[Tutorial] How to deny access for files with certain extension or folder in OpenLiteSpeed/CyberPanel

In an Apache .htaccess file, we have something like this to deny access to certain files that need to be protected:

<FilesMatch "(?i)((\.ini|\.log|\.txt))">
 Require all denied
</FilesMatch>

But OpenLiteSpeed doesn’t read this.

So how do we deny access to files or folders?

1. Deny files with certain extensions.

Simply add this code to your .htaccess:

RewriteRule ^.*\.(log|ini|txt)$ - [F,L,NC]

So any files with .log, .ini and .txt extensions should be denied access.

2. Deny access to a folder.

Add the following code at the bottom of the “vhost main configuration” area, like in the screenshots:

context /system {
  type                    NULL
  location                /home/$VH_NAME/public_html/system
  allowBrowse             0
  addDefaultCharset       off
}

Explanation: this context will NOT allow any access to http(s)://domain/system

Originally posted here by myself, and translated by myself :)

What is the code for directory listing? I want to display file contents on my site, for example site.com/downloads

@kaz050457 said:
What is the code for directory listing? I want to display file contents on my site, for example site.com/downloads

Sorry, didn’t see it in time. Have you already figured this out?

If not, this should help you:

https://forums.cyberpanel.net/discussion/136/options-followsymlinks-ports-25-465-587#latest

Trying RewriteRule ^/.*\.(log|ini|txt)$ - [F,L,NC] but it does not seem to be working, I can still view and download .ini files.

try

^.*\.(log|ini|txt)$ - [F,L,NC]

Thank you qtwrk.

This is genius. And how to include certain IP from the global restriction of the folder? Is there an option for that?

Have you checked this?

https://openlitespeed.org/kb/access-control/

Yes, and none of these are working. The only thing working is the vHost

I tried Access Control and none of these are working.

Is there some trick to restrict access to a directory and allow access to a certain IP?

@L3xD said:

Yes, and none of these are working. The only thing working is the vHost

Thanks. Kept trying (for about 1 hour) and could not believe that the official documentation is a piece of s**t.

root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# echo "test" > test.txt
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# echo "test" > test.ini
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# echo "test" > test.log
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# echo "RewriteRule ^.*\\.(log|ini|txt)$ - [F,L,NC]" > .htaccess
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# systemctl restart lsws
root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test.txt
HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 1227
Date: Sun, 14 Mar 2021 21:49:14 GMT
Server: LiteSpeed
Connection: Keep-Alive

root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test.log
HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 1227
Date: Sun, 14 Mar 2021 21:49:16 GMT
Server: LiteSpeed
Connection: Keep-Alive

root@ubuntu-2gb-nbg1-1:/home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test.ini
HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 1227
Date: Sun, 14 Mar 2021 21:49:20 GMT
Server: LiteSpeed
Connection: Keep-Alive

Did you restart OLS after you changed the .htaccess?

@qtwrk said:
^.*\.(log|ini|txt)$ - [F,L,NC]" > .htaccess

I was talking about folders.

@qtwrk said:
Did you restart OLS after you changed the .htaccess?

Yes, each of those 30 or 40 times I made the change, it would have worked even with vhost configuration if I wouldn’t restart, right?

In this link - Access Control – OpenLiteSpeed

It mentions:

RewriteRule ^test/.*$ - [F,L]

and, while stating, that “The difference is the forward slash.”

RewriteRule ^test/.*$ - [F,L]

I can’t see the difference. Location, color and size look the same.

root@ubuntu-2gb-nbg1-2:/home/example.com/public_html# echo "test" > test/test.html
root@ubuntu-2gb-nbg1-2:/home/example.com/public_html# echo "RewriteRule ^test/.*$ - [F,L]" > .htaccess
root@ubuntu-2gb-nbg1-2:/home/example.com/public_html# systemctl restart lsws
root@ubuntu-2gb-nbg1-2:/home/example.com/public_html# curl -I -XGET --resolve example.com:80:127.0.0.1 http://example.com/test/test.html
HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 1227
Date: Sun, 14 Mar 2021 23:02:09 GMT
Server: LiteSpeed
Connection: Keep-Alive

Works for me.

Now you mention it, it’s not s**t, but a typo.

It should be ^/test/ vs ^test/

I mailed OLS staff to correct it, though.
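
An added example (not code from any poster or from OpenLiteSpeed) that models the two points argued in this thread: the extension rule from the tutorial, and why a pattern starting with `^/` behaves differently in .htaccess than at vhost level. It assumes that .htaccess patterns are tested against the path without its leading slash and vhost-level patterns against the full path; the function names and sample requests are constructed for illustration.

```python
import re

# Deny rule from the tutorial; the [NC] flag is modelled with re.IGNORECASE.
EXT_RULE = r"^.*\.(log|ini|txt)$"
# Variant with a leading slash, reported in the thread as not working in .htaccess.
SLASH_RULE = r"^/.*\.(log|ini|txt)$"


def subject(url, context):
    """Return the string a RewriteRule pattern is tested against.

    Assumption: in .htaccess the leading slash is stripped before matching;
    at vhost level the full path is used. The query string is never included.
    """
    path = url.split("?", 1)[0]
    if context == "htaccess" and path.startswith("/"):
        return path[1:]
    return path


def is_forbidden(pattern, url, context="htaccess", nocase=True):
    """True if `RewriteRule <pattern> - [F,L]` (plus NC if nocase) would return 403."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, subject(url, context), flags) is not None


def audit(pattern, urls, context="htaccess"):
    """Map each URL to 403 (rule fires) or 200 (rule does not apply)."""
    return {u: 403 if is_forbidden(pattern, u, context) else 200 for u in urls}


# Constructed sample requests, including near misses the rule does not cover.
SAMPLES = [
    "/test.ini",
    "/conf/APP.INI",          # matched only because of NC
    "/debug.log?download=1",  # query string is ignored
    "/error.log.1",           # rotated log, ends in ".1"
    "/settings.ini.bak",      # backup copy, ends in ".bak"
    "/index.php",
]

if __name__ == "__main__":
    for label, pattern, ctx in [
        (".htaccess, tutorial rule", EXT_RULE, "htaccess"),
        (".htaccess, rule with ^/", SLASH_RULE, "htaccess"),
        ("vhost, rule with ^/", SLASH_RULE, "vhost"),
    ]:
        print(label, audit(pattern, SAMPLES, ctx))
```

In the model, `error.log.1` and `settings.ini.bak` are not matched by the `$`-anchored rule, so rotated logs and backup copies need their own pattern or a location outside public_html.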

@qtwrk said:

Works for me.

Now you mention it, it’s not s**t, but a typo.

It should be ^/test/ vs ^test/

I mailed OLS staff to correct it, though.

None of these worked for me anyway, as I mentioned already. So considering this and the typo, it still smells the same.

I just tested this and it works for me.

Did you put this rule at the top? The L flag will change the result of rewrite rules based on their location in the .htaccess, and the forbid ones should be at the top of it.

@qtwrk said:
I just tested this and it works for me.

Did you put this rule at the top? The L flag will change the result of rewrite rules based on their location in the .htaccess, and the forbid ones should be at the top of it.

Oh yes, I know this very well. Well, as long as it works with vhost configuration, I’m fine. Just lost some time. If I have further folders to secure in the future, I’ll try to investigate deeper.

Okay, maybe you can check OLS’s rewrite log to see what exactly it matched/rewrote.

Maybe later. BTW, thanks for posting that vhost configuration.

: )