I'm hardening my Apache server config and wondering if it uses any other "^.ht.+" files besides .htaccess and .htpasswd?
Asked
Active
Viewed 684 times
0
Jeff
- 1,406
- 3
- 26
- 46
-
Shouldn't you be blocking web access to all dot files, regardless of what Apache uses? – ceejayoz Oct 19 '12 at 16:20
-
1Rhetorical? Subjective. Unfortunately that doesn't help answer my question. – Jeff Oct 19 '12 at 16:22
-
The default in most Apache2 distros' configs is `
` -> 403 – Jeff Oct 19 '12 at 16:25
3 Answers
1
.htaccess is the default AccessFileName used by apache. There is nothing special about `.htpasswd' just that most people use it so it makes the ACL to block access to them easier. There is nothing that says you need to use those filenames, and if you have access to the httpd.conf file, you really shouldn't use them at all as they slow down access to the directories. They are good to allow override access to people that don't have access to the server config.
That being said, if you haven't changed the defaults by using AccessFileName directive in your config, and have named all your password files .htpasswd than you should be good with the dotfiles.
Doon
- 1,441
- 9
- 9
1
Does Apache? No.
The only one it does normally use is .htaccess, but that's really only due to the default of AccessFileName being AccessFileName .htaccess - change that configuration and Apache will have no special interest whatsoever in files that start with .ht.
.htpasswd isn't a normal standard, and really isn't even a good idea; the general recommendation is to keep the auth files out of your web root, since there are other ways (remote file inclusion vulnerabilities) to potentially get at the contents of the file, bypassing Apache's access restrictions.
Do other people? Maybe.
Common usage of .ht* as "this is a restricted/inaccessible file of some kind" is expected/abused by some people/content/web applications, for many of the same reasons that .htaccess is misunderstood by many people as the "right" place to put access controls and rewrite rules, despite the fact that it's not intended for that. So, if you disable the default behavior of <Files ~ "^\.ht"> (why would you need to do this for hardening?), make sure your content isn't abusing that file name convention to hide things.
Shane Madden
- 112,982
- 12
- 174
- 248
-
I think the .htpasswd came up since it would be blocked by my default ACLS, and there are lots of hosting situations where you don't have access to anything outside the DocRoot. since in that scenario, .htpasswd makes sense. – Doon Oct 19 '12 at 16:47
0
here is how you can check if you're using any other .htaccess: core - Apache HTTP Server, also this is what should be used by any apache as it would prevent people accessing it:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
alexus
- 12,342
- 27
- 115
- 173