.htaccess install question

[nadsab]

Hi,

Quick question, are the .htaccess files in includes and zc-install dirs new to 1.3.9?

Having a 500 internal server error on install and I don't remember setting up AllowOverride configuration in my httpd.conf for those 1.3.8a stores, can't even find it in httpd.conf.

[nadsab]

I'm assuming here if I am using individual apache config files i.e. conf.d files for individual domains, that I could place the AllowOverride configurations in there instead of the main httpd.conf?

I was confused because I did not see any such directives for 1.3.8a stores I set up earlier in httpd conf files, don't remember including them.

Anyway, to make sure I have this correct, for the error log I am getting in apache when I use browser to go to www.mydomain.com/store/zc-install, according to what I am seeing in my apache error log, i.e.:

Code:

[Fri Sep 03 12:52:45 2010] [alert] [client 12.34.7.89]   /home/webspace/www/catalog/includes/.htaccess: order not allowed here, referer: http://www.mydomain.com/catalog/

[Fri Sep 03 12:52:45 2010] [alert] [client 12.34.7.89] /home/webspace/www/catalog/zc_install/.htaccess: DirectoryIndex not allowed here, referer: http://www.mydomain.com/catalog/

I am assuming that for the path you specify below from the zen-cart .htaccess files i.e. usr/local/apache/htdocs, that I substitute in the above paths /home/webspace/www/catalog/includes/ and /home/webspace/www/catalog/zc_install/

for /usr/local/apache/htdocs in the below and place it in httpd config file for that individual domain? As in the below and do an httpd restart?

Code:

<Directory "/home/webspace/www/catalog/includes/">
AllowOverride Limit Options Indexes
</Directory>

<Directory "/home/webspace/www/catalog/zc_install/">
AllowOverride Limit Options Indexes
</Directory>

deny *everything*
<FilesMatch ".*">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<FilesMatch ".*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF)$">
  Order Allow,Deny
  Allow from all
</FilesMatch>

IndexIgnore */*

DirectoryIndex index.php

<FilesMatch ".*\..*">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png|html)$)">
  Order Allow,Deny
  Allow from all
</FilesMatch>

IndexIgnore */*

[DrByte]

Quick question, are the .htaccess files in includes and zc-install dirs new to 1.3.9?

Having a 500 internal server error on install and I don't remember setting up AllowOverride configuration in my httpd.conf for those 1.3.8a stores, can't even find it in httpd.conf.

From the documentation included with Zen Cart's zip file (/docs/ folder), and from the release announcements:

*** SECURITY REQUIREMENT ***

For added security, Zen Cart™ comes with several .htaccess files already included in various folders to help provide protection against unwanted visitors and even against mis-use of your site in the unfortunate situation of your site being hacked. These protections prevent hackers from using your site as phishing sources.

However, for these built-in protections to work, your web hosting server administrator MUST set the AllowOverride directive in the server's apache configuration (the server's master httpd.conf file) to "All" or at least ensure it includes these parameters: 'Limit Indexes'.

Code:

ie:    AllowOverride All

or:    AllowOverride Limit Indexes

(NOTE: You must also add "Options" if uncommenting OPTIONS directives in your .htaccess files)

Without these settings, you will likely encounter "500 Internal Server Error" messages when attempting to access various parts of your site, including perhaps the zc_install installer script.
Storeowners hosting on Windows Servers using IIS instead of Apache may need to remove the .htaccess files and rework them into suitable equivalents within your IIS configuration. See Microsoft's IIS website for specific assistance.

ADDITIONAL NOTE ABOUT .htaccess FILES

Inside some folders is an .htaccess file that lists certain *permitted* filetypes which may be accessed. (Anything else is blocked to prevent abuse on your site).

The side-effect of this is that if you choose to use media types that are not already listed in the *permitted* list, then your visitors will not be able to see those resources.

Thus, if you are using product images that are not in the list of permitted types in your /images/.htaccess, you will need to add those types to the list.

