"Hello,
I have a serious security issue on my server (running CyberPanel with OpenLiteSpeed). A file in my web root, .user.ini, is publicly downloadable. I have tried
to block it, but the server is ignoring all access control rules for it.
What I have tried:
-
I added the following block to the “Rewrite Rules” section for the virtual host in the CyberPanel UI:
1 <Files “.user.ini”>
2 Require all denied
3
After saving and restarting LiteSpeed, the file is still downloadable. -
I also tried adding a direct RewriteRule to the same section in CyberPanel:
1 RewriteEngine On
2 RewriteRule ^\.user\.ini$ - [F,L]
After saving and restarting LiteSpeed, this rule is also ignored and the file is still downloadable.
My httpd_config.conf loads the vhost configuration correctly using a configFile directive. The server is simply not obeying fundamental security directives for
this vhost.
Why would my LiteSpeed server be ignoring both and RewriteRule [F] directives? Is there a global configuration that could be overriding this?
Thank you."