Home > OS >  .htaccess: Require all denied not respected
.htaccess: Require all denied not respected

Time:04-07

I've read a baker's dozen of similar questions and the common issues found therein have not helped me resolve this. I could really use some help figuring this out. What should I try next? Is there a way to troubleshoot why these rules are not being respected?

This is a Wordpress environment on an Inmotion Hosting vps with WHM/cPanel and Apache 2.4. Nginx is not being used to cache this account.

I need to deny access to PDFs in a sub-directory, specifically:

/public_html/wp-content/uploads/gravity_forms/fillablepdfs/

My web root .htaccess is as follows.

/public_html/.htaccess

AllowOverride All

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>

# END WordPress

# Wordfence WAF
<Files ".user.ini">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

# END Wordfence WAF

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php74” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

I have tried many combinations in the web-root .htaccess and in the sub-directories in the path to the directory in question.

These did not work:

/public_html/wp-content/uploads/gravity_forms/fillablepdfs/.htaccess

Order deny,allow
Deny from all
Require all denied
<Files "*.pdf">
    Order deny,allow
    Deny from all
</Files>
<Files "*.pdf">
    Require all denied
</Files>

After those failed to work I moved up the directories attempting the same until I reached the web-root .htaccess again, where I tried the following.

/public_html/.htaccess

AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
    Require all denied
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
    Order deny,allow
    Deny from all
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "wp-content/uploads/gravity_forms/fillablepdfs/*.pdf">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
# END fillable-pdfs
AllowOverride All
 . . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "./wp-content/uploads/gravity_forms/fillablepdfs/*.pdf">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
# END fillable-pdfs

None of these worked.

There are two other .htaccess files along the path. They are:

/public_html/wp-content/uploads/.htaccess

# BEGIN WebP Express
# The rules below have been dynamically created by WebP Express in accordance with the plugin settings
# DO NOT EDIT MANUALLY (unless you are prepared that your changes might be overridden by WebP Express)
# The following parameters have been in play to produce the rules:
#
# WebP Express options:
# - Operation mode: varied-image-responses
# - Redirection to existing webp: enabled
# - Redirection to converter: enabled
# - Redirection to converter to create missing webp files upon request for the webp: enabled
# - Destination folder: separate
# - Destination extension: append
# - Destination structure: image-roots
# - Image types: jpeg, png
# - Alter HTML enabled?: yes
#
# Wordpress/Server configuration:
# - Document root availablity: Available and its "realpath" is available too. Can be used for structuring cache dir.
#
# .htaccess capability test results:
# - mod_header working?: yes
# - pass variable from .htaccess to script through header working?: no
# - pass variable from .htaccess to script through environment variable working?: yes
#
# Role of the dir that this .htaccess is located in:
# - Is this .htaccess in a dir containing source images?: yes
# - Is this .htaccess in a dir containing webp images?: no

# Rules for handling requests for source images
# ---------------------------------------------

<IfModule mod_rewrite.c>
  RewriteEngine On

  # Escape hatch #1: Adding ?dontreplace to an url can be used to bypass redirection
  RewriteCond %{QUERY_STRING} dontreplace$
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteRule . - [L]

  # Escape hatch #2: Placing an empty file in the same folder as the jpeg/png which has same file name, but ".dontreplace" appended will bypass redirection
  RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
  RewriteCond %1%2\.dontreplace -f
  RewriteRule . - [L]

  # Deprecated escape hatch: Adding ?original to an url can be used to bypass redirection
  RewriteCond %{QUERY_STRING} original$
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteRule . - [L]

  # Deprecated escape hatch: Placing an empty file in the same folder as the jpeg/png which has same file name, but ".do-not-convert" appended will bypass redirection
  RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
  RewriteCond %1%2\.do-not-convert -f
  RewriteRule . - [L]

  # Avoid redirecting to webp files that are bigger than the original
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteCond %{REQUEST_FILENAME} (?i)(/home/***/public_html/wp-content/uploads/)(.*)(\.jpe?g|\.png)$
  RewriteCond /home/***/public_html/wp-content/webp-express/webp-images-bigger-than-source/uploads/%2%3.webp -f
  RewriteRule . - [L]

  # Redirect to existing converted image in cache-dir (if browser supports webp)
  RewriteCond %{HTTP_ACCEPT} image/webp
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteCond %{REQUEST_FILENAME} (?i)(/home/***/public_html/wp-content/uploads/)(.*)(\.jpe?g|\.png)$
  RewriteCond /home/***/public_html/wp-content/webp-express/webp-images/uploads/%2%3.webp -f
  RewriteRule (?i)(.*)(\.jpe?g|\.png)$ /wp-content/webp-express/webp-images/uploads/%2%3\.webp [T=image/webp,E=EXISTING:1,E=ADDVARY:1,L]

  # Redirect images to webp-on-demand.php (if browser supports webp)
  RewriteCond %{HTTP_ACCEPT} image/webp
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
  RewriteRule (?i).*$ /wp-content/plugins/webp-express/wod/webp-on-demand.php [E=WE_WP_CONTENT_REL_TO_WE_PLUGIN_DIR:../../,E=WE_SOURCE_REL_HTACCESS:$0,E=WE_HTACCESS_ID:uploads,NC,L]

  # Make sure that browsers which does not support webp also gets the Vary:Accept header
  # when requesting images that would be redirected to webp on browsers that does.
  <IfModule mod_headers.c>
    <FilesMatch "(?i)\.(jpe?g|png)$">
      Header append "Vary" "Accept"
    </FilesMatch>
  </IfModule>

</IfModule>

# END WebP Express

/public_html/wp-content/uploads/gravity_forms/.htaccess

# BEGIN Gravity Forms
# The directives (lines) between "BEGIN Gravity Forms" and "END Gravity Forms" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
# Disable parsing of PHP for some server configurations. This file may be removed or modified on certain server configurations by using by the gform_upload_root_htaccess_rules filter. Please consult your system administrator before removing this file.
<Files *>
  SetHandler none
  SetHandler default-handler
  Options -ExecCGI
  RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule headers_module>
  Header set X-Robots-Tag "noindex"
</IfModule>
# END Gravity Forms

CodePudding user response:

Nginx was configured to bypass Apache to "Accelerate static content". Disabling this allows .htaccess files to function on .txt, .pdf, etc...

  • Related