I have a structure like this on a shared host:
~/above_public_html/public_html/directory_i_want_forbidden
I have an ~/above_public_html/.htaccess with the following:
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
When I navigate to a file or folder that doesn't exist, I get the 404.html popping up, no problems.
When I navigate to a subfolder or file that exists but has chmod 700 permissions (including the directory_i_want_forbidden), I get:
Forbidden
You don't have permission to access /directory_i_want_forbidden on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at www.mydomain.com Port 80
What do I need to do in order to make the ErrorDocument 403 /403.html work correctly?
Something was screwy with the .htaccess or httpd.conf upstream. I had no control over it since I was on shared hosting. I have since started my own Amazon EC2 server-instance and everything is working as it should.
Related
The first few lines of my .htaccess file are as follows.
ErrorDocument 400 https://www.rydercragie.com
ErrorDocument 401 https://www.rydercragie.com
ErrorDocument 403 https://www.rydercragie.com
ErrorDocument 404 https://www.rydercragie.com
ErrorDocument 500 https://www.rydercragie.com
They all work apart from https://RyderCragie.com/.htaccess. Any ideas why an error is still shown on that page and how to fix it? Thanks.
Requests for .htaccess are quite likely blocked by directives in the server config - before the ErrorDocument in .htaccess is processed.
In order to catch this, you would need to define the ErrorDocument earlier in the main server config, not .htaccess. The same applies to other requests that are blocked early by Apache, such as requests that contain encoded slashes in the URL-path, and most 500 errors.
Although any request for .htaccess in the wild is unquestionably malicious, so a minimal (default) server response is probably the best response.
However, implementing all your ErrorDocument directives as external redirects to the document root is generally a bad idea (you lose details of the request that triggered the response, bad experience for users, etc.)
Give your user a meaningful error response, without the redirect. Error documents should be served via an internal subrequest. For example:
ErrorDocument 403 /error-documents/e403.html
Reference:
https://httpd.apache.org/docs/2.4/mod/core.html#errordocument
My problem:
For some reason my custom 401 error page is not displaying on login and is just displaying the generic 401 error page:
Unauthorized
This server could not verify that you are authorized to access the document requested.
Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't
understand how to supply the credentials required.
Additionally, a 401 Unauthorized error was encountered while trying to use an
ErrorDocument to handle the request.
Now in saying this my custom 404 error page and others are displaying just fine, just not for the 401. The "error.php" (custom error page) file is in my public_html directory.
My current .htaccess file in public_html directory:
ErrorDocument 400 /error.php
ErrorDocument 401 /error.php
ErrorDocument 402 /error.php
ErrorDocument 403 /error.php
ErrorDocument 404 /error.php
ErrorDocument 500 /error.php
ErrorDocument 501 /error.php
ErrorDocument 502 /error.php
ErrorDocument 503 /error.php
ErrorDocument 504 /error.php
ErrorDocument 505 /error.php
ErrorDocument 506 /error.php
ErrorDocument 507 /error.php
ErrorDocument 510 /error.php
RewriteEngine On
DirectoryIndex .index.php .style.css .sorttable
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|zip|rar)$ - [F,NC]
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php73” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php73 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
#----------------------------------------------------------------cp:ppd
# Section managed by cPanel: Password Protected Directories -cp:ppd
# - Do not edit this section of the htaccess file! -cp:ppd
#----------------------------------------------------------------cp:ppd
AuthType Basic
AuthName "Protected 'public_html'"
AuthUserFile "/home/dark/.htpasswds/public_html/passwd"
Require valid-user
#----------------------------------------------------------------cp:ppd
# End section managed by cPanel: Password Protected Directories -cp:ppd
#----------------------------------------------------------------cp:ppd
Now my directories are password protected as you can see in the .htaccess. I tried the following fixes but still no luck on displaying the custom 401 error page:
Created the error page in a different directory.
Specified the complete url of the error page in the .htaccess file.
Turned off the directory password function.
Changed the error file extension to .shtml.
Tried many other codes and questions on the stackoverflow website.
Now to recap, all other custom error pages are displaying fine, just not the 401 on login and i'm stumped.
My cPanel Sever Information:
Hosting Package Gold
Server Name server
cPanel Version 88.0 (build 14)
Apache Version 2.4.46
PHP Version 7.3.21
MySQL Version 10.3.24-MariaDB-cll-lve
Architecture x86_64
Operating System linux
Shared IP Address 45.95
Local IP Address 192.168
Path to Sendmail /usr/sbin/sendmail
Path to Perl /usr/bin/perl
Perl Version 5.16.3
Kernel Version 3.10.0-962.3.2.lve1.5.32.el7.x86_64
Thanks!
