What is the best way to deal with .htaccess files in subdirectories?

deborahjuly

What is the best way to deal with .htaccess files in subdirectories?

From what I understand, OpenLiteSpeed only reads the .htacess files in the main directory of the website.

Using the example of PrestaShop, there are several .htaccess files listed in subdirectories. From a search, these are the files I could find:

• ./translations/.htaccess
  
• ./translations/cldr/.htaccess
  
• ./themes/.htaccess
  
• ./themes/classic/config/.htaccess
  
• ./vendor/.htaccess
  
• ./vendor/tecnickcom/tcpdf/tools/.htaccess
  
• ./vendor/mrclay/minify/min/.htaccess
  
• ./vendor/mrclay/minify/min/builder/.htaccess
  
• ./vendor/prestashop/smarty/.htaccess
  
• ./cache/.htaccess
  
• ./.htaccess
  
• ./override/.htaccess
  
• ./classes/.htaccess
  
• ./mails/.htaccess
  
• ./controllers/.htaccess
  
• ./modules/.htaccess
  
• ./app/.htaccess
  
• ./upload/.htaccess
  
• ./config/.htaccess
  
• ./config/xml/.htaccess
  
• ./js/.htaccess
  
• ./admin877zpdps0/.htaccess
  
• ./admin877zpdps0/import/.htaccess
  
• ./admin877zpdps0/export/.htaccess
  
• ./admin877zpdps0/backups/.htaccess
  
• ./docs/.htaccess
  
• ./docs/csv_import/.htaccess
  
• ./src/.htaccess
  
• ./pdf/.htaccess
  
• ./tools/.htaccess
  
• ./tools/parser_sql/.htaccess
  
• ./tools/htmlpurifier/.htaccess
  
• ./tools/profiling/.htaccess
  
• ./bin/.htaccess
  
• ./download/.htaccess
  
• ./localization/.htaccess
  
• ./img/.htaccess
  

I also understand the directory option cannot be read in the main .htaccess file so I can't move everything to a single file.

I thought of the following solutions:

• Move all the file properties to Contextes within the WebAdmin panel.
  
• Use rewrite rules in the main .htaccess file for the information in the .htaccess subdirectory files
  

usmannasir

In most of these files, there are no important rules except

Order deny,allow
Deny from all

And these two directives are not read by OpenLiteSpeed, as OpenLiteSpeed has its own mechanism to deny access.

But if there are any important rules in sub-directories contexts are your best chance. If I take an example of WordPress installation in sub-directory such as "cyberpanel"

Then my context config would look like:

context /cyberpanel/ {
location /home/example.com/public_html/cyberpanel
allowBrowse 1

rewrite {
enable 1
inherit 0
RewriteFile /home/example.com/public_html/cyberpanel/.htaccess
}
addDefaultCharset off
}

And rewrite rules in WordPress sub-directory

# BEGIN WordPress

RewriteEngine On
RewriteBase /cyberpanel/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /cyberpanel/index.php [L]

# END WordPress

Coming back to Prestashop, important rules are already in doc root of PrestaShop installation, but if PrestaShop is in sub-directory you can use contexts.

But if you think there is any important .htaccess file in sub-directory with PrestaShop, you can surely use contexts.

deborahjuly

Apache Order Configuration Example

So for PrestaShop

The file /translations/.htaccess has the following rules:

Order deny,allow                                                                                                                                                      
Deny from all

My Context in the vHost Conf would be:

context /translations/ {
  location                /translations
  allowBrowse             0
  addDefaultCharset       off
}

The file /translations/cldr/.htaccess has the following rules:

Order deny,allow                                                                                                                                                      
Allow from all 

My Context in the vHost Conf would be:

context /translations/cldr/ {
  location                /translations/cldr/
  allowBrowse             1

  rewrite  {

  }
  addDefaultCharset       off

  phpIniOverride  {

  }
}   

I someone would not be able to access the translation folder in the browser but they could access the translations/cldr folder. After applying this context, when trying to access domain/translations, I am hit with a 403 error. Before, it was clearly a 404 error. Is this set up correct?

deborahjuly

More Complex Order Configuration Example

The file /themes/.htaccess has the following rules:

                                                                                                                                                 
Deny from all                                                                                                                                                         
  

The issue is OpenLiteSpeed does not recognize FilesMatch. I believe I have to use a Perl regular expression in the Static Context for the URI. Would the context look like the one below:

context exp: ^/themes/([A-Za-z0-9]+\.tpl)$ {
  location                /themes/$1
  allowBrowse             0
  addDefaultCharset       off
}

deborahjuly

Rewrite Rules in Subdirectory Example

The file /vendor/mrclay/minify/min/.htaccess has the following rules:

