
How can I disable htaccess in Plesk?

pintalabios

New Pleskian
Hi

I have Plesk 12.5 on CentOS 6.7 (Final)

I am using Plesk Panel

Is it possible to disable all htaccess files in a domain and configure all the "htaccess rules" ONLY from Additional Apache directives and Additional directives for HTTPS of this domain, for security?

Is it advisable to do that?

How can I set AllowOverride none in Additional Apache directives and Additional directives for HTTPS?

Thanks
 
Hi

In the file /etc/httpd/conf.d/zz010_psa_httpd.conf of the mentioned article http://kb.odin.com/en/124 I have this:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

Making changes in this file is not possible.
 
@pintalabios

To answer your question: no, it is not advisable.

If you are using .htaccess files for security purposes (note that you should do more than that), then it is "good practice" to have the possibility to specify (specific) security settings for each domain, subdomain, directory, subdirectory or even file extension types.

After all, each individual level in the domain and directory/file structure will have different characteristics, requiring custom settings, perfectly adapted to those characteristics.

There is no such thing as a "general rule" in security settings.

Regards.....
 
If it can be useful to someone, I'll write the solution I've found so far.

1) Write this code in Additional Apache directives and Additional directives for HTTPS for every domain where you want to block htaccess files

#Block htaccess files in domain.tld
<Directory /var/www/vhosts/domain.tld/httpdocs>
AllowOverride none
</Directory>

2) Write your necessary htaccess rules for the domain in Additional Apache directives and Additional directives for HTTPS
You can write <Directory>, <Files> ... directives and so on.

This way all htaccess rules are centralized. Even if a hacker can upload an htaccess file to a website directory, it will be useless.

Just to avoid these things: http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html

Best....
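
Added example, not part of the original posts: before AllowOverride none is set as in the post above, an inventory of the existing .htaccess files and the directives they contain shows which rules would need a counterpart in the domain's Additional Apache directives. The function name htaccess_inventory and the output format are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not from the thread): inventory the .htaccess files under a
# docroot and count the directives they use, so the rules can be moved into
# the vhost configuration before AllowOverride none makes Apache ignore them.
#
# Usage: sh htaccess_inventory.sh /var/www/vhosts/domain.tld/httpdocs
#
# Output: one "FILE <path>" line per .htaccess file, then one
# "DIRECTIVE <count> <name>" line per directive name (lowercased),
# most frequent first. Backslash line continuations are not joined.
htaccess_inventory() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }

    # 1) Where the per-directory overrides live.
    find "$docroot" -type f -name .htaccess -print | sort | sed 's/^/FILE /'

    # 2) Which directives they contain.
    find "$docroot" -type f -name .htaccess -exec awk '
        { sub(/\r$/, "") }              # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }         # skip comments and blank lines
        $1 ~ /^<\// { next }            # closing tags such as </Files>
        {
            name = tolower($1)
            sub(/^</, "", name)         # "<Files" -> "files"
            sub(/>$/, "", name)         # "<IfModule>" style without arguments
            print name
        }
    ' {} + | sort | uniq -c | sort -k1,1nr -k2,2 |
        awk '{ print "DIRECTIVE", $1, $2 }'
}

# Run against the docroot given on the command line, if any.
[ $# -eq 0 ] || htaccess_inventory "$1"
```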


 
@pintalabios

I will keep it short: your solution is not a solution at all.

A small hint: your change with the AllowOverride Directive is making your installation less secure, can cause instability etc. and so on.

Another small hint: you should have a look at http://httpd.apache.org/docs/2.4/mod/core.html#allowoverride AND inspect the default httpd.conf files, by default generated by Plesk.

Furthermore, note that .htaccess files are created by external software, not by Plesk.

Finally, note that having a (hidden) file like .htaccess in a publicly visible directory, such as httpdocs, can only be viewed as the essence of a contradiction.

In short, try to prevent .htaccess files in publicly visible/accessible directories: it is "bad practice" in terms of security.

Instead, choose some decent software that does not need .htaccess and/or use Nginx as a pure proxy, in order to make .htaccess files effectively void.

Regards....
 