[Resolved] htaccess file directives in subdirectories

Discussion in 'General' started by Park, Mar 4, 2010.

  1. Park

    Park New Member

    I have the following htaccess file configured for one of my user's websites in /home/username/public_html/store:
    Options -Indexes
    <Files ~ "\.php$">
    order allow,deny
    deny from all
    </Files>

    So this will basically block php files from being accessed in this directory and all subdirectories when I visit mydomain.com/store (and any subdirectories within it)

    Now I have a subdirectory within /store called /store/myimages and need to access php files in here so I placed the following .htaccess file within /home/username/public_html/store/myimages:
    Options +Indexes
    <Files ~ "\.php$">
    order allow,deny
    allow from all
    </Files>
    allow from all

    What should happen is that the htaccess in this subdirectory should override the file directive in the directory above it. However, this does not work. I tested this exact same setup in Apache and it does work, but not on Litespeed. Any suggestions?
    Last edited by a moderator: May 12, 2010
  2. NiteWave

    NiteWave Administrator

    a suggestion: using RewriteRule instead of Files,order,allow/deny from

    in /home/username/public_html/store/.htaccess
    Code:
    Options -Indexes
    RewriteEngine On
    RewriteRule \.php$ - [F]
    
    in /home/username/public_html/store/myimages/.htaccess
    Code:
    Options +Indexes
    RewriteEngine On
    RewriteRule \.php$ -
    
  3. mistwang

    mistwang LiteSpeed Staff

    Or, use

    php_value engine off

    and

    php_value engine on

    in .htaccess to control PHP support.
  4. aww

    aww New Member

    Wait, litespeed doesn't support "deny from all" ?

    Or it doesn't support Files/FilesMatch ?

    (or both?)
  5. NiteWave

    NiteWave Administrator

  6. aww

    aww New Member

    Well I have all those override options checked.
    And this simply doesn't do anything
    Code:
    <Files config.php>
      order allow,deny
      deny from all
    </Files>
    
    config.php can still be requested via http

    possibly a parent rule interfering?
    if I remember correctly litespeed has an issue with inherit

    this works
    Code:
    RewriteCond %{SCRIPT_FILENAME} config\.php$ [NC] 
    RewriteRule .* - [F]
    
    however it bothers me there is not full apache compatibility via files/deny from all
    Last edited: May 10, 2010
  7. NiteWave

    NiteWave Administrator

    I did more tests on 4.0.14 standard, using exactly same lines as yours:
    Code:
    <Files config.php>
      order allow,deny
      deny from all
    </Files>
    in vhost level when AllowOverride any one of Limit/Auth/FileInfo/Indexes/Options
    is checked, "deny from all" will take effect, return
    403 Forbidden
    Access to this resource on the server is denied!

    however, if "None" is checked, or no check at all, "deny from all" won't take effect, the result is what you experienced.

    I'll test on apache soon.
  8. NiteWave

    NiteWave Administrator

    appache 2.2.14

    when AllowOverride Options/FileInfo/AuthConfig/Indexes (one of them)
    return
    when AllowOverride All/Limit (one of them)
    return
    when AllowOverride None ,return normal result. -- "deny from all" is ignored.

    summary for apache, when virtual host level AllowOverride is set to All/Limit, "deny from all" take effect, will return "403 Forbidden" -- as expected. when AllowOverride Limit is not explicitly set but other AllowOverride option is set, the return result looks undefined -- "500 Internal Server Error" in my test.

    here's apache's docs:
    http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride
    "When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem."
    "Default: AllowOverride All"
  9. aww

    aww New Member

    Sorry for not being clear, I am not checking "none" but all the others are checked.

    I will try this on a clean vhost, there must be something else interfering, hard to track down.
  10. aww

    aww New Member

    Okay I found the problem and it's likely my fault.

    I had another rule with Order deny,allow (instead of allow,deny) AFTER this config.php rule.

    So apparently the effect is cumulative and litespeed goes through ALL the rules before making a decision, instead of failing the file right away.

    Not sure if that is how apache behaves (easyapache no longer builds for me so I can't test)

    Does apache die immediately or wait to see what other rules do?

    try putting this AFTER the config.php rule

    Code:
    <Files *>
    order deny,allow 
    deny from 4.4.4.4
    </Files>  
    
    it works properly if I move it BEFORE the config.php

    I guess I am used to mod-rewrite which will die immediately when told to do so.

    ps. just out of curiosity does lsws support SetEnvIf and allow from env=
    Last edited: May 10, 2010
  11. NiteWave

    NiteWave Administrator

    tested, apache is same behavior as litespeed.

    my simple test show lsws not support "allow from env=" yet but should be able to do it through rewrite.

    regarding "SetEnvIf", lsws not support it directly but can set env through rewrite rule. for example.
    RewriteRule (.*) - [env=myenv:1]
    Last edited: May 10, 2010

Share This Page