Actually I may have mis understood what he was trying to say in the ZC forum.
This is what one of the Zen Cart .htaccess file states:
# @copyright Copyright 2003-2010 Zen Cart Development Team
# @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
# @version $Id: .htaccess 16111 2010-04-29 22:39:02Z drbyte $
#
# This is used with Apache WebServers
#
# The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions
# It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
# Will also prevent people from seeing what is in the dir. and any sub-directories
#
# For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file.
# Additionally, if you want the added protection offered by the OPTIONS directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified.
# Example:
#<Directory "/usr/local/apache/htdocs">
# AllowOverride Limit Options Indexes
#</Directory>
###############################
# deny *everything*
<FilesMatch ".*">
Order Allow,Deny
Deny from all
</FilesMatch>
# but now allow just *certain* necessary files:
<FilesMatch ".*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF)$">
Order Allow,Deny
Allow from all
</FilesMatch>
IndexIgnore */*
## NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use OPTIONS):
# OPTIONS -Indexes -ExecCGI
And this is what the readme docs for the new Zen Cart version states:
For added security, Zen Cart™ comes with several .htaccess files already included in various folders to help provide protection against unwanted visitors and even against mis-use of your site in the unfortunate situation of your site being hacked. These protections prevent hackers from using your site as phishing sources.
However, for these built-in protections to work, your web hosting server administrator MUST set the AllowOverride directive in the server's apache configuration (the server's master httpd.conf file) to "All" or at least ensure it includes these parameters: 'Limit Indexes'.
ie: AllowOverride All
or: AllowOverride Limit Indexes
(NOTE: You must also add "Options" if uncommenting OPTIONS directives in your .htaccess files)
Without these settings, you will likely encounter "500 Internal Server Error" messages when attempting to access various parts of your site, including perhaps the zc_install installer script.
Storeowners hosting on Windows Servers using IIS instead of Apache may need to remove the .htaccess files and rework them into suitable equivalents within your IIS configuration. See Microsoft's IIS website for specific assistance.
So from what I am understanding now, all I need to do is to edit httpd.conf and add in the block:
ie: AllowOverride All
or: AllowOverride Limit Indexes
and not add any entries into my conf.d apache config files for the domain(s) in question?
I was thinking that I should substitute <Directory "/usr/local/apache/htdocs"> with the path of the domain that owns that web space and put the directives in all my individual apache config files for those domains running a store, which I did.
Now it appears that they are to be left in the .htaccess file and I just edit the main httpd.conf file. Do you get this impression as well?
--- On Fri, 9/3/10, Rich Bowen <rbowen@xxxxxxxxxxx> wrote:
> From: Rich Bowen <rbowen@xxxxxxxxxxx>
> Subject: Re: Revisited: 500 internal server error, new problem
> To: users@xxxxxxxxxxxxxxxx
> Date: Friday, September 3, 2010, 4:11 PM
> If someone is telling you that "deny
> *everything*" is valid Apache httpd syntax, you can rest
> assured that they don't know what they're talking about, and
> you might want to find support elsewhere.
>
> Additionally, <Directory> blocks are not permitted in
> .htaccess files.
>
> I would strongly encourage you to point this "developer"
> here, as they might benefit from our help.
>
> Meanwhile, I would encourage you to read these:
>
> http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny
> http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow
>
>
>
> > Only problem is, the developer is now claiming that by
> taking that one line out, that I may as well take the entire
> directive set that they recommend out of my conf.d config
> file for this domain, because that one line if removed,
> disables all the protections provided in their new .htaccess
> files that came with Zen Cart. Funny though, I could
> not get his install scripts to run without all the rest of
> the directives I left in.
> >
> > So anyway he claims that there is a way to configure
> my Apache 2.2.3 server which would make use of the deny
> *everything* line in my conf.d file and provide full
> protection. So I am now wondering what I need to do to
> set the switch to enable Apache to use this line and provide
> full protection. Something in the main httpd.conf
> file?
> >
> > He claims that this is out of the scope of their
> support arena, the server settings that utilize his above
> suggested (actually required for install) directives.
> >
> > Thanks for any advice here.
> >
> >
> >
> >
> >
> >
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache
> HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more
> info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > " from the digest:
> users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >
>
> --
> Rich Bowen
> rbowen@xxxxxxxxxxx
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more
> info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|