Problem with htaccess inside of downloads folder

[Feznizzle]

Hi,

Our host recently "upgraded" our server. This involved some sort of "in-place migration", meaning the IPs attached to our VPS did not change. However, certain problems have cropped up.

Many of our product pages link to pdf's contained in the store's download folder. But if a link is clicked on, instead of seeing a pdf an error occurs:
Internal Server Error 500

The problem has been tracked to the htaccess in the downloads folder. When it is removed, the links work fine. However, that leaves the folder vulnerable.

Here is the code from the htaccess:

Code:

#
# @copyright Copyright 2003-2011 Zen Cart Development Team
# @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
# @version $Id: .htaccess 18695 2011-05-04 05:24:19Z drbyte $
#

AuthType Basic
AuthName "No access"
AuthUserFile .htnopasswd
AuthGroupFile /dev/null
#Require valid-user


###############################
#
# This is used with Apache WebServers
#
# The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions
# It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
# Will also prevent people from seeing what is in the dir. and any sub-directories
#
# For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file.
# Additionally, if you want the added protection offered by the OPTIONS directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified. 
# Example:
#<Directory "/usr/local/apache/htdocs">
#  AllowOverride Limit Options Indexes
#</Directory>
###############################

# deny *everything*
<FilesMatch ".*">
  Order Allow,Deny
  Deny from all
</FilesMatch>

# but now allow just *certain* necessary files:
<FilesMatch ".*\.(zip|ZIP|gzip|pdf|PDF|mp3|MP3|swf|SWF|wma|WMA|wmv|WMV|wav|epub)$">
  Order Allow,Deny
  Allow from all
</FilesMatch>

<IfModule mod_headers.c>
  <FilesMatch ".*\.(zip|ZIP|pdf|PDF|mp3|MP3|swf|SWF|wma|WMA|wmv|WMV|wav|epub)$">
    # tell all downloads to automatically be treated as "save as" instead of launching in an application directly
    # ALERT: ForceType requires Apache2 or later. If using older version of Apache, it will need mod_mime installed. Or just comment out the ForceType line below
    # (to disable, just comment the next 2 lines by adding a '#' at the beginning of each):
    # ForceType application/octet-stream
    # Header set Content-Disposition attachment
  </FilesMatch>
</IfModule>

IndexIgnore */*


## NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use OPTIONS):
# OPTIONS -Indexes -ExecCGI

Is there something wrong with that?

Or is there some service on the VPS (apache) that needs to be enabled?

Huge thanks in advance for your thoughts!

~Mike

[mc12345678]

Perhaps could also identify the server information made available through the admin->Version link? (assuming it offers information about the host computer). Seem to recall that there was some differences needed in the htaccess based on the version of the host computer's software. It had to do with resequencing the order and deny lines or something similar.

[Feznizzle]

Here are the headlines:

Server OS: Linux 2.6.32-042stab120.19
Database: MySQL 5.5.54-cll
Server Date: 04/20/2017 16:27:55
Database Date: 04/20/2017 16:27:55
Server Up Time: 16:27:55 up 8 days, 23:38, 1 user, load average: 0.00, 0.02, 0.00
HTTP Server: Apache
PHP Version: 5.3.29 (Zend: 2.3.0)
PHP Memory Limit: 128M
PHP Safe Mode: Off
PHP File Uploads: On
Max Size: 64M POST Max Size: 8M
Database Data Size: 64,558 kB
Database Index Size: 3,077 kB
Database Host: localhost

Is there anything else, in particular, I can provide?

[Website Rob]

But if a link is clicked on, instead of seeing a pdf an error occurs: Internal Server Error 500

What does your Apache error log (located within your Hosting Control Panel) state about the error? It should tell you "why" it is a 500 error.

[Feznizzle]

Not much, found this:
[21/Apr/2017:10:58:21 -0400] "GET /download/cleaned/glowcore_cored_wire_tds.pdf HTTP/1.1" 404 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

[Feznizzle]

Received this from host support:

"Is it possible that some service that was available on the previous version didn't get enabled on the new?"
^^^ If there were any major things that couldn't be moved over due to older PHP/MySQL/etc. versions no longer being supported, the upgrade ticket would have detailed those, so that you were aware of the changes. I don't see any mention of that in that upgrade ticket, however.

Also, newer versions of WHM also deprecate/remove support for older things, and that may have happened here, if the WHM version was raised as well. I do see you're still on PHP 5.3 - it's also possible something in that (module-wise) wasn't brought over due to 64-bit switch and that being an older PHP version. You may want to consider trying to go to a newer PHP version (even just incrementally, for testing) to see if that helps. You can also look into EasyApache 4, which offers multiple PHP versions on same server, so you can set your testing site to, say, the latest version while your site stays on something much older.

Without the original server to compare to though, it's hard to say exactly what is different.

[Feznizzle]

In case anybody stumbles in here with the same problem, this solved it for me:
https://www.zen-cart.com/showthread....ion-directives

[DrByte]

Summary: your host upgraded to a newer Apache version, and left out the compatibility module to allow use of old-style auth directives.

[Feznizzle]

That would definitely seem to be the case. I will ask them to patch.

Any chance you could help me to phrase my request? What, specifically, should I ask them?

[DrByte]

mod_access_compat
https://httpd.apache.org/docs/curren...ss_compat.html