                                                                                                                                              
RewriteEngine on                                                                                                                                                      
                                                                                                                                                                      
# You may need RewriteBase on some servers                                                                                                                            
#RewriteBase /min                                                                                                                                                     
                                                                                                                                                                      
# rewrite URLs like "/min/f=..." to "/min/?f=..."                                                                                                                     
RewriteRule ^([bfg]=.*)  index.php?$1 [L,NE]                                                                                                                          
                                                                                                                                                           
                                                                                                                                                  
# In case AddOutputFilterByType has been added                                                                                                                        
SetEnv no-gzip                                                                                                                                                        
  

Woudl it be better to create a static context with the information or put the information in the main .htaccess file?

Example static context:

context /vendor/mrclay/minify/min/ {
  location                /vendor/mrclay/minify/min
  allowBrowse             0

  rewrite  {
    enable                1
    base                  /min
RewriteRule ^([bfg]=.*)  index.php?$1 [L,NE] 
RewriteRule . - [E=no-gzip:1]
  }
  addDefaultCharset       off
}

usmannasir

deborahjuly said:

Apache Order Configuration Example

So for PrestaShop

The file /translations/.htaccess has the following rules:

Order deny,allow                                                                                                                                                      
Deny from all

My Context in the vHost Conf would be:

context /translations/ {
  location                /translations
  allowBrowse             0
  addDefaultCharset       off
}

The file /translations/cldr/.htaccess has the following rules:

Order deny,allow                                                                                                                                                      
Allow from all 

My Context in the vHost Conf would be:

context /translations/cldr/ {
  location                /translations/cldr/
  allowBrowse             1

  rewrite  {

  }
  addDefaultCharset       off

  phpIniOverride  {

  }
}   

I someone would not be able to access the translation folder in the browser but they could access the translations/cldr folder. After applying this context, when trying to access domain/translations, I am hit with a 403 error. Before, it was clearly a 404 error. Is this set up correct?

If it says 403 then it is correctly setup as this is what you wanted (According to the rule in .htaccess)

Or something is not working as expected on your end?

usmannasir

deborahjuly said:

Rewrite Rules in Subdirectory Example

The file /vendor/mrclay/minify/min/.htaccess has the following rules:

                                                                                                                                              
RewriteEngine on                                                                                                                                                      
                                                                                                                                                                      
# You may need RewriteBase on some servers                                                                                                                            
#RewriteBase /min                                                                                                                                                     
                                                                                                                                                                      
# rewrite URLs like "/min/f=..." to "/min/?f=..."                                                                                                                     
RewriteRule ^([bfg]=.*)  index.php?$1 [L,NE]                                                                                                                          
                                                                                                                                                           
                                                                                                                                                  
# In case AddOutputFilterByType has been added                                                                                                                        
SetEnv no-gzip                                                                                                                                                        
  

Woudl it be better to create a static context with the information or put the information in the main .htaccess file?

Example static context:

context /vendor/mrclay/minify/min/ {
  location                /vendor/mrclay/minify/min
  allowBrowse             0

  rewrite  {
    enable                1
    base                  /min
RewriteRule ^([bfg]=.*)  index.php?$1 [L,NE] 
RewriteRule . - [E=no-gzip:1]
  }
  addDefaultCharset       off
}

For such things, if you can easily convert your rewrite rules then use the doc root .htaccess file, will make things less complex later.

Otherwise, you will have to go into different files later and create many other contexts.

deborahjuly

usmannasir said:

deborahjuly said:

Rewrite Rules in Subdirectory Example

The file /vendor/mrclay/minify/min/.htaccess has the following rules:

                                                                                                                                              
RewriteEngine on                                                                                                                                                      
                                                                                                                                                                      
# You may need RewriteBase on some servers                                                                                                                            
#RewriteBase /min                                                                                                                                                     
                                                                                                                                                                      
# rewrite URLs like "/min/f=..." to "/min/?f=..."                                                                                                                     
RewriteRule ^([bfg]=.*)  index.php?$1 [L,NE]                                                                                                                          
                                                                                                                                                           
                                                                                                                                                  
# In case AddOutputFilterByType has been added                                                                                                                        
SetEnv no-gzip                                                                                                                                                        
  

Woudl it be better to create a static context with the information or put the information in the main .htaccess file?

