On 03/09/2010 5:20 PM, J Wilson wrote:
Actually I may have mis understood what he was trying to say in the ZC forum. This is what one of the Zen Cart .htaccess file states: # @copyright Copyright 2003-2010 Zen Cart Development Team # @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0 # @version $Id: .htaccess 16111 2010-04-29 22:39:02Z drbyte $ # # This is used with Apache WebServers # # The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions # It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled. # Will also prevent people from seeing what is in the dir. and any sub-directories # # For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file. # Additionally, if you want the added protection offered by the OPTIONS directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified. # Example: #<Directory "/usr/local/apache/htdocs"> # AllowOverride Limit Options Indexes #</Directory> ############################### # deny *everything* <FilesMatch ".*"> Order Allow,Deny Deny from all </FilesMatch> # but now allow just *certain* necessary files: <FilesMatch ".*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF)$"> Order Allow,Deny Allow from all </FilesMatch> IndexIgnore */* ## NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use OPTIONS): # OPTIONS -Indexes -ExecCGI And this is what the readme docs for the new Zen Cart version states: For added security, Zen Cart™ comes with several .htaccess files already included in various folders to help provide protection against unwanted visitors and even against mis-use of your site in the unfortunate situation of your site being hacked. These protections prevent hackers from using your site as phishing sources. However, for these built-in protections to work, your web hosting server administrator MUST set the AllowOverride directive in the server's apache configuration (the server's master httpd.conf file) to "All" or at least ensure it includes these parameters: 'Limit Indexes'. ie: AllowOverride All or: AllowOverride Limit Indexes (NOTE: You must also add "Options" if uncommenting OPTIONS directives in your .htaccess files) Without these settings, you will likely encounter "500 Internal Server Error" messages when attempting to access various parts of your site, including perhaps the zc_install installer script. Storeowners hosting on Windows Servers using IIS instead of Apache may need to remove the .htaccess files and rework them into suitable equivalents within your IIS configuration. See Microsoft's IIS website for specific assistance. So from what I am understanding now, all I need to do is to edit httpd.conf and add in the block: ie: AllowOverride All or: AllowOverride Limit Indexes and not add any entries into my conf.d apache config files for the domain(s) in question? I was thinking that I should substitute<Directory "/usr/local/apache/htdocs"> with the path of the domain that owns that web space and put the directives in all my individual apache config files for those domains running a store, which I did. Now it appears that they are to be left in the .htaccess file and I just edit the main httpd.conf file. Do you get this impression as well? --- On Fri, 9/3/10, Rich Bowen<rbowen@xxxxxxxxxxx> wrote:From: Rich Bowen<rbowen@xxxxxxxxxxx> Subject: Re: Revisited: 500 internal server error, new problem To: users@xxxxxxxxxxxxxxxx Date: Friday, September 3, 2010, 4:11 PM If someone is telling you that "deny *everything*" is valid Apache httpd syntax, you can rest assured that they don't know what they're talking about, and you might want to find support elsewhere. Additionally,<Directory> blocks are not permitted in .htaccess files. I would strongly encourage you to point this "developer" here, as they might benefit from our help. Meanwhile, I would encourage you to read these: http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allowOnly problem is, the developer is now claiming that bytaking that one line out, that I may as well take the entire directive set that they recommend out of my conf.d config file for this domain, because that one line if removed, disables all the protections provided in their new .htaccess files that came with Zen Cart. Funny though, I could not get his install scripts to run without all the rest of the directives I left in.So anyway he claims that there is a way to configuremy Apache 2.2.3 server which would make use of the deny *everything* line in my conf.d file and provide full protection. So I am now wondering what I need to do to set the switch to enable Apache to use this line and provide full protection. Something in the main httpd.conf file?He claims that this is out of the scope of theirsupport arena, the server settings that utilize his above suggested (actually required for install) directives.Thanks for any advice here.---------------------------------------------------------------------The official User-To-User support forum of the ApacheHTTP Server Project.See<URL:http://httpd.apache.org/userslist.html> for moreinfo.To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest:users-digest-unsubscribe@xxxxxxxxxxxxxxxxFor additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx-- Rich Bowen rbowen@xxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See<URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See<URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
A leading # indicates a comment. Be careful to replicate the configuration lines *exactly* as they are given to you.
Frank --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|