For the 401 ErrorDocument to be served, it needs to be accessible. If everything is blocked behind HTTP authentication then it's not going to be accessible when authentication fails and you get the additional part in the default server 401 response:
Additionally, a 401 Unauthorized error was encountered while trying to use an
ErrorDocument to handle the request.
You need to "punch a hole" in your authentication and allow public access to this document.
For example:
<Files "error.php">
Require all granted
</Files>
Created the error page in a different directory.
That should have worked, providing the "different directory" was not also protected by HTTP authentication. For instance, a subdirectory would not help.
Specified the complete url of the error page in the .htaccess file.
That would trigger an external 302 redirect and lose the 401 response. This is not permitted. As noted in the Apache docs:
if you use an ErrorDocument 401 directive, then it must refer to a local document.
Turned off the directory password function.
If you turned "off the directory password function" then there's nothing to trigger the 401 so your error document would be accessible, but then how are your triggering/testing your 401 error document? This seems a bit chicken/egg.
Changed the error file extension to .shtml.
Changing the type of file would make no difference here.
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|zip|rar)$ - [F,NC]
To clarify, you're not serving any images on any pages? Any request that contains one of these file extensions will trigger a 403 Forbidden.
UPDATE: If your error documents use additional resources then it would be easier for these all to be self contained in their own subdirectory (eg. /errordocs) - you can then just permit public access to this subdirectory without having to identify every file.
You then create an additional .htaccess file in the /errordocs subdirectory with just a one liner:
Require all granted
I have a folder on my webserver and want to deny all access to that folder and all the files in it. Additionally, the visitor must be redirected to a specific error page on the same server.
The secured folder path is:
https://www.mywebsite.com/some_folder/files
The error page is located here:
https://www.mywebsite.com/some_folder/error.php
I tried placing a .htaccess file in the 'files' folder. This does prevent visitors from accessing the folder and files, but the redirect does not take place. I suspect that the syntax of the relative path is not correct.
This is my .htaccess:
ErrorDocument 403 /../error.php
Order deny,allow
Deny from all
When hitting the secured folder URL, the browser gives me this error message: "A 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."
Does someone have an example of what my .htacces should be?
You may try this in some_folder/.htaccess:
RewriteEngine On
RewriteEngine !^error\.php$ error.php [L,NC]
This will rewrite all requests that start with /some_folder/ to some_folder/error.php though browser won't see status code 403.
Inside error.php you may use this php code to return 403:
http_response_code(403);
We are running a WordPress site on a AWS EC2 Linux instance and have created custom 403 and 404 error files (both html files). The files are located in the root of the website.
The root .htaccess file has been amended to include the following section:
# Custom Documents
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
The site uses a theme and within this there is a 404.php file. The problem is that any 404 requests are being routed to this file instead of the 404.html file.
The httpd.conf file has all access set for the root folder var/www/html so there’s nothing in it that I can see that would be blocking the .htaccess file. As a double check I added some 301 redirects into the .htaccess file just to check if they were getting hit and they were working.
Also checked if there were any other .htaccess files which might be overriding the one in , there were some in a plugin but from what I can see they shouldn’t have any impact.
Is there anything else which could be overriding the .htaccess file?
ErrorDocument 404 doesn't work in Wordpress like regular pages. Wordpress by default shows 404.php content from inside your selected theme. You can put your custom code in that 404.php file.
Here is official Wordpress guide for Creating an Error 404 Page
I have a site hosted on an Apache server. I have created some custom error pages and the following text at the top of my .htaccess file:
ErrorDocument 404 404.html
ErrorDocument 500 500.html
ErrorDocument 401 401.html
I have also tried,
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html
ErrorDocument 401 /401.html
Both the htaccess file and the custom pages are in the root directory of the server.
The problem is that when I enter a garbage url (where I would expect to see my custom 404 page) I'm simply being redirected to my index page.
Try if your server is properly set up to parse and process .htaccess files in the first place (i.e., check if AllowOverride + AccessFileName directives are correct). For example, write some stuff in that you know will work and look if it actually gets executed (like a ridiculous rewrite rule). Also, look up your httpd log files for errors.
If it does get executed properly, the problem might be that your server is setup not to allow all kinds of overrides with .htaccess files. Your syntax however, is basically correct.