Similarly, if you are using certain media types in music product previews, you will need to make sure those are in your /media/.htaccess

And, if you are using filetypes for downloadable products that are not already listed in your /pub/.htaccess and /download/.htaccess you will need to add those as well.

[nadsab]

For the record the apache directives I posted above worked for me, new store is installed, excelpt I took out

Code:

deny *everything*

in the above, still kept getting 500 errors with that in, now it's out of conf.d apache file, store installed great after httpd restart.

Only problem now, is that I can't access admin in browser even though my permissions are set to 755 on that dir and owned by correct user. Even tried chmod 777 for a minute. Mozilla claims I don't have permission for admin.

Is there anything in .htaccess in ZC files which would prevent me from getting to the admin page in a 1.3.9H store?

[DrByte]

For the record the apache directives I posted above worked for me, new store is installed, excelpt I took out

Code:

deny *everything*

LOL ... taking out the "deny everything" section completely kills all the security benefit provided by the supplied files.

If your server can't handle them and the server admin doesn't want to reconfigure the server to allow them, and you're content living without the protections offered, then just skip them. As it stands now you've got no protection anyway.

[nadsab]

OK DrByte thanks

So are you saying that if the below directives are set up in httpd config in a correctly configured Apache server, it will work and provide protections and that there are no errors in what I posted below ? For an Apache 2.2.3 server? I had an apache guy tell me there was a problem with the

deny *everything*

entry as did the error logs.

Code:

<Directory "/home/webspace/www/catalog/includes/">
AllowOverride Limit Options Indexes
</Directory>

<Directory "/home/webspace/www/catalog/zc_install/">
AllowOverride Limit Options Indexes
</Directory>

deny *everything*
<FilesMatch ".*">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<FilesMatch ".*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF)$">
  Order Allow,Deny
  Allow from all
</FilesMatch>

IndexIgnore */*

DirectoryIndex index.php

<FilesMatch ".*\..*">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png|html)$)">
  Order Allow,Deny
  Allow from all
</FilesMatch>

IndexIgnore */*

[DrByte]

As I quoted earlier, the following are the appropriate changes to make to your httpd.conf file. The stuff you just mentioned is a hodge podge of several things combined, and is just going to make it necessary for you to manually update that over and over if any future additions are added to the zc-supplied .htaccess scripts.

From my earlier quote:

However, for these built-in protections to work, your web hosting server administrator MUST set the AllowOverride directive in the server's apache configuration (the server's master httpd.conf file) to "All" or at least ensure it includes these parameters: 'Limit Indexes'.

Code:

ie:    AllowOverride All

or:    AllowOverride Limit Indexes

(NOTE: You must also add "Options" if uncommenting OPTIONS directives in your .htaccess files)

[nadsab]

Ok sorry I guess I mis understood.

So all I need is this in my httpd.conf file:

Code:

ie:    AllowOverride All

or:    AllowOverride Limit Indexes

And nothing inside my apache tags for specific domains either in httpd.conf, or if set up that way I need nothing in my seperate apache config files for the specific domains a store is on?

I was placing those directives in my apache config file for the domain I am setting up my new store on...

[DrByte]

Specifically you need to adjust your httpd.conf settings so that the FilesMatch and DirectoryIndex and IndexIgnore and Options directives can be used in the .htaccess files within your domain's public_html folder/subfolders.

However you decide to do that is up to you. If you need to study how to set httpd.conf parameters, you can find official documentation on the Apache website.
If your server administrator doesn't know how to do that, then I suggest you get them to ask around in places where that's the topic of discussion, such as webhostingtalk.com

[nadsab]

OK DrByte, to make sure I am understanding you correctly and to back up a bit...do you mean that I need an .htaccess file in my webroot folder which I myself either create or copy, using the suggestions in your docs, in addition to the .htaccess files which already come with Zen Cart 1.3.9f - and edit httpd.conf accordingly to allow for such?

Or are you saying that I need to edit httpd.conf such that I just allow for the directives that you already supply in your .htaccess Zen Cart files, and that no additional .htaccess files other than what already comes with Zen Cart are needed?