Apache2 & .htaccess : Apache ignoring AccessFile

Question

Hi there here is my server configuration:

DEBIAN 32Bits / PHP 5 / Apache

Server version: Apache/2.2.3 - Server built: Mar 22 2008 09:29:10

The AccessFiles :

grep -ni AccessFileName *

apache2.conf:134:AccessFileName .htaccess apache2.conf:667:AccessFileName .httpdoverride 

All the AllowOverride statements in my apache2/ folder.

mods-available/userdir.conf:6: AllowOverride Indexes AuthConfig Limit mods-available/userdir.conf:16: AllowOverride FileInfo AuthConfig Limit mods-enabled/userdir.conf:6: AllowOverride Indexes AuthConfig Limit mods-enabled/userdir.conf:16: AllowOverride FileInfo AuthConfig Limit sites-enabled/default:8: AllowOverride All sites-enabled/default:14: AllowOverride All sites-enabled/default:19: AllowOverride All sites-enabled/default:24: AllowOverride All sites-enabled/default:42: AllowOverride All 

The sites-enabled/default file :

 1 <VirtualHost *> 2 ServerAdmin [email protected] 3 ServerName mysite.com 4 ServerAlias mysite.com 5 DocumentRoot /var/www/mysite.com/ 6 <Directory /> 7 Options FollowSymLinks 8 AllowOverride All 9 Order Deny,Allow 10 Deny from all 11 </Directory> 12 <Directory /var/www/mysite.com/> 13 Options Indexes FollowSymLinks MultiViews 14 AllowOverride All 15 Order allow,deny 16 allow from all 17 </Directory> 18 <Directory /var/www/mysite.com/test/> 19 AllowOverride All 20 </Directory> 21 22 ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ 23 <Directory "/usr/lib/cgi-bin"> 24 AllowOverride All 25 Options ExecCGI -MultiViews +SymLinksIfOwnerMatch 26 Order allow,deny 27 Allow from all 28 </Directory> 29 30 ErrorLog /var/log/apache2/error.log 31 32 # Possible values include: debug, info, notice, warn, error, crit, 33 # alert, emerg. 34 LogLevel warn 35 36 CustomLog /var/log/apache2/access.log combined 37 ServerSignature Off 38 39 Alias /doc/ "/usr/share/doc/" 40 <Directory "/usr/share/doc/"> 41 Options Indexes MultiViews FollowSymLinks 42 AllowOverride All 43 Order deny,allow 44 Deny from all 45 Allow from 127.0.0.0/255.0.0.0 ::1/128 46 </Directory> 47 48 49 50 51 52 53 54 </VirtualHost> 

If i change any Allow from all in Deny from all , it works whenever i put it.

I've got one .htaccess at /mysite.com/.htaccess & one at /mysite.com/test/.htaccess with:

Order Deny,Allow Deny from all 

Neither of them work i can still see my website. I've got mod_rewrite enabled but i don't think it does anything here.

I've tried almost everything :/ It works on my local environnement (MAMP) but fails when on my Debian server.

Answer 1

.htaccess files can interact with the main config in unobvious ways. In your case your problem is that you have access control bot in your httpd.conf and your .htaccess file. And they get both applied.

You have in your config:

Order allow,deny allow from all 

And in your .htaccess file:

Order Deny,Allow Deny from all 

So the end result is as if the permissions are:

Order Deny, Allow Deny From All Allow From ALL 

Which means that everyone gets access. In this case you should use "Order Allow, Deny".

You should however not use .htaccess files at all if you have access to the main config. .htaccess files exist as a workaround for cases where you don't have the right to edit the main config (like shared hosting) but if you can edit the main config you should use that.

.htaccess files have a lot of disadvantages. They are only read at request time, and only after the server has translated the URL to a file system resource. They are not read when the server startes. This means that the .htaccess files are possibly read at every request (causing a performance hit), but sometimes not read ever.

Answer 2

I think when you are using deny from all in your root directory, you are blocking all, also your localhost.
You need to put localhost allow in your root.

<Directory /> Options FollowSymLinks AllowOverride All Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 <Directory> 

Then, reload and restart apache:
/etc/init.d/apache2 reload
/etc/init.d/apache2 restart

For reference and performance, look at apache documentation for htaccess and authorization