Protect .env file direct access from web browser

cloudrider · September 23, 2020, 9:52pm

Hi

I have been using cyberpanel from quite some time but after recent updates, I am facing a unusual problem.

I would like to disable direct access to .env file of my laravel based application. I have added below rules in my .htacess file at the end.

location = /robots.txt { access_log drops; log_not_found off; }
location = /favicon.ico { access_log drops; log_not_found off; }
location ~ /\. { access_log denied; log_not_found off; deny all; }
location ~ ~$ { access_log denied; log_not_found off; deny all; }

Disable index view

Options -Indexes

Order allow,deny Deny from all

Yet everytime I try to access the .env file by visiting Website Domain Names, Online Stores & Hosting - Domain.com

I am able to download the .env file which contains vital info which should not be available to public.

I would like to know if their is some special configuration needed for apache & litespeed here.

Hopefully @CyberPanel @usmannasir you can help out with this.

Thanks.

Numeriku · September 24, 2020, 6:22am

That does not work for OLS.

You need this. Example below.

RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|readme.html|readme.txt|license.txt|install.php|wp-config.php|php.ini|php5.ini|bb-config.php [NC]
RewriteRule .* - [F,L]

cloudrider · September 24, 2020, 1:59pm

Hi @Numeriku thanks for the reply, do I need to add this code in .htacess file.

As I have one another instance of same software hosted on cPanel with OLS & no extra configuration was done by me.

Numeriku · September 24, 2020, 3:34pm

@cloudrider you can find everything you need here for your use case.

https://openlitespeed.org/kb/access-control/

cloudrider · September 24, 2020, 3:35pm

Thanks @Numeriku let me check.