How to show custom page for inaccessible folders in Windows?

Asked

Viewed 484 times

11

I used ErrorDocument to configure custom error pages, but when trying to access a folder that is only accessible with high privileges, instead of showing the custom page is displaying the default Apache error page:

Página Forbidden

But the expected was something like:

pagina customizada

What I tried was this:

  • I created c:\wamp\www\denyfolderwindows
  • I removed the user Administrator, removed the user Owner and kept only the user System.

  • I created a . htaccess file inside c:\wamp\www\ with this content:

    ErrorDocument 403 "Oi 403 :)"

  • I accessed the page http://localhost/denyfolderwindows/, but instead of showing Oi 403 :) I got this result:

Forbidden

You don’t have permission to access /denyfolderwindows/ on this server.

Note that I created a folder called c:\wamp\www\denyforapache and put a. htaccess file inside it with this content:

Order deny,allow
Deny from All

After navigating to http://localhost/denyforapache/ I am shown this:

Hi 403 :)

That is, with Deny from All the custom page works, but with other users' folders from Windows (inaccessible) does not work. It is not really a problem is just curiosity of why it does not work.

The structure of the folder was like this:

c:/wamp/www/
├── .htaccess (Contem o errordocument)
├── denyfolderwindows/ (pasta do Windows bloqueada)
└── denyforapache/
    └── .htaccess (bloqueia a pasta usando a diretiva do apache)

My doubt:

How do I show pages customized instead of the page apache error pattern when I try to navigate to a folder inaccessible from Windows?

Details

Currently vhosts.conf is this way:

DocumentRoot c:/wamp/www

<Directory c:/wamp/www>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
apache windows htaccess http-status-code-403

  • The answer to this is simple. The user that Apache is running has no read permission in the directory. It’s different than denying access. To show an error message it is necessary to create a rule, which can be url rewriting.

  • @Marcosregis I do not know if I did not make myself understood, this for me is clear, what I want is to be displayed the page I set up in ErrorDocument instead of the standard apache error page.

  • Apache in Windows is usually run with your user. If this user does not have the proper permissions he will not have it either. Remember that not only the target directory has read permission, its parents also need such permission. This is checked before Apache can check what kind of answer it can give. In time, this problem is not of programming which will probably cause someone to signal.

  • @Marcosregis The problem whether it is possible or not to be theoretical induces a tool used in development, Apache, if Apache can present an error page from apache2\error\HTTP_FORBIDDEN.html.var then why not present a custom page? If apache crashes or emits a Warning then you really would be correct. But that’s not the case. So if it’s not possible, then the answer would be "not possible," but it’s not really off-topic.

  • 1

    I get your point now. The problem is that Voce seems to have changed the answer in . htaccess but since Apache cannot read the directory, you will never get the text from it. To do this, Voce needs to change Errordocument directly at httpd.conf

  • 2

    Biggest reward I’ve ever seen :-)

  • @Ricardo I also did not find any question that had such a reward :) - but I could be wrong

  • @Guilhermenascimento you could remove content from the default page by custom content ?

  • @Ricardo I believe not, because it is something internal of the apache, I even searched in the documents, but I’m not sure

  • @Guilhermenascimento unless I’ve got it wrong, just set it up in apache.conf and put the error page in a folder accessible by everyone, or even put the custom message right in the file, if it’s textual.

  • 1

    Example, straight to apache.conf: ErrorDocument 403 "Ei, aqui nao pode." You need to see if Allowoverride is allowing you to change this in htaccess as well. The Document error can be set to server config, virtual host, directory and . htaccess.

  • @Bacco can’t find such an apache.conf file, it would be httpd.conf?

  • It can be, depending on the package. If you don’t want to literal, you can put the path in htaccess. Just put it in a place where apache has access. https://httpd.apache.org/docs/2.2/mod/core.html#errordocument

  • @Bacco seems to be right, the test worked here, I will test tomorrow all right to confirm :) Thank you!

  • @Guilhermenascimento you can configure pro 403 show different pages in different folders even without htaccess, just use a <directory> for each path. There is an example in the link I put.

