
I have a PHP script that is run from cron to send out reminder emails. To prevent unauthorised use of this script, I have the following .htaccess file, which I converted to the Require directive after upgrading Apache from 2.2 to 2.4.

<Files "reminder.php">
    Require all denied
    Require host localhost
    Require ip 127.0.0.1
    Require ip xxx.yyy.zzz.aaa
</Files>

xxx.yyy.zzz.aaa is the address of the webserver, equivalent to localhost.

Whereas the old .htaccess file used to work, this one isn't preventing access from remote browsers. I've read and reread all the directive documentation and can't see what is wrong. Any clues? Is this the best way to protect a PHP script designed to run from cron?

The old .htaccess file was:

<Files "reminder.php">
    Order Deny,Allow
    Deny from all
    Allow from localhost
    Allow from 127.0.0.1
    Allow from xxx.yyy.zzz.aaa
</Files>
Nik Dow
  • Hope this link might help you http://stackoverflow.com/questions/11728976/how-to-deny-access-to-a-file-in-htaccess – Sanjay Kumar N S Apr 09 '15 at 09:34
  • Just move it out of the web-root directory. How are you calling the script from cron? – jeroen Apr 09 '15 at 09:38
  • The cron entry is: 30 5 * * * /home/lamp/skilodgedeploy/cronjobscript/skilodgereminder.sh and the .sh file has: wget -q http://domain.com/admin/reminder.php – Nik Dow Apr 09 '15 at 20:19
  • Thanks @SanjayKumarNS but on my Apache 2.2 server the .htaccess file (the 2nd file shown above) is working - or at least something is preventing access to reminder.php there. The .htaccess file is one directory level *above* the reminder.php file. On my Apache 2.4 server the files are in the same relative positions but the Require directives aren't having any effect. – Nik Dow Apr 09 '15 at 20:33
  • @jeroen I take your point that if the script were called directly it wouldn't need to be in webroot, but the script is part of a website and it calls other functions in that site's source code. Additionally there are about 20 copies of this code on the server (instances) and deployment is automated via a shell script, using rsync. It's a lot easier to do this if the reminder.php is contained within the Virtual Server web tree. .htaccess works on our old Apache 2.2 server by denying access to reminder.php so it should be able to work on Apache 2.4 with the Require directive. – Nik Dow Apr 09 '15 at 20:37

1 Answer


I found the problem. When I set up the 2.4 server, I explicitly used

AllowOverride None

and didn't override this in specific directories. BTW AllowOverride defaulted to All in 2.2 and defaults to None in 2.4 so without the directive I would still have had the same problem.

So replacing this with

AllowOverride All

within the <Directory> group fixed the problem. The .htaccess file is now allowed to do its job.

Nik Dow
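An added example, not part of the original answer: a simplified audit for the failure mode described above, where `AllowOverride None` on Apache 2.4 causes a `Require` block in `.htaccess` to be silently ignored. It assumes plain `<Directory "/path">` sections only (no `Include`, wildcards, `<DirectoryMatch>` or `AllowOverrideList`); the function names, paths and `SAMPLE_CONF` are constructed for illustration. It treats `AuthConfig` as sufficient because that is the override class `Require` belongs to, so `AllowOverride All` grants more than this case needs.

```python
import re

# Require's documented Override class is AuthConfig; "All" includes it.
NEEDED = {"authconfig", "all"}

# Constructed sample config; every path here is hypothetical.
SAMPLE_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www">
    AllowOverride None
</Directory>
<Directory "/var/www/site1">
    AllowOverride AuthConfig
</Directory>
"""

def effective_override(conf_text, path):
    """Return the AllowOverride tokens (lower-cased) in force for `path`."""
    sections, current = [], None          # (directory, tokens) in file order
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            current = m.group(1).strip().rstrip("/") or "/"
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current is not None:
            m = re.match(r"AllowOverride\s+(.+)", line, re.I)
            if m:
                sections.append((current, {t.lower() for t in m.group(1).split()}))
    path = path.rstrip("/") or "/"
    tokens = {"none"}                      # Apache 2.4 default when nothing is set
    # Most specific <Directory> wins; the stable sort lets a later equal-length one win.
    for directory, toks in sorted(sections, key=lambda s: len(s[0])):
        if directory == "/" or path == directory or path.startswith(directory + "/"):
            tokens = toks
    return tokens

def htaccess_require_honoured(conf_text, htaccess_dir):
    """True if a Require block in htaccess_dir/.htaccess would take effect."""
    return bool(effective_override(conf_text, htaccess_dir) & NEEDED)

if __name__ == "__main__":
    for d in ("/var/www/site1", "/var/www/site2"):
        state = "honoured" if htaccess_require_honoured(SAMPLE_CONF, d) else "IGNORED"
        print(f"{d}/.htaccess Require: {state}")
```

Pass the directory that holds the `.htaccess` file, not the directory of the protected script, since the override setting is evaluated where the file lives.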