.htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Fri Feb 17, 2017 11:14 pm

Hi, we have several sites on a VPS that run with Opencart 2.3.0.2.
For several weeks, I think after an update of Apache on Cpanel (Apache 2.4) we have on the log of all no sites the error that looks like this:

Code: Select all

[Fri Feb 17 00:59:03.443730 2017] [authz_core:error] [pid 22881:tid 139983518115584] [client xx.xxx.xx.xxx:xxxxx] AH01630: client denied by server configuration: /home/xxxxxxxxxx/public_html/024C4EE2AD8798A8312EDA215D965D70.txt
Now we do not have a file.txt present

Here's what Cpanel tells us
# Prevent Direct Access to files
<FilesMatch "(?i)((\.tpl|\.ini|\.log|(?<!robots)\.txt))">
Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>
Hello,

This entry is likely blocking access attempts to the .txt files, which are required as part of the verification process for the AutoSSL feature. Try removing the code that blocks TXT files within the .htaccess file to see if the issue persists.

Thank you.
Have you ever had this kind of back?

Thanks for help.

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by uksitebuilder » Sat Feb 18, 2017 1:24 am

Change it to:

Code: Select all

<FilesMatch "(?i)((\.tpl|\.ini|\.log)">
Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>
User avatar
uksitebuilder
Guru Member
Posts
7716
Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Sat Feb 18, 2017 3:05 am

Thank you for your reply, I will try and keep you informed :)

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Sat Feb 18, 2017 3:24 am

Error 500 with :

Code: Select all

<FilesMatch "(?i)((\.tpl|\.ini|\.log)">
Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>
It lacks one ") " at end
I try

Code: Select all

# Prevent Direct Access to files
<FilesMatch "(?i)((\.tpl|\.ini|\.log))">
Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by uksitebuilder » Sat Feb 18, 2017 3:34 am

Yes, you are right, apologies.
User avatar
uksitebuilder
Guru Member
Posts
7716
Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Sat Feb 18, 2017 2:10 pm

HI. Apparently no / more error on the 2 sites on which I changed the .htaccess. Thank you very much. A small question I imagine that if originally it is recommended to insert in the .htaccess for .txt files is that there is a security interest? What can happen without (? <! Robots) \ .txt? A parade

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by uksitebuilder » Sun Feb 19, 2017 1:08 am

I don't think there is any security risk with OpenCart and people/bots requesting non-existent .txt files.
User avatar
uksitebuilder
Guru Member
Posts
7716
Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Mon Feb 20, 2017 1:50 am

The errors have disappeared. On the other hand we have on some site an error (apparently at the same time as the Apache update 2.4) on the server, an idea?

Code: Select all

[Sun Feb 19 17:54:43.289100 2017] [autoindex:error] [pid 2687:tid 140296499197696] [client 104.238.248.15:1757] AH01276: Cannot serve directory /home/xxxxxxxxxx/public_html/: No matching DirectoryIndex (index.html,index.php,index.html.var,index.htm,index.shtml,index.xhtml,index.wml,index.perl,index.pl,index.plx,index.ppl,index.cgi,index.jsp,index.js,index.jp,index.php4,index.php3,index.phtml,default.htm,default.html,home.htm,index.php5,Default.html,Default.htm,home.html) found, and server-generated directory index forbidden by Options directive

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by uksitebuilder » Mon Feb 20, 2017 4:59 am

Maybe this will help

https://www.liquidweb.com/kb/apache-err ... nd-solved/
User avatar
uksitebuilder
Guru Member
Posts
7716
Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Mon Feb 20, 2017 5:48 am

Thank you for this quick response. I have just checked Apache and I have all that to parameterize:

Code: Select all

index.html,index.php,index.html.var,index.htm,index.shtml,index.xhtml,index.wml,index.perl,index.pl,index.plx,index.ppl,index.cgi,index.jsp,index.js,index.jp,index.php4,index.php3,index.phtml,default.htm,default.html,home.htm,index.php5,Default.html,Default.htm,home.html

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by uksitebuilder » Mon Feb 20, 2017 4:07 pm

Turns out you need to disable DirectoryIndex in Apache 2.4 to get auto Indexes.

