How to Secure .htaccess Files in Apache

by Mike on April 25, 2009

in Web Server

Typically you will manage Apache using a centralized file in httpd.conf (apache2.conf for Ubuntu).  This centralized option is convenient and results in fewer mistakes.  .htaccess allows for decentralized management, overriding the default configuration file.  These hidden files allow you to manage the directory where they are placed as well as sub-directories.  You can override the inherited permissions in any sub-directory with a .htaccess file.  The Directory settings must contain this line:

AllowOverride Options

This allows you to customize permissions on each virtual host.

Options                       Description
AuthConfig               Permits the use of authorization directives.
FileInfo                      Allows directives controlling document types
Indexes                      Allows directives controlling directory indexes
Limit                           Allows directives to control host access
Options                     Allows directives that control specific directory functions
All                              Allows all options
None                         Denies all options


The Options line can be set in a number of ways but the two easiest are these:

Options None
Options All

The Options None does not allow any custom options.  The Options All allows all options except MultiViews.

Reasons to Avoid the .htaccess file
1. Performance – apache must look in every directory to be sure it does not miss the file
2. Performance – apache must look in higher level directories to understand all directives
3. Security – allows users, who own directories, to control server settings
In summary, if you use .htaccess files you will incur 4 additional file-system accesses even if those files are not present.

You can change the name of the .htaccess file by making a change to the directive AccessFileName, change it like this in the main configuration file:

AccessFileName .htcontrol

Typically the only situation that you would use the .htaccess file for is when a web hosting company needs to make configuration changes based on individual directories.  This then allows individual users to make changes to those directories.  Instead of using .htaccess files you could place these settings in a <Directory> section in the main configuration file.

Here is an example of placing information that was to be placed in a .htaccess file in a <Directory> location.

<Directory /var/www/html>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Here is the default on the httpd.conf for CentOS

<Directory />
Options FollowSymLinks
AllowOverride None

When you set up .htaccess files they will be effective for the directory that they are placed in as well as any subdirectories.  If you wanted to set up a directory so that it could execute CGI scripts you could use a .htaccess file to do that.  First you must make the default settings so that if will permit Options for the .htaccess files, like so:

<Directory />
Options FollowSymLinks
AllowOverride Options

So here the “None” was changed to “Options”.

Now in the .htaccess file you can place a line like this:

Options +ExecCGI

If you wanted to use .htaccess files to allow access you need to first change the default “None” to “AuthConfig”.

<Directory />
Options FollowSymLinks
AllowOverride AuthConfig

Now in the .htaccess file you can place your configuration for authentication.

AuthType Basic
AuthName “Security”
AuthUserFile /etc/httpd/passwords
Require valid-user

Save this .htaccess file to the directory above the one you want to protect.

This will require you to use htpasswd to create the file /etc/httpd/passwords to control the .htaccess file.  If you do not have access to the /etc/httpd file you will need to change the configuration in the .htaccess file and  create a .htpasswd file like so:

AuthType Basic
AuthName “Security”
AuthUserFile /path/to/your/directory/.htpasswd
Require valid-user

htpasswd -c .htaccess

chmod 644 .htaccess

Here is an example of a typical Joomla .htaccess file:

RewriteEngine On

########## Begin – Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
########## End – Rewrite rules to block out some common exploits

#  Uncomment following line if your webserver’s URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)

# RewriteBase /

########## Begin – Joomla! core SEF Section
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
RewriteRule (.*) index.php
RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
########## End – Joomla! core SEF Section

Previous post:

Next post: