[Tutorial] How to deny access for files with certain extension or folder in OpenLiteSpeed/CyberPanel

qt

qtwrk Dec 09, 2017 #1

in apache .htaccess file , we have something like this to deny access for certain files that needs to be protected

<FilesMatch "(?i)((\\.ini|\\.log|\\.txt))">
 Require all denied
</FilesMatch>

but OpenLiteSpeed doesn’t read this.

so how do we deny access for files or folders ?

1. deny files with certain ext.

by simply added this code into your .htaccess

RewriteRule ^.*\\.(log|ini|txt)$ - [F,L,NC]

so any files with .log , .ini and .txt should be denied from access.

2. deny folder to be accessed.

add following code into the bottom of “vhost main configuration” area, like in screenshots

context /system {
  type                    NULL
  location                /home/$VH_NAME/public_html/system
  allowBrowse             0
  addDefaultCharset       off
}

explain: this context will NOT allow any access to http(s)://domain/system

original posted here by myself , and translated by myself

Ka

Kaz Feb 11, 2018 #2

what code for directory listing? i want to display file contents on may site, sample site.com/downloads

qt

qtwrk Feb 14, 2018 #3

@kaz050457 said:
what code for directory listing? i want to display file contents on may site, sample site.com/downloads

sorry didn’t see it in time , have you already figured this out ?

if not , this should help you

https://forums.cyberpanel.net/discussion/136/options-followsymlinks-ports-25-465-587#latest

Be

Bert Mar 18, 2019 #4

Trying RewriteRule ^/.*\.(log|ini|txt)$ - [F,L,NC] but it does not seem to be working, I can still view and download .ini files.

qt

qtwrk Mar 21, 2019 #5

try

^.*\.(log|ini|txt)$ - [F,L,NC]

Be

Bert Mar 25, 2019 #6

try
^.*\.(log|ini|txt)$ - [F,L,NC]

Thank you qtwrk.

L3

L3xD Apr 28, 2020 #7

Type your comment> @qtwrk said:

in apache .htaccess file , we have something like this to deny access for certain files that needs to be protected

<FilesMatch “(?i)((\.ini|\.log|\.txt))”> Require all denied

but OpenLiteSpeed doesn’t read this.

so how do we deny access for files or folders ?

deny files with certain ext.

by simply added this code into your .htaccess

RewriteRule ^.*\.(log|ini|txt)$ - [F,L,NC]

so any files with .log , .ini and .txt should be denied from access.

deny folder to be accessed.

add following code into the bottom of “vhost main configuration” area, like in screenshots

context /system { type NULL location /home/$VH_NAME/public_html/system allowBrowse 0 addDefaultCharset off}

explain: this context will NOT allow any access to http(s)://domain/system

original posted here by myself , and translated by myself

This is genius. And how to include certain IP from the global restriction of the folder? Is there an option for that?

qt

qtwrk Apr 28, 2020 #8

Have you check this ?

https://openlitespeed.org/kb/access-control/

L3

L3xD Apr 29, 2020 #9

Yes, and none of these are working. The only thing working is the vHost

ga

gasonline Mar 03, 2021 #10

I tried Acces Control and none of these are working.

There are some trick to restrict access to directory and allow access to certain IP?

fa

fan Mar 14, 2021 #11

Type your comment> @L3xD said:

Yes, and none of these are working. The only thing working is the vHost

Thanks. Kept trying (for about 1 hour) and could not believe that official documentation is piece of s**t.

qt

qtwrk Mar 14, 2021 #12

root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# echo "test" > test.txt
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# echo "test" > test.ini
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# echo "test" > test.log
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# echo "RewriteRule ^.*\\.(log|ini|txt)$ - [F,L,NC]" > .htaccess
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# systemctl restart lsws
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test.txt
HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 1227
Date: Sun, 14 Mar 2021 21:49:14 GMT
Server: LiteSpeed
Connection: Keep-Alive

root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test.log
HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 1227
Date: Sun, 14 Mar 2021 21:49:16 GMT
Server: LiteSpeed
Connection: Keep-Alive

root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test.ini
HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 1227
Date: Sun, 14 Mar 2021 21:49:20 GMT
Server: LiteSpeed
Connection: Keep-Alive

did you restart OLS after you change htaccess ?

fa

fan Mar 14, 2021 #13

@qtwrk said:
^.*\.(log|ini|txt)$ - [F,L,NC]" > .htaccess

I was talking about folders.

@qtwrk said:
did you restart OLS after you change htaccess ?

Yes, each of those 30 or 40 times I made the change, it would worked even with vhost configuration if I wouldn’t restart, right?

In this link - Access Control – OpenLiteSpeed

It mentions:

RewriteRule ^test/.*$ - [F,L]

and, while stating, that “The difference is the forward slash.”

RewriteRule ^test/.*$ - [F,L]

I can’t see the difference. Location, color and size looks the same.

qt

qtwrk Mar 14, 2021 #14

root@ubuntu-2gb-nbg1-2:/home/example.com/public_html# echo “test” > test/test.html
root@ubuntu-2gb-nbg1-2:/home/example.com/public_html# echo “RewriteRule ^test/.*$ - [F,L]” > .htaccess
root@ubuntu-2gb-nbg1-2:/home/example.com/public_html# systemctl restart lsws
root@ubuntu-2gb-nbg1-2:/home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test/test.html
HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 1227
Date: Sun, 14 Mar 2021 23:02:09 GMT
Server: LiteSpeed
Connection: Keep-Alive

works on me

now you mention it , it’s not s**t , but a typo

it should be ^/test/ vs ^test/

I mailed OLS staffs to correct it though.

fa

fan Mar 14, 2021 #15

@qtwrk said:

works on me

now you mention it , it’s not s**t , but a typo

it should be ^/test/ vs ^test/

I mailed OLS staffs to correct it though.

None of these worked for me anyway, as I mentioned already. So considering this and typo, it still smells the same.

qt

qtwrk Mar 14, 2021 #16

I just tested this and it works on me

did you put this rule at top ? , the L flag will change the result of rewrite rule based on their location in the htaccess , and forbid ones should be at top of it

fa

fan Mar 14, 2021 #17

@qtwrk said:
I just tested this and it works on me

did you put this rule at top ? , the L flag will change the result of rewrite rule based on their location in the htaccess , and forbid ones should be at top of it

Oh yes, I know this very well. Well, as long as it works with vhost configuration, I’m fine. Just lost some time. If I have further folders to secure in the future, I’ll try to investigate deeper.

qt

qtwrk Mar 14, 2021 #18

okay, maybe you can check with OLS’s rewrite log to see what exactly did it matched/rewrote

fa

fan Mar 14, 2021 #19

Maybe later. BTW, thanks for posting that vhost configuration.

qt

qtwrk Mar 14, 2021 #20

: )

Jo

Jordan Dec 01, 2022 #21

Trying to block the /vendor folder for whmcs and neither .htaccess code is working.