Hello, everyone,
I am able to view .htaccess and .htpasswd files on my development server
from within a Web browser.
My understanding is that the following configuration directive, which is
included in the default configuration file, should prevent this:
-----------------------
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
-----------------------
I have made very few changes to the default configuration file; it is
almost entirely "stock".
Apache's mod_info output mentions the string "*.ht" only once, on line
291 (apologies for the text wrapping), so it seems that the directive is
indeed effective:
-----------------------
Module Name: mod_authz_core.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge
Directory Configs, Create Server Config
Request Phase Participation: Check Access, Verify User Access
Module Directives:
<AuthzProviderAlias> - container for grouping an authorization
provider's directives under a provider alias
Require - specifies authorization directives which one must pass (or
not) for a request to suceeed
<RequireAll> - container for grouping authorization directives of which
none must fail and at least one must pass for a request to succeed
<RequireAny> - container for grouping authorization directives of which
one must pass for a request to succeed
<RequireNone> - container for grouping authorization directives of which
none must pass for a request to succeed
AuthMerging - controls how a <Directory>, <Location>, or similar
directive's authorization directives are combined with those of its
predecessor
AuthzSendForbiddenOnFailure - Controls if an authorization failure
should result in a '403 FORBIDDEN' response instead of the
HTTP-conforming '401 UNAUTHORIZED'
Current Configuration:
In file: C:/Program Files/apache/conf/httpd.conf
233: <Directory />
235: Require all denied
: </Directory>
251: <Directory "C:/Users/Ben/Documents/Apache">
276: Require all granted
: </Directory>
291: <Files ".ht*">
292: Require all denied
: </Files>
383: <Directory "C:/Program Files/apache/cgi-bin">
386: Require all granted
: </Directory>
In file: C:/Program Files/apache/conf/auth.conf
19: <Location />
23: Require valid-user
: </Location>
In file: C:/Program Files/apache/conf/httpd.conf
638: <Location /server-info>
639: Require all granted
: </Location>
-----------------------
I must be overlooking something obvious here, and any help is much
appreciated.
Thank you!
-Ben
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|