DirectoryIndex disabled
Options Indexes
User avatar
uksitebuilder
Guru Member
Posts
7716
Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Mon Feb 20, 2017 6:18 pm

In fact, this is the exact problem. I have a shop related to a commercial management through a connector. The shop generates type errors

Code: Select all

[Sun Feb 19 13:29:30.137609 2017] [autoindex:error] [pid 29997:tid 140296572626688] [client 51.254.41.129:52150] AH01276: Cannot serve directory /home/xxxxxxx/public_html/catalog/view/theme/: No matching DirectoryIndex (index.html,index.php,index.html.var,index.htm,index.shtml,index.xhtml,index.wml,index.perl,index.pl,index.plx,index.ppl,index.cgi,index.jsp,index.js,index.jp,index.php4,index.php3,index.phtml,default.htm,default.html,home.htm,index.php5,Default.html,Default.htm,home.html) found, and server-generated directory index forbidden by Options directive
And Dolibarr our commercial management:

Code: Select all

[Sun Feb 19 19:06:48.228464 2017] [autoindex:error] [pid 2454:tid 140128647288576] [client 79.137.85.189:44796] AH01276: Cannot serve directory /home/xxxxxxxx/public_html/: No matching DirectoryIndex (index.html,index.php,index.html.var,index.htm,index.shtml,index.xhtml,index.wml,index.perl,index.pl,index.plx,index.ppl,index.cgi,index.jsp,index.js,index.jp,index.php4,index.php3,index.phtml,default.htm,default.html,home.htm,index.php5,Default.html,Default.htm,home.html) found, and server-generated directory index forbidden by Options directive, referer: http://anonymizeme.pro/go/hide.cgi?sg7j8b6vc2fd1g4u7h4b12f5q5y2c12n1l4f5s5i1g1fd5s2x2ds5f5h2j5f4s44d
The error of the shop in connection with Dolibarr tip / catalog / view / theme /. The shop runs on the Journal2 template like other shops but we do not have this type of errors. In addition to or out this url http://anonymizeme.pro/go/hide.cgi? In the error of the business management server? This is not our url

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Mon Feb 20, 2017 6:20 pm

uksitebuilder wrote:
Mon Feb 20, 2017 4:07 pm
 Turns out you need to disable DirectoryIndex in Apache 2.4 to get auto Indexes.

DirectoryIndex disabled
Options Indexes
What is strange is that all of our sites have the same .htaccess (# Prevent Directoy listing
Options -Indexes), all work on the same server, and we have that problem on only one shop.

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by uksitebuilder » Mon Feb 20, 2017 6:24 pm

I think it is more so the first line of what I posted that needs to be added.
User avatar
uksitebuilder
Guru Member
Posts
7716
Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Mon Feb 20, 2017 6:29 pm

Thanks. Like this ? :

Code: Select all

# Prevent Directoy listing
Options -Indexes
DirectoryIndex disabled
For all shop or only one ?

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by uksitebuilder » Mon Feb 20, 2017 8:07 pm

That code looks fine - you can test with that

If your other shops are exhibiting the same behaviour, then try it on one first to see if it fixes the problem, then rinse and repeat if it fixes the problem.
User avatar
uksitebuilder
Guru Member
Posts
7716
Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom
Top

Re: .htaccess Prevent Direct Access to files

Quote

Post by stef83136 » Wed Feb 22, 2017 1:08 am

As mentioned above after research with Cpanel developers, the problem is related to the :
This entry is likely blocking access attempts to the .txt files, which are required as part of the verification process for the AutoSSL feature.
With Cpanel we tried this in order to keep track of the .txt files but the errors still appeared.

Code: Select all

# Prevent Direct Access to files
<FilesMatch "(?i)((\.tpl|\.ini|\.log|(?<!robots)\.txt))">
  Require host secure.comodo.net
  Require ip $Local-IP
  Require all denied
</FilesMatch>
So in finality for the moment on this code avoids errors:

Code: Select all

# Prevent Direct Access to files
<FilesMatch "(?i)((\.tpl|\.ini|\.log))">
Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>
I guess if the developers of Opencart had placed! Robots) \ txt there was probably a reason, I hope I will not have any security problem. Thank you for the help you have given me.

Opencart 3.0.3.2
Journal 3

Aquamagasin votre spécialiste du Traitement d'eau et des Adoucisseurs d'eau

stef83136
Active Member
Posts
177
Joined
Tue Dec 09, 2014 3:29 am
Location - France
Top
Post Reply
Return to “General Support”
Who is online

Users browsing this forum: No registered users and 347 guests