Welcome! Log In Create A New Profile

Advanced

.htaccess deny access not working

Posted by jeffshead 
.htaccess deny access not working
February 09, 2021 08:07AM
The server is set up with Nginx -> Varnish -> Apache.

The following nginx vhost conf rule block is essentially causing .htaccess files to be ignored:


location / {
location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ {
root /home/<userAccount>/<site.tld>;
expires max;
try_files $uri @backend;
}

error_page 405 = @backend;
error_page 500 = @custom;
add_header X-Cache "HIT from Backend";
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;
proxy_pass http://192.168.1.5:8181;
include proxy.inc;
}


To be specific, if a .htaccess file, containing a "Require all denied" rule is placed in any directory, users can still view or download any file type that is listed in that nginx rule.

Since that nginx rule applies to the root of the website, can I simply add a block of code to the nginx conf file that will 'exempt' specified directories from that rule so .htaccess files can be used to forbid access to those specific directories? If so, can you please provide a code sample and where it should be placed in the conf file. In other words, I want to keep that rule as the default for the website but exempt specific directories from it.
Re: .htaccess deny access not working
February 10, 2021 08:30AM
After lots of testing, this seems to work but I would like to know if this is the most efficient solution:


location / {

#### MY NEW RULE ###
location ~ /(my_files/uploads/files|dir1|dir2) {
#deny all;
#return 404;
proxy_pass http://192.168.1.5:8181;
include proxy.inc;
}
#### MY NEW RULE ###

location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ {
root /home/<userAccount>/<site.tld>;
expires max;
try_files $uri @backend;
}

error_page 405 = @backend;
error_page 500 = @custom;
add_header X-Cache "HIT from Backend";
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;
proxy_pass http://192.168.1.5:8181;
include proxy.inc;
}


Should I add/remove anything (other than the comments) to the new rule?
All that I'm trying to do is bypass that nginx static files rule for specific directories that rely on .htacces files.



Edited 3 time(s). Last edit at 02/10/2021 08:38AM by jeffshead.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 73
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready