
[Tutorial] How to deny access for files with certain extension or folder in OpenLiteSpeed/CyberPanel

edited March 2019 in Tutorials

In an Apache .htaccess file, we have something like this to deny access to certain files that need to be protected:

<FilesMatch "(?i)((\.ini|\.log|\.txt))">
 Require all denied
</FilesMatch>

But OpenLiteSpeed doesn't read this.

So how do we deny access to files or folders?

1. Deny files with a certain extension.

Simply add this code to your .htaccess:

RewriteRule ^.*\.(log|ini|txt)$ - [F,L,NC]

So any files with .log, .ini and .txt should be denied access.

2. Deny access to a folder.

Add the following code at the bottom of the "vhost main configuration" area, like in the screenshots:

context /system {
  type                    NULL
  location                /home/$VH_NAME/public_html/system
  allowBrowse             0
  addDefaultCharset       off
}

Explanation: this context will NOT allow any access to http(s)://domain/system

Originally posted here by myself, and translated by myself :)
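
The leading-slash confusion that comes up in the comments (`^/test/` vs `^test/`) can be checked offline before touching the server. The following is an added example, not code from the original post or from OpenLiteSpeed: a small Python model of which path string a `RewriteRule` pattern is tested against in .htaccess versus vhost-level rewrite. The function names, the sample URIs and the path-stripping model (standard mod_rewrite per-directory behaviour, which the thread indicates OLS shares) are assumptions.

```python
import re

def rule_denies(pattern, request_uri, context="htaccess", htaccess_dir="/", nocase=False):
    """Return True if 'RewriteRule <pattern> - [F]' would forbid request_uri.

    context="htaccess": the directory prefix is stripped first, so the
    pattern sees a path WITHOUT a leading slash (assumed mod_rewrite model).
    context="vhost": the pattern sees the full URI path, leading slash included.
    """
    path = request_uri.split("?", 1)[0]       # RewriteRule never sees the query string
    if context == "htaccess":
        if not path.startswith(htaccess_dir):
            return False                      # outside the directory holding .htaccess
        path = path[len(htaccess_dir):]
    flags = re.IGNORECASE if nocase else 0    # the NC flag
    return re.search(pattern, path, flags) is not None

TUTORIAL_RULE = r"^.*\.(log|ini|txt)$"   # rule from the tutorial, used with [F,L,NC]
SLASH_RULE = r"^/.*\.(log|ini|txt)$"     # variant reported in the comments as not working

# Constructed sample requests, not taken from any real site
SAMPLES = ["/test.ini", "/logs/ERROR.LOG", "/robots.txt",
           "/config.ini.bak", "/index.php", "/notes.txt?download=1"]

def report(pattern, context):
    """Map each sample URI to whether the rule would answer 403."""
    return {uri: rule_denies(pattern, uri, context, nocase=True) for uri in SAMPLES}

if __name__ == "__main__":
    for name, pat in (("tutorial rule", TUTORIAL_RULE), ("leading-slash rule", SLASH_RULE)):
        for ctx in ("htaccess", "vhost"):
            print(f"{name:18} {ctx:8} {report(pat, ctx)}")
```

Two things the output makes visible: the extension rule also forbids `/robots.txt`, and a backup copy such as `config.ini.bak` is not covered because the pattern is anchored on the final extension.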

Comments

  • What code for directory listing? I want to display file contents on my site, sample site.com/downloads

  • @kaz050457 said:
    What code for directory listing? I want to display file contents on my site, sample site.com/downloads

    Sorry, didn't see it in time. Have you already figured this out?

    If not, this should help you:

    https://forums.cyberpanel.net/discussion/136/options-followsymlinks-ports-25-465-587#latest

  • Trying RewriteRule ^/.*\.(log|ini|txt)$ - [F,L,NC] but it does not seem to be working, I can still view and download .ini files.
  • try

    ^.*\.(log|ini|txt)$ - [F,L,NC]
  • qtwrk said:

    try

    ^.*\.(log|ini|txt)$ - [F,L,NC]

    Thank you qtwrk.
  • This is genius. And how to include certain IP from the global restriction of the folder? Is there an option for that?
  • Have you checked this?

    https://openlitespeed.org/kb/access-control/
  • Yes, and none of these are working. The only thing working is the vHost
  • I tried Access Control and none of these are working.

    Is there some trick to restrict access to a directory and allow access to a certain IP?
  • @L3xD said:
    > Yes, and none of these are working. The only thing working is the vHost

    Thanks. Kept trying (for about 1 hour) and could not believe that the official documentation is a piece of s**t.
    Fan of CyberPanel
  • edited March 14
    /home/example.com/public_html# echo "test" > test.txt
    /home/example.com/public_html# echo "test" > test.ini
    /home/example.com/public_html# echo "test" > test.log
    /home/example.com/public_html# echo "RewriteRule ^.*\.(log|ini|txt)$ - [F,L,NC]" > .htaccess
    /home/example.com/public_html# systemctl restart lsws
    /home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test.txt
    HTTP/1.1 403 Forbidden
    Content-Type: text/html
    Cache-Control: private, no-cache, max-age=0
    Pragma: no-cache
    Content-Length: 1227
    Date: Sun, 14 Mar 2021 21:49:14 GMT
    Server: LiteSpeed
    Connection: Keep-Alive

    /home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test.log
    HTTP/1.1 403 Forbidden
    Content-Type: text/html
    Cache-Control: private, no-cache, max-age=0
    Pragma: no-cache
    Content-Length: 1227
    Date: Sun, 14 Mar 2021 21:49:16 GMT
    Server: LiteSpeed
    Connection: Keep-Alive

    /home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test.ini
    HTTP/1.1 403 Forbidden
    Content-Type: text/html
    Cache-Control: private, no-cache, max-age=0
    Pragma: no-cache
    Content-Length: 1227
    Date: Sun, 14 Mar 2021 21:49:20 GMT
    Server: LiteSpeed
    Connection: Keep-Alive

    Did you restart OLS after you changed .htaccess?
  • > @qtwrk said:
    > ^.*\.(log|ini|txt)$ - [F,L,NC]" > .htaccess

    I was talking about folders.

    > @qtwrk said:
    > did you restart OLS after you change htaccess ?

    Yes, each of those 30 or 40 times I made the change. It would have worked even with vhost configuration if I wouldn't restart, right?

    In this link - https://openlitespeed.org/kb/access-control/

    It mentions:

    RewriteRule ^test/.*$ - [F,L]

    and, while stating, that "The difference is the forward slash."

    RewriteRule ^test/.*$ - [F,L]

    I can't see the difference. Location, color and size look the same.
    Fan of CyberPanel
  • /home/example.com/public_html# echo "test" > test/test.html
    /home/example.com/public_html# echo "RewriteRule ^test/.*$ - [F,L]" > .htaccess
    /home/example.com/public_html# systemctl restart lsws
    /home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test/test.html
    HTTP/1.1 403 Forbidden
    Content-Type: text/html
    Cache-Control: private, no-cache, max-age=0
    Pragma: no-cache
    Content-Length: 1227
    Date: Sun, 14 Mar 2021 23:02:09 GMT
    Server: LiteSpeed
    Connection: Keep-Alive





    works on me


    Now you mention it, it's not s**t, but a typo.

    It should be ^/test/ vs ^test/

    I mailed OLS staff to correct it though.
  • > @qtwrk said:
    >
    > works on me
    >
    >
    > now you mention it , it's not s**t , but a typo
    >
    > it should be ^/test/ vs ^test/
    >
    > I mailed OLS staffs to correct it though.

    None of these worked for me anyway, as I mentioned already. So considering this and typo, it still smells the same.
    Fan of CyberPanel
  • I just tested this and it works on me

    Did you put this rule at the top? The L flag will change the result of rewrite rules based on their location in the .htaccess, and forbid ones should be at the top of it.
  • > @qtwrk said:
    > I just tested this and it works on me
    >
    > did you put this rule at top ? , the L flag will change the result of rewrite rule based on their location in the htaccess , and forbid ones should be at top of it

    Oh yes, I know this very well. Well, as long as it works with vhost configuration, I'm fine. Just lost some time. If I have further folders to secure in the future, I'll try to investigate deeper.
    Fan of CyberPanel
  • Okay, maybe you can check OLS's rewrite log to see what exactly it matched/rewrote.
  • Maybe later. BTW, thanks for posting that vhost configuration.
    Fan of CyberPanel