
.htaccess Configuration

Published: at 04:19 AM

This article explains the .htaccess configuration, the specific directives used, and their purpose for improving security and script handling on a server. It covers controlling access to files, restricting execution of sensitive scripts, and configuring specific script handlers like CGI.

The .htaccess file is used for configuring Apache web server settings at the directory level. This configuration file can override the global server settings to provide finer control over specific directories or virtual hosts.

.htaccess Example Configuration

<IfModule mod_suphp.c>
  suPHP_ConfigPath /home/user/public_html/website
  <Files php.ini>
    order allow,deny
    deny from all
  </Files>
</IfModule>

<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
  Order allow,deny
</FilesMatch>

AddHandler cgi-script .py .pl .cgi

Explanation of Directives

  1. <IfModule mod_suphp.c>:
    This directive checks whether the mod_suphp module is loaded. If it is, the enclosed directives take effect. In this case, suPHP_ConfigPath sets the path where PHP looks for its php.ini file to /home/user/public_html/website.

    suPHP_ConfigPath /home/user/public_html/website
    

    It is important to note that mod_suphp is used for running PHP scripts with the user’s permissions, and this directive sets a custom PHP configuration path for scripts in the specified directory.

  2. <Files php.ini>:
    This block restricts access to the php.ini file by denying all external requests. This prevents unauthorized users from viewing or downloading the configuration file, which could expose sensitive settings. Because the block sits inside <IfModule mod_suphp.c>, it takes effect only when mod_suphp is loaded.

    <Files php.ini>
      order allow,deny
      deny from all
    </Files>
    

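    The order allow,deny and deny from all directives ensure that no one can view the php.ini file from the web. Order, Allow and Deny are the Apache 2.2 access-control syntax; Apache 2.4 supports them only through mod_access_compat and replaces them with the Require directive.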

  3. <FilesMatch>:
    This directive matches files by regular expression, here mostly by extension (.engine, .inc, .info, .sql, .tpl, and so on), and restricts access to them. It protects files that should not be publicly accessible, such as configuration files, source code files, or backup files.

    <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
      Order allow,deny
    </FilesMatch>
    

    The FilesMatch directive applies to every file whose name matches the regular expression, which lists extensions and file names typically used for sensitive files. Because the block contains Order allow,deny and no Allow directive, every request for a matching file is denied.

  4. AddHandler:
    This directive associates file extensions with a specific handler. In this case, the .py, .pl, and .cgi extensions are set to be handled as CGI scripts. This is useful for allowing the server to execute these file types as scripts.

    AddHandler cgi-script .py .pl .cgi
    

    This allows Python (.py), Perl (.pl), and CGI (.cgi) scripts to be executed when requested, provided CGI execution (the ExecCGI option) is enabled for the directory.
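
To check which files the two deny blocks above actually cover, the following added example (not part of the original article) applies the article's FilesMatch regex and the <Files php.ini> rule to a constructed file listing. The function names and sample paths are assumptions; it relies on Apache applying <Files> and <FilesMatch> to a file's basename with an unanchored regex search.

```python
import posixpath
import re

# Regex copied verbatim from the FilesMatch directive in the article.
FILESMATCH = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme"
    r"|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$"
)


def denied_by(path, suphp_loaded=True):
    """Return the name of the block that denies this file, or None if it is served.

    <Files> and <FilesMatch> are applied to the basename (last path component),
    so re.search on the basename mirrors what Apache evaluates.
    """
    name = posixpath.basename(path)
    if FILESMATCH.search(name):
        return "FilesMatch"
    # <Files php.ini> sits inside <IfModule mod_suphp.c>, so the rule only
    # exists when that module is loaded.
    if name == "php.ini" and suphp_loaded:
        return "Files php.ini"
    return None


def still_served(paths, suphp_loaded=True):
    """List the paths that no deny block in this .htaccess covers."""
    return [p for p in paths if denied_by(p, suphp_loaded) is None]


# Constructed sample listing of a document root (hypothetical, not from the article).
SAMPLE = [
    "index.php", "includes/db.inc", "backup/site.sql", "backup/site.sql.gz",
    "sites/default/settings.php.bak", ".htaccess", ".git/config",
    "CVS/Entries", "themes/page.tpl.php", "scripts/deploy.sh", "php.ini",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:35} {denied_by(p) or 'SERVED'}")
    print("served without mod_suphp:", still_served(SAMPLE, suphp_loaded=False))
```

Files reported as served (compressed dumps, .bak copies, files inside dot-directories, and php.ini when mod_suphp is absent) need their own deny rule or should be kept outside the document root.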

Summary of Key Security Measures

General Usage

For more information on Apache .htaccess directives, refer to the Apache documentation.

