问题
I'm setting up a quick internal project in a new addon domain in cPanel. This particular one has an SSL cert installed. I was building my .htaccess up and added a <Files config.php> directive to deny from all so that my config.php file isn't accessible. I realise that storing it outside of the web root is the ideal but I can't in this case.
Normally I would expect that when going to www.domain.com/config.php in a browser that I would get Apache's default 403 Forbidden page. This is what happens on other domains on the same server. But in this case I'm being given a 404 not found error, stating:
Not Found
The requested URL /403.shtml was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
I would normally expect this if I was attempting to define custom error documents but in this case, I'm not!
The only thing that makes this domain different to all the others in the same cPanel account is the fact it has an SSL certificate. And this 404 error is the same regardless of navigating using http or https. I've tried clearing cache and still the same.
Can anyone see anything in my .htaccess below that might be causing this?
DirectoryIndex /index.php
Options -Indexes +FollowSymLinks
ServerSignature Off
# PARSE PHP IN OTHER FILES
# AddType FOR PHP AS APACHE MODULE, AddHandler FOR CGI
AddType application/x-httpd-php .ics .xml
# ATTEMPT FORCE PDF DOWNLOAD
AddType application/octet-stream .pdf
# PREVENT ACCESS TO CONFIG
<Files config.php>
order allow,deny
deny from all
</Files>
# CACHING
# http://httpd.apache.org/docs/current/mod/mod_headers.html
<FilesMatch "\.(js|css|ico|png|gif|jpg)$">
Header set Cache-Control "max-age=172800, public, must-revalidate"
#Header set Expires "Thu, 15 Apr 2011 20:00:00 GMT"
</FilesMatch>
# PREVENT ACCESS TO STATS UPDATE SCRIPT AS IT'S CLI ONLY
<Files stats_update.php>
order allow,deny
deny from all
</Files>
Redirect 302 /preview http://otherdomain.com/documents/preview
Redirect 302 /sample http://otherdomain.com/documents/preview
RewriteEngine On
# REWRITE NON-WWW TO WWW
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301]
RewriteRule ^about/?$ /index.php [L]
RewriteRule ^contact/?$ /contact.php [L]
RewriteRule ^home/?$ /home.php [L]
RewriteRule ^order/?$ /order.php [L]
# MAINTAINANCE
#RewriteCond %{REMOTE_HOST} !^123\.123\.123\.123
#RewriteCond %{REQUEST_URI} !^/maintainance\.html$
#RewriteRule ^(.*)$ /maintainance.html [R=302,L]EDIT: Could it be anything to do with the way cPanel handles primary and addon domains?
In a cPanel account you have a primary domain whose files live under public_html then you define addon domains (or subdomains) whose files live under public_html/addondomain.com/
Would the .htaccess for the primary domain at public_html/.htaccess be affecting/overriding that of addon domains at public_html/addondomain.com/.htaccess?
I know .htaccess does cascade down through directories but is that the case even above a particular domain's DocumentRoot, e.g.: in the case of this addon domain?
EDIT 2: Just for info here are the responses to both HTTP requests, bypassing any caching
root@vps [/home/username]#curl -i 'http://www.mydomain.com/config.php'
HTTP/1.1 403 Forbidden
Date: Sun, 16 Sep 2012 19:05:10 GMT
Server: Apache
Content-Length: 331
Content-Type: text/html; charset=iso-8859-1
root@vps [/home/username]# curl -i 'http://mydomain.com/config.php'
HTTP/1.1 301 Moved Permanently
Date: Sun, 16 Sep 2012 19:05:20 GMT
Server: Apache
Location: http://www.mydomain.com/403.shtml
Content-Length: 244
Content-Type: text/html; charset=iso-8859-1
You see the 2nd one gets the 301 redirect but it's redirecting to the 403.shtml. So the 403.shtml has already been injected before the rewrite to the www. happens.
回答1:
This was not reproducible on a vanilla Apache installation so I started to further interrogate cPanel. So after plenty of mucking around I have tracked down the issue. cPanel does indeed set the ErrorDocument directive for you and it's not very clever at all. Especially when it sets the ErrorDocuments to documents that are visibly identical to the Apache defaults.
It's not obvious where this happens either as the ErrorDocument cPanel screen is blank.
cPanel's httpd.conf is built from quite a few included configs and tucked away there is...
/usr/local/apache/conf/includes/errordocument.conf
...
# 403 - Forbidden
ErrorDocument 403 /403.shtmlSo there we go, that's where the 403.shtml is appearing in the request. cPanel's setting the error documents for me. To avoid the confusion of seeing the 404 on the 403 I've set my own 403 error message so at least they are consistent.
I hope this helps someone out!
回答2:
Your htaccess file isn't causing the custom error page. If there isn't any other htaccess files, the problem probably lies with cPanel, which has its own way of setting custom error pages.
来源:https://stackoverflow.com/questions/12192681/htaccess-file-deny-from-all-redirects-to-404-not-found-on-403-shtml-but-no-cust