Example static context:

context /vendor/mrclay/minify/min/ {
  location                /vendor/mrclay/minify/min
  allowBrowse             0

  rewrite  {
    enable                1
    base                  /min
RewriteRule ^([bfg]=.*)  index.php?$1 [L,NE] 
RewriteRule . - [E=no-gzip:1]
  }
  addDefaultCharset       off
}

For such things, if you can easily convert your rewrite rules then use the doc root .htaccess file, will make things less complex later.

Otherwise, you will have to go into different files later and create many other contexts.

What do you mean by I would have to go into other files later and create many other contexts? Please give me an example.

usmannasir

For small example you can take a look at bottom of this article:

https://blog.cyberpanel.net/2018/04/07/how-to-write-rewrite-rules-for-openlitespeed/

Under the heading: WordPress in subdirectory

deborahjuly

Here is another example. Are these parameters important? If so, how do I put them into a context?

From the PrestaShop file /upload/.htaccess

                                                                                                                                                 
        RemoveHandler .php .phtml .php3 .php4 .php5                                                                                                                   
        RemoveType .php .phtml .php3 .php4 .php5                                                                                                                      
                                                                                                                                                           
                                                                                                                                                 
        php_flag engine off                                                                                                                                           
  

deborahjuly

MultiViews Options Question

The PrestaShop directory /admin:

                                                                                                                                          
    Options -MultiViews                                                                                                                                               

I copied the rewrite rules into a Context file but now when I visit the admin panel, I get a 500 error:

context exp: ^/admin([A-Za-z0-9]+)/ {
  location                /admin$1
  allowBrowse             1
  indexFiles              index.php

  rewrite  {
    enable                1
RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$                                                                                                                   
RewriteRule ^(.*) - [E=BASE:%1]
RewriteCond %{HTTP:Authorization} .                                                                                                                               
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^(ajax|ajax_products_list|ajax-tab|backup|cron_currency_rates)\.php - [P]                                                                             
RewriteRule ^(displayImage|drawer|footer\.inc|functions|get-file-admin)\.php - [P]                                                                                
RewriteRule ^(grider|header\.inc|init|login|password|pdf|searchcron)\.php - [P] 
RewriteCond  %{QUERY_STRING} (^|&)controller=|(^|&)tab=                                                                                                           
RewriteRule .* - [P]
RewriteCond %{REQUEST_FILENAME} -f                                                                                                                                
RewriteRule .? - [L]
RewriteRule .? %{ENV:BASE}/index.php [L]
  }
  addDefaultCharset       off
}

deborahjuly

usmannasir said:

For small example you can take a look at bottom of this article:

https://blog.cyberpanel.net/2018/04/07/how-to-write-rewrite-rules-for-openlitespeed/

Under the heading: WordPress in subdirectory

This is the original /.htaccess file from PrestaShop:

# ~~start~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again
# .htaccess automaticaly generated by PrestaShop e-commerce open-source solution
# http://www.prestashop.com - http://www.prestashop.com/forums



SetEnv HTTP_MOD_REWRITE On


RewriteEngine on


#Domain: example.com
RewriteRule . - [E=REWRITEBASE:/]
RewriteRule ^api$ api/ [L]

RewriteRule ^api/(.*)$ %{ENV:REWRITEBASE}webservice/dispatcher.php?url=$1 [QSA,L]

# AlphaImageLoader for IE and fancybox
RewriteRule ^images_ie/?([^/]+)\.(jpe?g|png|gif)$ js/jquery/plugins/fancybox/images/$1.$2 [L]


AddType application/vnd.ms-fontobject .eot
AddType font/ttf .ttf
AddType font/otf .otf
AddType application/font-woff .woff
AddType font/woff2 .woff2

  
  Header set Access-Control-Allow-Origin "*"
 


#If rewrite mod isn't enabled
ErrorDocument 404 /index.php?controller=404

# ~~end~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again

Please verify if I am on the right path based on the guide you posted:

RewriteEngine ON
RewriteRule . - [E=REWRITEBASE:/]
RewriteRule ^/api$ api/ [L]
RewriteRule ^/api/(.*)$ %{ENV:REWRITEBASE}webservice/dispatcher.php?url=$1 [QSA,L]
RewriteRule ^/images_ie/?([^/]+)\.(jpe?g|png|gif)$ js/jquery/plugins/fancybox/images/$1.$2 [L]

Some of the parameters in the original .htaccess file give errors. What do I do with the following parameters in the .httaccess file?

