.htaccess is not secure

blog

Hi

I can open .htaccess files in a browser. What is wrong with my configuration?

my httpd.conf
Code:
#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  

# Base server settings: configuration root, listening port, run-as account,
# admin contact and default document root.
ServerRoot "/etc/httpd"
# Plain HTTP on port 80; no address is given, so no interface restriction is set here.
Listen 80

#LoadModule dummy_module /usr/lib/apache/mod_dummy.so
#LoadModule php5_module        /usr/lib/apache/libphp5.so
# PHP module loading is delegated to this file (contents not shown on this page).
Include	/etc/httpd/conf/extra/httpd-phpmodules.conf

# Account and group the server's child processes use to answer requests.
User apache
Group apache

ServerAdmin admin@localhost
DocumentRoot "/var/www/html"

# Options and AllowOverrides
# NOTE(review): this file is not shown; it may set access rules that interact
# with the <Directory> blocks later in this file - confirm.
Include conf/extra/httpd-directories.conf

# File names tried, in this order, when a request maps to a directory.
<IfModule dir_module>
    DirectoryIndex index.html index.htm index.shtml index.php index.php5 index.php4 index.php3 index.phtml index.cgi
</IfModule>

# Deny HTTP access to every file whose name starts with ".ht"
# (.htaccess, .htpasswd, ...). With "Order allow,deny" and no Allow line,
# nothing is allowed and the explicit Deny applies to all clients.
# NOTE(review): the <Location /> block further down in this file carries
# "Allow from all". <Location> sections are merged after <Files>/<FilesMatch>
# sections, so that block replaces this deny. Verify by requesting
# /.htaccess and expecting a 403 response.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all

    # Both the host-based rule above and any authentication requirement must pass.
    Satisfy All
</FilesMatch>

# Error log location and minimum severity recorded.
ErrorLog /var/log/httpd/error_log
LogLevel warn

# Access-log formats and the access log itself.
# NOTE(review): the LogFormat nicknames are only defined when mod_logio is
# loaded; without it "common" is not defined anywhere in this file - confirm.
<IfModule log_config_module>
    #replace %b with %O for more accurate logging
    <IfModule mod_logio.c>
      LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
      LogFormat "%h %l %u %t \"%r\" %>s %O" common
      LogFormat "%O %I" bytes

      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    # The "common" format records no Referer or User-Agent. The bad_bot rules
    # in this file key on User-Agent, so "combined" would make blocked and
    # suspicious requests easier to investigate.
    CustomLog /var/log/httpd/access_log common
</IfModule>

# URL-to-path aliases come from a DirectAdmin-managed file (not shown here).
<IfModule alias_module>
    # Include some DirectAdmin alias
    Include conf/extra/httpd-alias.conf
</IfModule>

# Files with no recognised type are served as plain text.
DefaultType text/plain

# MIME types, encodings and handlers keyed on file extension.
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-gzip .tgz
    AddEncoding x-compress .Z
    AddEncoding x-gzip .gz .tgz
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    # Server-wide: any *.cgi file is handed to the CGI handler wherever the
    # effective Options permit ExecCGI ("Options All" on <Directory /> below
    # includes it).
    AddHandler cgi-script .cgi
    AddHandler type-map var
    # *.shtml files are parsed for server-side includes.
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
	AddType video/x-ms-asf .avi
	AddType video/mpeg .mpg
	AddType video/mpeg .mpeg
	AddType video/quicktime .mov
	AddType video/x-ms-wmv .wmv
</IfModule>

#EnableMMAP off
#EnableSendfile off

#######################################################################################
# For user configurations not maintained by DirectAdmin. Empty by default.
#######################################################################################

# User-maintained additions, followed by the DirectAdmin-managed includes.
# None of the included files are shown on this page, so their effect on
# access control cannot be judged from this listing alone.
Include conf/extra/httpd-includes.conf


#######################################################################################
# Do not change anything in included files, because they are rewritten by DirectAdmin #
#######################################################################################

# This is needed for PHP
Include conf/extra/httpd-php-handlers.conf

# Server-pool management (MPM specific)
Include conf/extra/httpd-mpm.conf

# Multi-language error messages
Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
Include conf/extra/httpd-autoindex.conf

# Language settings
Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
# NOTE(review): presumably defines server-status/server-info locations; confirm
# they are limited to trusted addresses, and that the later <Location /> block
# with "Allow from all" does not override that restriction.
Include conf/extra/httpd-info.conf

# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
# NOTE(review): contents not shown; confirm DAV is enabled only where needed
# and requires authentication.
Include conf/extra/httpd-dav.conf

# Various default settings
Include conf/extra/httpd-default.conf

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

# Deflate module settings
Include conf/extra/httpd-deflate.conf

# All the DirectAdmin vhosts
Include conf/extra/directadmin-vhosts.conf

# All suPHP directives
Include conf/extra/httpd-suphp.conf

#######################################################################################
# End of included files that are rewritten by DirectAdmin                             #
#######################################################################################

# Seed sources for the TLS PRNG at server start and per connection;
# "builtin" is the internal seeding source.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

# Tag requests whose User-Agent starts with one of these strings
# (case-insensitive) by setting the bad_bot environment variable.
# User-Agent is client-supplied, so this reduces noise but is not an access control.
SetEnvIfNoCase User-Agent "^Wget" bad_bot
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot

# Allow every URL-path to all clients except those tagged bad_bot.
# NOTE(review): <Location> sections are merged last, after <Directory>,
# .htaccess and <Files>/<FilesMatch>. The "Allow from all" here therefore
# replaces the "Deny from all" in <FilesMatch "^\.ht"> above, which is why
# .htaccess can be fetched in a browser. It can likewise override other
# host-based restrictions set in earlier sections.
<Location />
Order allow,deny
Allow from all
Deny from env=bad_bot
</Location>

# Settings for directories under /home.
<Directory /home/*>
    # .htaccess files here may override every overridable directive.
    AllowOverride All
    # No content negotiation or directory listings; symlinks are followed.
    # NOTE(review): +IncludesNoExec and +Includes are both listed; whether SSI
    # exec ends up enabled depends on the Apache version - confirm, and keep
    # only IncludesNoExec if exec is not required.
    Options -MultiViews -Indexes +FollowSymlinks +IncludesNoExec +Includes
# Listed methods are open to all clients; PROPFIND is a WebDAV method.
<Limit GET POST OPTIONS PROPFIND>
    Order allow,deny
    Allow from all
</Limit>
# Every method not listed above is denied.
<LimitExcept GET POST OPTIONS PROPFIND>
    Order deny,allow
    Deny from all
</LimitExcept>
</Directory>

# Defaults for the whole filesystem. <Directory> sections apply from the
# shortest path to the longest, so this is the baseline that every other
# directory inherits, regardless of its position in the file.
# NOTE(review): "Options All" plus "AllowOverride All" with no access rule is a
# permissive baseline. The usual hardening is to deny access and disable
# options and overrides here, then open up only the specific directories that
# are served.
<Directory />
    Options All
    AllowOverride All
</Directory>

# Default document root: no listings, symlinks followed, .htaccess may
# override everything, open to all clients.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
   # With suPHP loaded, PHP under this directory runs as webapps:webapps.
   <IfModule mod_suphp.c>
        suPHP_Engine On
        suPHP_UserGroup webapps webapps
	# Sets PHP_INI_SCAN_DIR with no value; presumably to stop PHP scanning
	# extra ini directories - confirm.
	SetEnv PHP_INI_SCAN_DIR
   </IfModule>
</Directory>


# CGI directory: no .htaccess overrides and no Options, open to all clients.
# NOTE(review): "Options None" leaves ExecCGI off in this block; script
# execution presumably comes from a ScriptAlias in httpd-alias.conf - confirm.
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

# Strip the Pragma and ETag response headers and stop generating file ETags.
Header unset Pragma
Header unset ETag
FileETag None
 
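Resolved. Remove the following block from httpd.conf. Apache applies `<Location>` sections after `<FilesMatch>` sections, so this block's `Allow from all` was overriding the `Deny from all` on `.ht*` files: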

# Allows every URL-path to all clients except those tagged bad_bot.
# A <Location> section is merged after <FilesMatch>, so this "Allow from all"
# replaced the deny on ".ht*" files.
<Location />
Order allow,deny
Allow from all
Deny from env=bad_bot
</Location>
 
Is .htaccess run from top to bottom? Does it stop at the first allow?

Jeff
 