Apache doesn't serve files that start with ".htaccess"

I'm not sure what I am doing wrong, but I have the following files in a directory served by Apache:

Code:
2 -rwxrwxrwx   1 daniel  daniel    55B May 15 20:25 htaccess.bz2
2 -rwxrwxrwx   1 daniel  daniel    55B May 15 20:25 .taccess.bz2
2 -rwxrwxrwx   1 daniel  daniel    55B May 15 20:25 .htaccess1.bz2
4 -rwxrwxrwx   1 daniel  daniel    55B May 15 20:25 .htaccess.bz2
2 drwxr-xr-x  60 root    wheel    1.5k May 15 21:02 ..
2 drwxr-xr-x   2 www     www      512B May 15 21:25 .

Every file except htaccess.bz2 and .taccess.bz2 returns the following error when I try to download it:

Code:
client denied by server configuration: /usr/local/www/test/.htaccess1.bz2

I tried adding the following directives into the virtual host configuration:

Code:
AccessFileName .mysettings
<Directory "/usr/local/www/test">
    Options All Indexes FollowSymLinks    
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
<Files ".htaccess.bz2">
ForceType application/octet-stream
Header set Content-Disposition attachment
</Files>

The problem is still the same. What am I doing wrong? Is it not possible to download files whose names start with .htaccess?
 
Have a look at /usr/local/etc/apache22/httpd.conf, and locate the following section:
Code:
#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

Understand it, and think twice before you change something here.
 
I just want to add some weight to this by mentioning that it is an extremely bad idea to change the way Apache handles its .htaccess files; this is a recipe for disaster, because allowing this behaviour will also provide potential attackers with a lot more information on how they can bypass or abuse certain website limitations.

Worse yet: if you set up some loose permissions then there's also a reasonable chance people might be able to apply settings of their own, something you really wouldn't want to happen.
 
Thanks for putting this in. I was afraid someone else was going to find this thread and change the Apache httpd.conf file without thinking about the potential hazards.

I totally agree that it's a bad idea. This is only for a very specific need and is limited only to one virtual host.

For example:

Code:
<VirtualHost *:80>
DocumentRoot "/usr/local/www/test"
ServerName test.domain.net
AccessFileName .mysettings
<FilesMatch "^\.ht">
    Order allow,deny
    Allow from all
</FilesMatch>
</VirtualHost>
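
A narrower form of the virtual host above, as an added example that is not part of the original thread: the posted override re-allows every name the stock rule protects, `.htaccess` and `.htpasswd` included, and `AccessFileName .mysettings` moves the per-directory settings into a file that `^\.ht` never covered. It assumes Apache 2.2 access-control syntax and mod_headers, as in the posts above; the `.bz2` pattern is an illustrative choice.

```apache
# Added example (Apache 2.2 syntax), not the original poster's configuration.
<VirtualHost *:80>
    DocumentRoot "/usr/local/www/test"
    ServerName test.domain.net
    AccessFileName .mysettings

    # The stock <FilesMatch "^\.ht"> block in httpd.conf is left untouched,
    # so .htaccess and .htpasswd stay denied in this virtual host as well.

    # Sections inside <VirtualHost> are merged after the matching sections of
    # the main server, so this block wins, but only for the names it matches:
    # compressed copies such as .htaccess.bz2 and .htaccess1.bz2.
    <FilesMatch "^\.htaccess.*\.bz2$">
        Order allow,deny
        Allow from all
        ForceType application/octet-stream
        Header set Content-Disposition attachment
    </FilesMatch>

    # With AccessFileName changed, the live per-directory settings file is
    # .mysettings, which "^\.ht" does not match. Deny it explicitly.
    <Files ".mysettings">
        Order allow,deny
        Deny from all
    </Files>
</VirtualHost>
```

Run `apachectl configtest` before reloading, then request `.htaccess`, `.mysettings` and `.htaccess.bz2` to confirm that only the archive is served.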
 
The usage of .htaccess files is simple and clear: to adjust server settings without having to restart the server. I sometimes use them for this purpose, and it works. It is a bad idea to try to use them for any other purpose.
 