AddType application/vnd.ms-fontobject .eot
AddType font/ttf .ttf
AddType font/otf .otf
AddType application/font-woff .woff
AddType font/woff2 .woff2

  
  Header set Access-Control-Allow-Origin "*"
 


#If rewrite mod isn't enabled
ErrorDocument 404 /index.php?controller=404

usmannasir

Conversion is on point, please note that on v.1.6.4 (Current stable version) you have to modify your rules.

From v1.7 ( 1.7 is in RC ) onwards this conversion is not needed.

For the rest of directives that you have mentioned they are ignored by OpenLiteSpeed, but they will not cause the server to stop and they will be ignored.

You will need to use OpenLiteSpeed to set extra headers using contexts and regular expressions the same way you did earlier.

deborahjuly

usmannasir said:

For small example you can take a look at bottom of this article:

https://blog.cyberpanel.net/2018/04/07/how-to-write-rewrite-rules-for-openlitespeed/

Under the heading: WordPress in subdirectory

Here is an example of Drupal .htaccess. Does it look correct?

RewriteEngine ON

  # Set "protossl" to "s" if we were accessed via https://.  This is used later
  # if you enable "www." stripping or enforcement, in order to ensure that
  # you don't bounce between http and https.
  RewriteRule ^/ - [E=protossl]
  RewriteCond %{HTTPS} on
  RewriteRule ^/ - [E=protossl:s]

  # Make sure Authorization HTTP header is available to PHP
  # even when running as CGI or FastCGI.
  RewriteRule ^/ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

  # Block access to "hidden" directories whose names begin with a period. This
  # includes directories used by version control systems such as Subversion or
  # Git to store control files. Files whose names begin with a period, as well
  # as the control files used by CVS, are protected by the FilesMatch directive
  # above.
  #
  # NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
  # not possible to block access to entire directories from .htaccess because
  #  is not allowed here.
  #
  # If you do not have mod_rewrite installed, you should remove these
  # directories from your webroot or otherwise protect them from being
  # downloaded.
  RewriteRule "/\.|^\.(?!well-known/)" - [F]

  # If your site can be accessed both with and without the 'www.' prefix, you
  # can use one of the following settings to redirect users to your preferred
  # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
  #
  # To redirect all users to access the site WITH the 'www.' prefix,
  # (http://example.com/foo will be redirected to http://www.example.com/foo)
  # uncomment the following:
  # RewriteCond %{HTTP_HOST} .
  # RewriteCond %{HTTP_HOST} !^www\. [NC]
  # RewriteRule ^/ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  #
  # To redirect all users to access the site WITHOUT the 'www.' prefix,
  # (http://www.example.com/foo will be redirected to http://example.com/foo)
  # uncomment the following:
  # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  # RewriteRule ^/ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]

  # Modify the RewriteBase if you are using Drupal in a subdirectory or in a
  # VirtualDocumentRoot and the rewrite rules are not working properly.
  # For example if your site is at http://example.com/drupal uncomment and
  # modify the following line:
  # RewriteBase /drupal
  #
  # If your site is running in a VirtualDocumentRoot at http://example.com/,
  # uncomment the following line:
  # RewriteBase /

  # Redirect common PHP files to their new locations.
  RewriteCond %{REQUEST_URI} ^(.*)?/(install.php) [OR]
  RewriteCond %{REQUEST_URI} ^(.*)?/(rebuild.php)
  RewriteCond %{REQUEST_URI} !core
  RewriteRule ^/ %1/core/%2 [L,QSA,R=301]

  # Rewrite install.php during installation to see if mod_rewrite is working
  RewriteRule ^/core/install.php core/install.php?rewrite=ok [QSA,L]

  # Pass all requests not referring directly to files in the filesystem to
  # index.php.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^/ index.php [L]

  # For security reasons, deny access to other PHP files on public sites.
  # Note: The following URI conditions are not anchored at the start (^),
  # because Drupal may be located in a subdirectory. To further improve
  # security, you can replace '!/' with '!^/'.
  # Allow access to PHP files in /core (like authorize.php or install.php):
  RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
  # Allow access to test-specific PHP files:
  RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php
  # Allow access to Statistics module's custom front controller.
  # Copy and adapt this rule to directly execute PHP files in contributed or
  # custom modules or to run another PHP application in the same directory.
  RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
  # Deny access to any other PHP files that do not match the rules above.
  # Specifically, disallow autoload.php from being served directly.
  RewriteRule "^/(.+/.*|autoload)\.php($|/)" - [F]

  # Rules to correctly serve gzip compressed CSS and JS files.
  # Requires both mod_rewrite and mod_headers to be enabled.
    # Serve gzip compressed CSS files if they exist and the client accepts gzip.
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^/(.*)\.css $1\.css\.gz [QSA]

    # Serve gzip compressed JS files if they exist and the client accepts gzip.
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^/(.*)\.js $1\.js\.gz [QSA]

    # Serve correct content types, and prevent mod_deflate double gzip.
    RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
    RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]

deborahjuly

Here is the rest of the Drupal /.htaccess file using a Static Context based on the information I found online. Do I have the parameters set correctly?

