On 04/12/2012 5:41 AM, "Ben Johnson" <ben@xxxxxxxxxxxxxxxx> wrote:
>
> Hello, everyone,
>
> I am able to view .htaccess and .htpasswd files on my development server
> from within a Web browser.
>
> My understanding is that the following configuration directive, which is
> included in the default configuration file, should prevent this:
>
> -----------------------
> #
> # The following lines prevent .htaccess and .htpasswd files from being
> # viewed by Web clients.
> #
> <Files ".ht*">
> Require all denied
> </Files>
> -----------------------
>
> I have made very few changes to the default configuration file; it is
> almost entirely "stock".
>
> Apache's mod_info output mentions the string "*.ht" only once, on line
> 291 (apologies for the text wrapping), so it seems that the directive is
> indeed effective:
>
> -----------------------
> Module Name: mod_authz_core.c
> Content handlers: none
> Configuration Phase Participation: Create Directory Config, Merge
> Directory Configs, Create Server Config
> Request Phase Participation: Check Access, Verify User Access
> Module Directives:
> <AuthzProviderAlias> - container for grouping an authorization
> provider's directives under a provider alias
> Require - specifies authorization directives which one must pass (or
> not) for a request to suceeed
> <RequireAll> - container for grouping authorization directives of which
> none must fail and at least one must pass for a request to succeed
> <RequireAny> - container for grouping authorization directives of which
> one must pass for a request to succeed
> <RequireNone> - container for grouping authorization directives of which
> none must pass for a request to succeed
> AuthMerging - controls how a <Directory>, <Location>, or similar
> directive's authorization directives are combined with those of its
> predecessor
> AuthzSendForbiddenOnFailure - Controls if an authorization failure
> should result in a '403 FORBIDDEN' response instead of the
> HTTP-conforming '401 UNAUTHORIZED'
> Current Configuration:
> In file: C:/Program Files/apache/conf/httpd.conf
> 233: <Directory />
> 235: Require all denied
> : </Directory>
> 251: <Directory "C:/Users/Ben/Documents/Apache">
> 276: Require all granted
> : </Directory>
> 291: <Files ".ht*">
> 292: Require all denied
> : </Files>
> 383: <Directory "C:/Program Files/apache/cgi-bin">
> 386: Require all granted
> : </Directory>
> In file: C:/Program Files/apache/conf/auth.conf
> 19: <Location />
> 23: Require valid-user
> : </Location>
> In file: C:/Program Files/apache/conf/httpd.conf
> 638: <Location /server-info>
> 639: Require all granted
> : </Location>
> -----------------------
>
> I must be overlooking something obvious here, and any help is much
> appreciated.
>
> Thank you!
>
> -Ben
Remove Indexes from Options. Also remove the world-readable permission from the files.
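
Added example, not part of the original thread: a simplified Python model of how the sections in the quoted mod_info listing combine for one request, using Apache 2.4's documented merge order (`<Directory>`, then `<Files>`, then `<Location>`) and the default `AuthMerging Off`. It assumes the listed `C:/Users/Ben/Documents/Apache` directory is the DocumentRoot, that no `AuthMerging` directive is set, and that sections are processed in the order mod_info printed them; the `SECTIONS` table is constructed from that listing.

```python
from fnmatch import fnmatchcase

# Documented Apache 2.4 merge order: <Directory>, then <Files>, then <Location>.
MERGE_ORDER = {"Directory": 0, "Files": 1, "Location": 2}

# Constructed from the "Current Configuration" listing in the quoted message:
# (section type, argument, Require value), in the order mod_info printed them.
SECTIONS = [
    ("Directory", "/", "all denied"),
    ("Directory", "C:/Users/Ben/Documents/Apache", "all granted"),
    ("Files", ".ht*", "all denied"),
    ("Location", "/", "valid-user"),
    ("Location", "/server-info", "all granted"),
]
DOCROOT = "C:/Users/Ben/Documents/Apache"  # assumption: this is the DocumentRoot


def applies(kind, arg, url_path, fs_path):
    """Return True if a section of this kind and argument covers the request."""
    if kind == "Directory":
        return arg == "/" or fs_path.startswith(arg.rstrip("/") + "/")
    if kind == "Files":
        return fnmatchcase(fs_path.rsplit("/", 1)[-1], arg)
    # Location: prefix match on the URL path
    return arg == "/" or url_path == arg or url_path.startswith(arg.rstrip("/") + "/")


def effective_require(url_path, sections=SECTIONS, docroot=DOCROOT):
    """Return (winning section, superseded sections) for a request path."""
    fs_path = docroot + url_path
    matched = [s for s in sections if applies(s[0], s[1], url_path, fs_path)]
    # Stable sort: group by merge order, shorter <Directory> paths first,
    # otherwise keep the listed order.
    matched.sort(key=lambda s: (MERGE_ORDER[s[0]], len(s[1]) if s[0] == "Directory" else 0))
    # With AuthMerging Off (the default) the last section's Require replaces
    # whatever the earlier sections set.
    return matched[-1], matched[:-1]


if __name__ == "__main__":
    for path in ("/.htaccess", "/index.html"):
        winner, overridden = effective_require(path)
        print(path, "->", "Require", winner[2], "from", f"<{winner[0]} {winner[1]}>")
        for kind, arg, req in overridden:
            print("   superseded:", f"<{kind} {arg}>", "Require", req)
```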