mod_expires.c>
############################################
## Add default Expires header
## http://developer.yahoo.com/performance/rules.html#expires
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
ExpiresDefault "access plus 10 years"
</FilesMatch>
</IfModule>
Doesn't seem to work ATM :S
Thanks
Regards
Gabriel

To enable ExpiresDefault, you need to set ExpiresActive to on as in:
<IfModule mod_expires.c>
ExpiresActive On
############################################
## Add default Expires header
## http://developer.yahoo.com/performance/rules.html#expires
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
ExpiresDefault "access plus 10 years"
</FilesMatch>
</IfModule>
The above answer should solve your question. For other cases: mod_expires is not a default Apache module, it's an extension. Make sure that it is enabled, which you can do using phpinfo() on a PHP-enabled server. If you have shell access, you can run apachectl -t -D DUMP_MODULES.