.htaccess
Options -Indexes

Static Context
autoIndex 0

.htaccess
DirectoryIndex index.php index.html index.htm

Static Context
indexFiles index.php index.html index.htm

.htaccess
AddType image/svg+xml svg svgz

Static Context
addMIMEType image/svg+xml svg svgz

.htaccess

  php_value assert.active                   0
  php_flag session.auto_start               off
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_flag mbstring.encoding_translation    off
  # PHP 5.6 has deprecated $HTTP_RAW_POST_DATA and produces warnings if this is
  # not set.
  php_value always_populate_raw_post_data   -1

Static Context

  phpIniOverride  {
php_value assert.active                   0
php_flag session.auto_start               off
php_value mbstring.http_input             pass
php_value mbstring.http_output            pass
php_flag mbstring.encoding_translation    off
php_value always_populate_raw_post_data   -1
  }

.htaccess

  # Disable content sniffing, since it's an attack vector.
  Header always set X-Content-Type-Options nosniff
  # Disable Proxy header, since it's an attack vector.
  RequestHeader unset Proxy

Static Context

 extraHeaders            <<<END_extraHeaders
X-Content-Type-Options: nosniff
HTTP_PROXY: " "
  END_extraHeaders</code>

I currently do not understand how to set these parameters in OLS. Any assistance on them would be appreciated.

# Protect files and directories from prying eyes.

  
    Require all denied
  
  
    Order allow,deny
  


# Requires mod_expires to be enabled.

  # Enable expirations.
  ExpiresActive On

  # Cache all files for 2 weeks after access (A).
  ExpiresDefault A1209600

  
    # Do not allow PHP scripts to be cached unless they explicitly send cache
    # headers themselves. Otherwise all scripts would have to overwrite the
    # headers set by mod_expires if they want another caching behavior. This may
    # fail if an error occurs early in the bootstrap process, and it may cause
    # problems if a non-Drupal PHP file is installed in a subdirectory.
    ExpiresActive Off
  


# Set a fallback resource if mod_rewrite is not enabled. This allows Drupal to
# work without clean URLs. This requires Apache version >= 2.2.16. If Drupal is
# not accessed by the top level URL (i.e.: http://example.com/drupal/ instead of
# http://example.com/), the path to index.php will need to be adjusted.

  FallbackResource /index.php


  # Rules to correctly serve gzip compressed CSS and JS files.
  # Requires both mod_rewrite and mod_headers to be enabled.
  
    
      # Serve correct encoding type.
      Header set Content-Encoding gzip
      # Force proxies to cache gzipped & non-gzipped css/js files separately.
      Header append Vary Accept-Encoding
    
  

deborahjuly

usmannasir said:

Conversion is on point, please note that on v.1.6.4 (Current stable version) you have to modify your rules.

From v1.7 ( 1.7 is in RC ) onwards this conversion is not needed.

For the rest of directives that you have mentioned they are ignored by OpenLiteSpeed, but they will not cause the server to stop and they will be ignored.

You will need to use OpenLiteSpeed to set extra headers using contexts and regular expressions the same way you did earlier.

I was able to add the MIME types from the PrestaShop ./htaccess file to a Static Context.

.htaccess

AddType application/vnd.ms-fontobject .eot
AddType font/ttf .ttf
AddType font/otf .otf
AddType application/font-woff .woff
AddType font/woff2 .woff2

Static Context

addMIMEType             application/vnd.ms-fontobject eot, font/ttf ttf, font/otf otf, application/font-woff woff, font/woff2 woff2

I see that headers can be set, the issue I am having is the headers can only be set for certain file types rather than all files in the directory. I do not know how to create file level rules. A Static Context refers to directory level rules, correct?

.htaccess

  
  Header set Access-Control-Allow-Origin "*"
 

I am also not sure if this option is even necessary.

#If rewrite mod isn't enabled
ErrorDocument 404 /index.php?controller=404

qtwrk

just mention it here , you can also use [F] to deny access to certain type of files.

for example

RewriteRule ^/.*\.(log|ini|tpl|txt)$ - [F]