  • @Marcosregis Strangely recreating all the folders from www to www internal folders started working, I didn’t have to touch Apache and no configuration, I tried to check all users of the original www folder, but it looked identical to the new folder, I can only assume that Windows is somewhat of a sequel :p - Thank you!

Show 11 more comments

2 answers

11


First of all

I thought it was a little strange when you said it:

Created c: wamp www denyfolderwindows
...
I created a . htaccess file within c: wamp www myfolder ...

If it really is like this, the .htaccess who is in myfolder there is no way to affect the folder denyfolderwindows. Each of the .htaccess of a host goes to the folder where it is, and subfolders inside it. "Neighbor" folders are not affected.

The correct in a scenario like the one above would be by the .htaccess at least in c:\wamp\www\.

But assuming it’s just the wrong example, let’s go to other possibilities.


Returning to the Apache

According to the apache documentation, you can configure the directive ErrorDocument in four different contexts.:

  • config server
  • virtual host
  • directory
  • .htaccess

Since your . htaccess may not be accessible, you have the other 3 options, the server config the main context, which affects Apache as a whole. Generally apache.conf, or httpd.conf.

The Virtual Host is the context used when you serve multiple domains on the same IP. Using the Error Document inside virtual hosts you can customize different pages for each site.

If you need more granularity, with error 403 showing different pages in different subdirectories, and cannot use .htaccess, is the case of using the context directory:

<Directory /minhasubpasta/pastasecreta>
    ErrorDocument 403 /rickrolled.html
</Directory>
<Directory /minhasubpasta/filmes>
    ErrorDocument 403 "403 Access Denied. Olá amiguinho, a senha é SWORDFISH"
</Directory>


The directive Allowoverride

Regardless of permissions, so that the Error Document works on . htaccess, it is necessary to check the directive Allowoverride in httpd.conf.

She must have at least the flag FileInfo qualified, other than the .htaccess is ignored as a whole. Option All, as the name already says, it allows everything, but usually it is not what is desired in a lodging. In turn, None is very restrictive. The documentation has a better description of the options of this Directive.


File permissions

Remember that Apache will only serve the pages and directories that it can access. This also applies to configuration files, including .htaccess.

It doesn’t matter at all the file permissions of the user who is browsing the site, only those of Apache.

In many Linux distros the Apache user is usually the 48, and he has to have read access to everything he uses.

In Windows it is similar. Once you know this, in Windows security permissions you must allow Apache access to all work files. When in doubt, it is good to look, for example in the Task Manager (show all users' processes, if applicable) and notice who is the parent of the child.

In Windows, the simplest is to run it as SYSTEM, or better yet, installed as Service, so he’ll have the basic privileges to do what he needs. If it is an installation for an application in production environment, you can create a separate user for Apache (it is even the most recommended), but you have to understand the necessary file permissions, not to complicate.

In the latter case, by creating a .htaccess new, remember that it may have been created with your credentials, not the ones that Apache can use. It’s hard to get into a situation like this in normal everyday life, but it’s good to know it’s not impossible.


Peculiarities of Windows Explorer

For those who are in Windows, has another interesting detail: it is very good that the option "evil" to hide the extension types for known files is turned off, because most of the time it hinders. For example, malware "arquivotexto.exe" with an innocent icon passes through a mere document.

In the case of .htaccess can happen the same. Suddenly one thinks he has created a .htaccess, but there’s a .htaccess.txt. By the way, if you create a .htaccess directly by the Explorer and it does not complain, something is wrong.

Windows 7 simply won’t let you create one .htaccess directly by Explorer, or rename an existing file to .qualquercoisa, because he considers it an unnamed file. And it’s no use to want to rename.

The solution? There are several, how to create from scratch in your code editor and save, download one via FTP and change the content, or create via CMD:

echo # > .htaccess


Beware of Internet Explorer

And a few more browsers. It often happens that your custom error is working, but it doesn’t show up because IE detects very short error messages, and exchanges them for the internal versions of it. The solution to this is to increase the number of bytes on the page to more than 512 bytes.

