You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Bernd Web <be...@gmail.com> on 2005/11/29 11:59:12 UTC

[users@httpd] serving .htaccess files

Hi,

I have a query/suggestion regarding Satisfy and the server
configuration file (httpd.conf).

The default server configuration prevents .htaccess (names matching
.ht*) to be served (see below).
However, when using IP and password authentication with "Satisfy any"
in a .htaccess file these files are served! (see e.g.
http://httpd.apache.org/docs/1.3/misc/FAQ.html, FAQ3)
The "Satisfy any" also applies to the files matching the <Files>
directive (see below).

When only basic password authentication is used in the .htaccess but
Satisfy Any remains in this file,  the .ht* files are also served. So,
basically, .ht* files are served as soon as Satisfy is set to Any (in
combination with password authentication).

I think we never want to server these ".ht*" files.

Would it not be good to add "Satisfy all" to the directives below in
the default Apache sources (or am I missing something why .htaccess
serving happens?)

Regards,
Bernd

>From httpd.conf (Apache/2.0.46), RedHat
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

>From httpd-std.conf.in and httpd-win.conf (sources Apache/2.0.55)
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] serving .htaccess files

Posted by Joshua Slive <js...@gmail.com>.

On 11/29/05, Bernd Web <be...@gmail.com> wrote:
>
> Would it not be good to add "Satisfy all" to the directives below in
> the default Apache sources (or am I missing something why .htaccess
> serving happens?)
>

Yes, they probably should have "Satisfy all" if you are using "Satisfy
any" in other contexts in httpd.conf.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org