Problems with .htaccess support.

[pixelpadre]

Not sure why I am getting this error. .htaccess files are in all directories except the main directory. And apache says deny everyone all files that start with .ht

So why am I getting this? I grabbed it from sourceforge with wget. I feel like I should wait before installing.

<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

[DrByte]

If you're referring to zc_install telling you that it discovered problems with .htaccess support, you'll find that it is explained in more detail by clicking on that message.

One of the protections that the .htaccess rules provides is to deny access to certain files that normal visitors ought not to ever be able to access. So zc_install makes an external call to attempt to access some of those normally-forbidden files using CURL to simulate a rogue visitor. When the response to that is a "200 OK" instead of a "403 Forbidden" it reports back the "Problems with .htaccess" message.

It does this by attempting to access one of the /includes/xxxxxxxx.php files. If yours is allowing access to that file, then your .htaccess rules aren't working, and you'll need to adapt your Apache configuration to allow it.

You're free to proceed with installation as long as you don't care that your server is not preventing visitors from accessing parts of the ZC file structure that they shouldn't be able to.

[pixelpadre]

Its just the main directory where the access file is missing. I unzipped .e and there is no such file in the main directory.

[Website Rob]

See if this works for you.

public_html/.htaccess

Code:

<Files ".ht*">
Deny from all
Allow from localhost
</Files>

Also, a good idea to set 444 permissions on any/all .htaccess files. You just have to remember that to edit an .htaccess file change permissions to 644.

[RodG]

Its just the main directory where the access file is missing. I unzipped .e and there is no such file in the main directory.

This is because with a default install, an .htaccess file isn't needed in the main directory (root folder). The .htaccess files in *other* folders are to prevent spiders/crawlers/hackers from accessing those folders (or certain files within those folders), but the root folder (for any site) should be 'open for all' (else there isn't really a point of running a website).

The .htaccess files themselves generally (and should always) have restricted access (IOW - 'deny from all'). The webserver itself can/will still be able to read these files, but people/bots/hackers can't.

If the *server* is unable to access the .htaccess file(s) they will be ignored. The only reason why a server would not be able to read them is if the folder or file *permissions* prevent it from doing so. It is *very* unlikely that the root folder would have unsuitable permissions else the site probably wouldn't be working at all, so problems in this regard will boil down to ownership/permissions of the .htaccess file(s) themselves.

Please keep in mind though, that the root folder doesn't need an .htaccess file (which is why none is supplied). You want the files in this folder to be readable by all, ergo, .htaccess not needed.

Hope this clarifies rather than confuses?

Cheers
RodG

[pixelpadre]

I just can't figure out why the install warned me about no htaccess. Apache is configured for default values.

Found this apache article very interesting

https://httpd.apache.org/docs/2.4/howto/htaccess.html

[pixelpadre]

So it looks like the apache 2.4 config file has allowoverides set to none, but vhost config has allowoverides set to all. So which has priority?

[RodG]

So it looks like the apache 2.4 config file has allowoverides set to none, but vhost config has allowoverides set to all. So which has priority?

The vhost configs and the apache config are basically the same config in that all directives are read/set when the server starts.

When a server is 1st set up it only knows itself (vhosts dont exist) which is fine for a VPS and typically in this scenario the "default" apache settings would need to be changed from AllowOverrides none to AllowOverrides something.

A vhost is best considered as directory settings, each vhost having its own directory and document root that is different than the main server settings. In this scenario the main server is often treated as a "catchall placeholder" and only used to display an error type response along the lines of "the vhost you have requested doesnt exist on this server". This is generally a static page and Overrides arent needed, which is why it is typical for the allowoverrides to be none... for this default directory.
The vhosts (same config files) generally do need overides, so in the directory settings for those hosts you will find the allowoverides something. This enables each vhost owner the abilty to use settings based on their needs via the .htaccess files.

In other words, the apache defualt setting and the vhost setting for the allowoveride settings isnt a matter of which takes priority because they are both equal, it is the directory(s) that determine whether allowed or not.

A curiosity worth noting at this stage is that if the main config has allowoveride none it is not possible to use the .htaccess files to override this (pretty obvious), but if the main config file (which includes the vhost settings) have an allowoverride all, then it is possible for the vhost owner to override this with an allowoverride none.

So in summary, the default apache setting (default server) and the vhost settings have the same priority. The contents of the .htaccess files can be considered as having a higher priority in that these are read/used *after* the main server/vhost configs, but only if those same main configs are set to allow it.

If you find this confusing then I'd suggest you not even worry about it because unless running your own server you have no control over the main settings (to allowoverides or not) and your hosting provider would almost certainly have set this so that at least *some* overrides are possible for your vhosts via your .htaccess files.

Cheers
RodG

[pixelpadre]

I am running my own server on Linode.

The whole discussion started because everytime I install ZC it tells me that htaccess not supported even though the vhost config file allows overides. I just wanted to clear this error during install, thats all.

[RodG]

ZC it tells me that htaccess not supported even though the vhost config file allows overides. I just wanted to clear this error during install, thats all.

Apologies, but I need to be a little pedantic here. Although the ZC message reads like "There is a problem with .htaccess support on your server" this is *not* the same as saying .htaccess is *not* supported" . The difference may be subtle, but I can assure you that .htaccess *is* supported, it is just that ZC has performed a test (for security purposes) and determined that is just isn't working for some reason.

IOW - Supported but not working.

One of the reasons for the ZC to report this message is if you don't have the supplied .htaccess file in the /includes/ folder (which AFAIK is the only test made). This can *easily* happen if uploading the files via FTP and these files remain 'hidden' (by default, any file with a name starting with a '.' is a 'hidden file on *nix systems (I dunno about Windows, but that's unimportant here), so the 1st thing to check is to see if /includes/.htaccess does actually exist.

You have told us that it doesn't exist in the main directory (doesn't need it there), but unless I missed it, you've not told us whether one exists in the /includes/ directory or not - So the solution to your problem (clear the error) could be as simple as uploading this missing file.

The allowoveride none directive will have the same effect as missing .htaccess files, but you have assured us that your vhost config allows it, so that is *not* going to be the cause of your problem. The allowoveride directive for the default server (not a vhost) doesn't even come into play. It is effectively a different 'host' entirely - and as I detailed earlier, this is typically set to 'none' because strictly speaking there is no need for it (it is better to simply set the needed directives in the main config).

Assuming the vhost allowoveride is set to 'all' and assuming the /includes/.htaccess file does actually exist, and assuming it is an unchanged copy of the .htaccess supplied by Zencart, and assuming it is readable by the server process, then you won't be having this problem. The fact that you *are* having the problem means that at least one of these assumptions is incorrect. Only you are in the position to identify which it actually is.

My money is on the /includes/.htaccess file doesn't exist (and if it doesn't, please check on the *other* ZC-supplied .htaccess files to ensure they aren't also missing), because without these files to prevent access to *restricted* folders you are opening yourself up to a bucketload of abuse)

Please don't ignore the ZC warning. You *can* complete the installation in spite of this, and even fix the problem *after* the install (assuming you remember to do so), but you really, *really* shouldn't - The ZC check ensures that all is good. Fixing it after the install means that you need to do your own manual testing to ensure it is working and the site is secured.

Cheers
RodG