httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Able to view .htaccess and .htpasswd files via user-agent under default configuration (Apache 2.4, Win32)
Date Mon, 03 Dec 2012 20:07:59 GMT
On 04/12/2012 5:41 AM, "Ben Johnson" <ben@indietorrent.org> wrote:
>
> Hello, everyone,
>
> I am able to view .htaccess and .htpasswd files on my development server
> from within a Web browser.
>
> My understanding is that the following configuration directive, which is
> included in the default configuration file, should prevent this:
>
> -----------------------
> #
> # The following lines prevent .htaccess and .htpasswd files from being
> # viewed by Web clients.
> #
> <Files ".ht*">
>     Require all denied
> </Files>
> -----------------------
>
> I have made very few changes to the default configuration file; it is
> almost entirely "stock".
>
> Apache's mod_info output mentions the string "*.ht" only once, on line
> 291 (apologies for the text wrapping), so it seems that the directive is
> indeed effective:
>
> -----------------------
> Module Name: mod_authz_core.c
> Content handlers: none
> Configuration Phase Participation: Create Directory Config, Merge
> Directory Configs, Create Server Config
> Request Phase Participation: Check Access, Verify User Access
> Module Directives:
> <AuthzProviderAlias> - container for grouping an authorization
> provider's directives under a provider alias
> Require - specifies authorization directives which one must pass (or
> not) for a request to suceeed
> <RequireAll> - container for grouping authorization directives of which
> none must fail and at least one must pass for a request to succeed
> <RequireAny> - container for grouping authorization directives of which
> one must pass for a request to succeed
> <RequireNone> - container for grouping authorization directives of which
> none must pass for a request to succeed
> AuthMerging - controls how a <Directory>, <Location>, or similar
> directive's authorization directives are combined with those of its
> predecessor
> AuthzSendForbiddenOnFailure - Controls if an authorization failure
> should result in a '403 FORBIDDEN' response instead of the
> HTTP-conforming '401 UNAUTHORIZED'
> Current Configuration:
> In file: C:/Program Files/apache/conf/httpd.conf
>  233: <Directory />
>  235:   Require all denied
>     : </Directory>
>  251: <Directory "C:/Users/Ben/Documents/Apache">
>  276:   Require all granted
>     : </Directory>
>  291: <Files ".ht*">
>  292:   Require all denied
>     : </Files>
>  383: <Directory "C:/Program Files/apache/cgi-bin">
>  386:   Require all granted
>     : </Directory>
> In file: C:/Program Files/apache/conf/auth.conf
>   19: <Location />
>   23:   Require valid-user
>     : </Location>
> In file: C:/Program Files/apache/conf/httpd.conf
>  638: <Location /server-info>
>  639:   Require all granted
>     : </Location>
> -----------------------
>
> I must be overlooking something obvious here, and any help is much
> appreciated.
>
> Thank you!
>
> -Ben
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
Remove Indexes from Options. Also remove the world readable permission from
the files.

Mime
View raw message