
How can I disable htaccess in Plesk?

pintalabios

New Pleskian
Hi

I have Plesk 12.5 on CentOS 6.7 (Final)

I am using Plesk Panel

Is it possible to disable all htaccess files in a domain and configure all the "htaccess rules" ONLY from Additional Apache directives and Additional directives for HTTPS of this domain, for security?

Is it advisable to do that?

How can I set AllowOverride none in Additional Apache directives and Additional directives for HTTPS?

Thanks
 
Hi

In the file /etc/httpd/conf.d/zz010_psa_httpd.conf of the mentioned article http://kb.odin.com/en/124 I have this:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

Making changes in this file is not possible.
 
@pintalabios

To answer your question: no, it is not advisable.

If you are using .htaccess files for security purposes (note that you should do more than that), then it is "good practice" to have the possibility to specify (specific) security settings for each domain, subdomain, directory, subdirectory or even file extension types.

After all, each individual level in the domain and directory/file structure will have different characteristics, requiring custom settings, perfectly adapted to those characteristics.

There is no such thing as a "general rule" in security settings.

Regards.....
 
If it can be useful to someone, I'll write up the solution I've found so far

1) Write this code in Additional Apache directives and Additional directives for HTTPS on every domain where you want to block htaccess files

#Block htaccess files in domain.tld
<Directory /var/www/vhosts/domain.tld/httpdocs>
AllowOverride none
</Directory>

2) Write your necessary htaccess rules for the domain in Additional Apache directives and Additional directives for HTTPS
You can write <Directory <files ... directives and so on

This way all htaccess rules are centralized. Even if a hacker can upload an htaccess file to one website directory, it will be useless.

Just to avoid these things: http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html

Best....
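
One way to carry out steps 1 and 2 above on a site that already has .htaccess files, as an added example that is not part of the original post: a Python script (function names are hypothetical) that walks a docroot and returns `<Directory>` blocks carrying the same rules, ready to review and paste into Additional Apache directives. It assumes the rules can be moved verbatim, since directives allowed in .htaccess are also valid in a `<Directory>` section; the sample tree in `demo()` is constructed.

```python
# Added example: turn every .htaccess under a docroot into <Directory> blocks.
import os
import sys
import tempfile


def htaccess_to_directory_blocks(docroot):
    """Return Apache config text equivalent to the .htaccess files under docroot."""
    docroot = os.path.abspath(docroot)
    blocks = [
        "# Ignore .htaccess files everywhere below the docroot",
        f'<Directory "{docroot}">',
        "    AllowOverride None",
        "</Directory>",
    ]
    # os.walk is top-down; sorting dirnames gives a stable parent-before-child order
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()
        if ".htaccess" not in filenames:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            rules = [line.rstrip() for line in fh if line.strip()]
        if not rules:
            continue  # an empty .htaccess needs no block
        blocks.append("")
        blocks.append(f"# Migrated from {path}")
        blocks.append(f'<Directory "{dirpath}">')
        blocks.extend("    " + line for line in rules)
        blocks.append("</Directory>")
    return "\n".join(blocks) + "\n"


def demo():
    """Build a constructed sample docroot and return the generated config."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        with open(os.path.join(root, "uploads", ".htaccess"), "w") as fh:
            fh.write("# constructed sample rule\nOptions -ExecCGI\n")
        return htaccess_to_directory_blocks(root)


if __name__ == "__main__":
    # Pass the docroot (e.g. /var/www/vhosts/domain.tld/httpdocs) as the argument
    print(htaccess_to_directory_blocks(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Any .htaccess file the script reports after the migration is one that Apache no longer reads, so a file appearing there later is worth investigating.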


 
@pintalabios

I will keep it short: your solution is not a solution at all.

A small hint: your change with the AllowOverride Directive is making your installation less secure, can cause instability etc. and so on.

Another small hint: you should have a look at http://httpd.apache.org/docs/2.4/mod/core.html#allowoverride AND inspect the default httpd.conf files, by default generated by Plesk.

Furthermore, note that .htaccess files are created by external software, not by Plesk.

Finally, note that having a (hidden) file like .htaccess in a publicly visible directory, such as httpdocs, can only be viewed as the essence of a contradiction.

In short, try to prevent .htaccess files in publicly visible/accessible directories: it is "bad practice" in terms of security.

Instead, choose some decent software that does not need .htaccess and/or use Nginx as a pure proxy, in order to make .htaccess files effectively void.

Regards....
 