Author Topic: .htaccess deny access not working  (Read 3500 times)

0 Members and 2 Guests are viewing this topic.

Offline
*
.htaccess deny access not working
« on: February 09, 2021, 06:01:57 AM »
My CWP is set up with Nginx & Varnish & Apache.

I'm using a few different web apps that come with their own custom .htaccess files that do different things for different directories. One thing that was puzzling me is the fact that some .htaccess files were not denying access to some directories even though the files are properly coded. It took me a long time to figure out that the following block in the NGINX vhost config files is causing the issue:

Code: [Select]
location / {
location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ {
root /home/<userAccount>/mysite.com;
expires max;
try_files $uri @backend;
}

error_page 405 = @backend;
error_page 500 = @custom;
add_header X-Cache "HIT from Backend";
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;
proxy_pass http://192.168.1.5:8181;
include proxy.inc;
}

So even if I have a proper .htaccess file which denies access to a directory, users can still view/download (via web browser) any of the file types that are specified in the code snippet above.

So what is the proper way to fix this situation of the .htaccess files being essentially bypassed?

Re: .htaccess deny access not working
« Reply #1 on: February 09, 2021, 11:46:39 AM »
So what is the proper way to fix this situation of the .htaccess files being essentially bypassed?
Don't use nginx or convert Apache .htaccess rules to nginx syntax.

Offline
*
Re: .htaccess deny access not working
« Reply #2 on: February 09, 2021, 12:48:43 PM »
...convert Apache .htaccess rules to nginx syntax.
Since that nginx rule applies to the root of the website, can a block of code be simply added to the nginx vhost conf file that will exempt specified directories from that rule so .htaccess files can be used to forbid access to those specific directories? If so, can you please provide a code sample and where it should be placed in the nginx conf file. In other words, I want to keep that rule as the default for the website but exempt specific directories from it.
« Last Edit: February 09, 2021, 01:41:46 PM by jeffshead »

Offline
*
Re: .htaccess deny access not working
« Reply #3 on: February 10, 2021, 01:34:37 PM »
After lots of testing, this seems to work but I would like to know if this is the most efficient solution:

Code: [Select]
location / {

#### MY NEW RULE ###
location ~ /(my_files/uploads/files|dir1|dir2) {
#deny all;
#return 404;
proxy_pass http://192.168.1.5:8181;
include proxy.inc;
}
#### MY NEW RULE ###

location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ {
root /home/<userAccount>/<site.tld>;
expires max;
try_files $uri @backend;
}

error_page 405 = @backend;
error_page 500 = @custom;
add_header X-Cache "HIT from Backend";
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;
proxy_pass http://192.168.1.5:8181;
include proxy.inc;
}

Should I add/remove anything (other than the comments) to the new rule?
All that I'm trying to do is bypass that nginx static files rule for specific directories that rely on .htacces files.
« Last Edit: February 10, 2021, 01:37:59 PM by jeffshead »