Magento Apache configuration (app/etc/local.xml accessible warning)

Question

Just finished installing Magento on a Linux server.

When I go to the Magento "Admin Panel" I can see the following message at the top of the page.

Your web server is configured incorrectly. As a result, configuration files with sensitive information are accessible from outside. Please contact your hosting provider.

What is the most likely cause for this error message?

Thanks,

John Goche

Answer 1

@Brijmohan karadia and @Spudley

Your solution worked. I am using AWS Linux for Magento installation.

1. Go to /etc/httpd/conf/httpd.conf

2. Add following in httpd.conf.

   Options FollowSymLinks AllowOverride All

3.set permission from SSH/FTP to local.xml =>600 in the file path /app/etc/local.xml

4. sudo service httpd restart

Answer 2

I solved this problem by following these steps:

Confirm that there is an .htaccess file in the app subdirectory of the Magento installation. If the .htaccess file is missing, create a new .htaccess file in the app subdirectory that contains the following directives:

Order deny,allow
Deny from all

Confirm that file permissions are set correctly. Generally, directories should have permissions set to 755 (read, write, and execute permissions for the user, and read and execute permissions for the group and world). Files should have permissions set to 644 (read and write permissions for the user, and read permissions for the group and world).

Please change the .htaccess file permission to 644 then refresh the magento admin page.

Answer 3

Magento uses .htaccess files in various directories to deny access to the directory trees. You will find them in app, media, var, and wherever else Magento sees fit to stick them. They do various things like deny viewing (app, var), executing (media .htaccess). For these .htaccess files to work, it is really important that the following be set in either the doc root .htaccess or in the virtual server configuration.

Options FollowSymLinks
AllowOverride All

More than likely, Magento detects that the app directory .htaccess file isn't being allowed to deny network access to your app/etc/local.xml file, so all your database credentials and encryption key are visible to anyone with a web browser.

Another issue might be that your file/directory permissions are too lax.

For Magento running under FastCGI, SuPHP or LSAPI

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod 550 pear #for Magento pre 1.5
chmod 550 mage #for Magento 1.5 and up
chmod 550 cron.sh

For Magento running under DSO (mod_php)

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod o+w var var/.htaccess app/etc
chmod 550 pear #for Magento pre 1.5
chmod 550 mage #for Magento 1.5 and up
chmod 550 cron.sh
chmod -R o+w media

For the question below, the app/etc folder is supposed to have the following .htaccess file in place. Trying to read anything through the server should throw a 403 error. Your next step is to get in touch with your web hoster to find out why that file is not being honored.

Order deny,allow
Deny from all

Note: If you are using alternative http servers like nginx, you must search down all of the .htaccess files created in Magento's directory tree and recreate all the .htaccess functions used by Magento in your nginx setups so you have the same file/directory protections as a standard Apache DSO install. Same goes for Windows installations on IIS.

Answer 4

I tried all the above and none worked on our web hosting. "AllowOverride All" would not work on our vhosts.conf and as a result, "Deny from all" was being ignored.

Add this code to .htaccess and it works a charm...

##### Block access to local.xml #####
RewriteRule ^(.*)local.xml$ - [F,L]

Answer 5

Magento checks if /app/etc/local.xml is accessible (using curl). You can try it yourself in the browser to verify.

To fix this you have make sure this file is not visible anymore. How you do that depends on your webserver. Magento ships with a .htaccess to prevent the access but you might have copied the folders without the hidden files. cp does not copy them. Or apache can not access .htaccess check file permissions.

Answer 6

1.Add following in httpd.conf.

    <Directory "/var/www/html/app/etc">
        Options FollowSymLinks
        AllowOverride All
    </Directory>

1. set permission from ftp to local.xml =>600

2. sudo /etc/init.d/httpd restart

3. sudo /etc/init.d/httpd reload

Answer 7

The app/etc/local.xml file needs to be chmodded to 600 and the error will go away ;)