[Resolved] htaccess file directives in subdirectories

Park

New Member
#1
I have the following htaccess file configured for one of my user's websites in /home/username/public_html/store:
Code:
Options -Indexes
<Files ~ "\.php$">
order allow,deny
deny from all
</Files>

So this will basically block php files from being accessed in this directory and all subdirectories when I visit mydomain.com/store (and any subdirectories within it)

Now I have a subdirectory within /store called /store/myimages and need to access php files in here so I placed the following .htaccess file within /home/username/public_html/store/myimages:
Code:
Options +Indexes
<Files ~ "\.php$">
order allow,deny
allow from all
</Files>
allow from all

What should happen is that the htaccess in this subdirectory should override the file directive in the directory above it. However, this does not work. I tested this exact same setup in Apache and it does work, but not on Litespeed. Any suggestions?
 

NiteWave

Administrator
#2
A suggestion: use RewriteRule instead of Files, order, allow/deny from.

in /home/username/public_html/store/.htaccess
Code:
Options -Indexes
RewriteEngine On
RewriteRule \.php$ - [F]
in /home/username/public_html/store/myimages/.htaccess
Code:
Options +Indexes
RewriteEngine On
RewriteRule \.php$ -
 

aww

Well-Known Member
#4
Wait, litespeed doesn't support "deny from all" ?

Or it doesn't support Files/FilesMatch ?

(or both?)
 

aww

Well-Known Member
#6
Well I have all those override options checked.
And this simply doesn't do anything
Code:
<Files config.php>
  order allow,deny
  deny from all
</Files>
config.php can still be requested via http

possibly a parent rule interfering?
if I remember correctly litespeed has an issue with inherit

this works
Code:
RewriteCond %{SCRIPT_FILENAME} config\.php$ [NC] 
RewriteRule .* - [F]
however it bothers me there is not full apache compatibility via files/deny from all
 

NiteWave

Administrator
#7
I did more tests on 4.0.14 standard, using exactly the same lines as yours:
Code:
<Files config.php>
  order allow,deny
  deny from all
</Files>
At vhost level, when any one of the AllowOverride options Limit/Auth/FileInfo/Indexes/Options is checked, "deny from all" will take effect and return:
403 Forbidden
Access to this resource on the server is denied!

however, if "None" is checked, or no check at all, "deny from all" won't take effect, the result is what you experienced.

I'll test on apache soon.
 

NiteWave

Administrator
#8
apache 2.2.14

when AllowOverride Options/FileInfo/AuthConfig/Indexes (one of them)
return
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.
...
when AllowOverride All/Limit (one of them)
return
Forbidden
You don't have permission to access /test.html on this server.
when AllowOverride None ,return normal result. -- "deny from all" is ignored.

Summary for apache: when virtual host level AllowOverride is set to All/Limit, "deny from all" takes effect and will return "403 Forbidden" -- as expected. When AllowOverride Limit is not explicitly set but another AllowOverride option is set, the returned result looks undefined -- "500 Internal Server Error" in my test.

here's apache's docs:
http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride
"When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem."
"Default: AllowOverride All"
 

aww

Well-Known Member
#9
Sorry for not being clear, I am not checking "none" but all the others are checked.

I will try this on a clean vhost, there must be something else interfering, hard to track down.
 

aww

Well-Known Member
#10
Okay I found the problem and it's likely my fault.

I had another rule with Order deny,allow (instead of allow,deny) AFTER this config.php rule.

So apparently the effect is cumulative and litespeed goes through ALL the rules before making a decision, instead of failing the file right away.

Not sure if that is how apache behaves (easyapache no longer builds for me so I can't test)

Does apache die immediately or wait to see what other rules do?

try putting this AFTER the config.php rule

Code:
<Files *>
order deny,allow 
deny from 4.4.4.4
</Files>
it works properly if I move it BEFORE the config.php

I guess I am used to mod-rewrite which will die immediately when told to do so.

ps. just out of curiosity does lsws support SetEnvIf and allow from env=
 
#11
Not sure if that is how apache behaves (easyapache no longer builds for me so I can't test)

Does apache die immediately or wait to see what other rules do?
Tested: apache has the same behavior as litespeed.

My simple test shows lsws does not support "allow from env=" yet, but it should be possible to do it through rewrite.

Regarding "SetEnvIf": lsws does not support it directly, but you can set an env variable through a rewrite rule. For example:
Code:
RewriteRule (.*) - [env=myenv:1]
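
Added example, not part of the thread: a small Python model of the behaviour worked out in posts #10 and #11, where a later `<Files *>` section with `order deny,allow` re-opens `config.php`. It assumes that every matching `<Files>` section is visited and that the last one's access settings replace the earlier ones; the tuple layout, the function names and the client address 203.0.113.7 are constructed for illustration.

```python
import fnmatch
import ipaddress

# Constructed model of the two sections from post #10:
# (files_pattern, order, allow_list, deny_list)
CONFIG_RULE = ("config.php", "allow,deny", [], ["all"])
CATCH_ALL = ("*", "deny,allow", [], ["4.4.4.4"])


def _matches(specs, client_ip):
    """True if client_ip matches 'all', a single address or a CIDR spec."""
    ip = ipaddress.ip_address(client_ip)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)


def evaluate(order, allow, deny, client_ip):
    """Order/Allow/Deny decision for one section (True = access granted)."""
    allowed = _matches(allow, client_ip)
    denied = _matches(deny, client_ip)
    if order == "allow,deny":   # default is deny, and Deny beats Allow
        return allowed and not denied
    if order == "deny,allow":   # default is allow, and Allow beats Deny
        return allowed or not denied
    raise ValueError(f"unknown order {order!r}")


def effective_section(sections, filename):
    """Visit every section in file order; the last match wins
    (assumption of this model: there is no first-match exit)."""
    chosen = None
    for section in sections:
        if fnmatch.fnmatchcase(filename, section[0]):
            chosen = section
    return chosen


def is_allowed(sections, filename, client_ip):
    section = effective_section(sections, filename)
    if section is None:
        return True             # no access restriction applies
    _, order, allow, deny = section
    return evaluate(order, allow, deny, client_ip)


if __name__ == "__main__":
    for label, sections in (("catch-all last ", [CONFIG_RULE, CATCH_ALL]),
                            ("catch-all first", [CATCH_ALL, CONFIG_RULE])):
        for ip in ("203.0.113.7", "4.4.4.4"):
            print(label, ip, is_allowed(sections, "config.php", ip))
```

With the catch-all section last, `config.php` is served to every client except 4.4.4.4; with it first, the `config.php` rule is the last match and the file is denied to everyone.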
 