  • @Guilhermenascimento a folder/file permission can prevent apache from accessing . htaccess, depends on the user account that Apache is using (and not who accesses). To avoid problems, apache should run as a service on the SYSTEM account, for example. Then I’ll see if I can work that out in my answer, I stopped at night because I was a little tired. But regardless of the question, if you need help setting up a real case, we exchange comments, as far as possible, until you solve.

  • @Guilhermenascimento but you have checked windows permissions? Who is the user owner of the file, and who can read it? To better test, copy this htaccess and rename the copy to test.txt, and see if you can see it in the browser

  • Normally the apache would not need to be elevated, just read the files. Not as a definitive solution, but add "Everyone" with reading permission on. htaccess and see if anything changes (and that test to see if how .txt it appears in the browser is cool too). How’s your httpd.conf allowoverride these days?

  • Let’s go continue this discussion in chat.

  • I deleted the other answer, it seems I found the problem :/ a very strange thing rs. Thanks for everything!!

  • 1

    even if it was a Windows issue, the . htaccess file inside the folder denyfolderwindows it contained nothing, it was an empty file. Apache probably reaches . htaccess, but can’t read it so it sends Forbidden to the denyfolderwindows/.htaccess and not to the denyfolderwindows, I don’t know if it’s clear, but I think it’s really a little bug of apache.

Show 1 more comment

3

This is a complementary answer, just to understand why the ErrorDocument not function as expected.

After a long analysis on the old directories, I realized that inside the folder denyfolderwindows there was an archive .htaccess also.

The structure was like this:

c:/wamp/www/
├── .htaccess (Contem o errordocument)
└── denyfolderwindows/ (pasta do Windows bloqueada)
    └── .htaccess (este arquivo é vazio)
└── denyforapache/
    └── .htaccess (bloqueia a pasta usando a diretiva do apache)

  • Access http://localhost/denyfolderwindows/ and there is such a file c:/wamp/denyfolderwindows/.htaccess (even if this file is empty) the custom page is not displayed.

  • If you rename the file .htaccess for .foo, being like this:

    c:/wamp/www/
├── .htaccess (Contem o errordocument)
└── denyfolderwindows/ (pasta do Windows bloqueada)
    └── .foo (este arquivo é vazio)
└── denyforapache/
    └── .htaccess (bloqueia a pasta usando a diretiva do apache)

    And remove permissions from denyfolderwindows then try to access the page http://localhost/denyfolderwindows/ is shown the expected custom page, which in my case displays the following content:

    Hi 403 :)

Completion

This is apparently an Apache conflict, as he somehow manages to notice the file .htaccess, even the folder being without any user:

Permissões de pasta do Windows

It may even be an NTFS issue (I can’t say this), but it still seems to be an Apache conflict when the file exists. htaccess inside a folder without permission, even though it is strange that Apache can know that there is a file inside the folder that has no privileges for any user.

Note I tried to rename the file to c:/wamp/denyfolderwindows/.htaccesss (with 3 letters "s") and ErrorDocument of c:/wamp/.htaccess worked by displaying the custom page, in other words the problem only occurs if there is such a file c:/wamp/denyfolderwindows/.htaccess and ends up displaying the standard Apache error page (Forbidden).

This situation of creating an inaccessible folder within the public folder is unlikely to occur on a production server, this was all just a case study to understand how the .htaccess behaves in different situations.

  • you can also try adding an external url to Errordocument, something like: "<html><head><title>NO! </title></head><body><H2><tt>Hi 403 :)</tt></H2></body></html> one detail I noticed was the use of double quotes at the beginning and did not need them at the end, I don’t know if it would influence something in your case, can also pass a page to be loaded Errordocument 403 /errors/403.php, you can still set users on htaccess see here: http://httpd.apache.org/docs/current/howto/auth.html

  • @Júniormoreira Thank you, the ErrorDocument 403 "Oi 403 :)" was a very basic example, like a Hello World, my original file is yes a valid path ErrorDocument 403 /www/403.html. But nice the quote tip is only needed in the beginning.

Browser other questions tagged apache windows htaccess http-status-code-403

You are not signed in. Login or sign up in order to post.