Reputation: 22255
I'm trying to deny access to everything within a folder on a server (running Linux signature 4.14.117). I set chmod for that folder to 0700:
and it worked fine (by denying access.)
Although now, instead of my own 403.php error page, that is defined in my .htaccess that is located in the root, I get this when I try to access anything within that folder:
Forbidden
You don't have permission to access this resource. Server unable to read htaccess file, denying access to be safe
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
I tried adding a shorter version of .htaccess to that folder and by setting its access to 0644 but it doesn't seem to change anything. Here's what was in that .htaccess:
Redirect 301 / https://example.com/blog
# Define priority of which index file is used first
DirectoryIndex index.php index.htm index.html
# Error pages:
ErrorDocument 401 /401.php
ErrorDocument 403 /403.php
ErrorDocument 404 /404.php
ErrorDocument 500 /500.php
What's the way to display my custom 403.php page in this case?
Upvotes: 2
Views: 787
Reputation: 53543
Apache is trying to load an .htaccess file from that subdir, but your permissions have forbidden it from even looking. You could chmod 755 on the dir and then chmod 600 on all the files, so you have something like this:
0700 dir/
0600 dir/denied_file_1
0600 dir/denied_file_2
Or put in an .htaccess that denies everything:
0700 dir/
0644 dir/.htaccess
0600 dir/denied_file_1
0600 dir/denied_file_2
But if your goal simply is to outright deny all web access to a subfolder, then your best bet is always going to be moving the folder outside the web server's document root. This way, you are immune to mistakes in configuration and permissions.
[UPDATE]
Well, that folder will contain templates for my blog posts. I don't want them to be accessible (directly) via the web, but I need them to be readable from within my .php script. That was the goal.
That's fine. PHP can still read files that are outside the web root even though Apache can't. For example:
/path/to/your/dir/
/path/to/your/dir/src/ <-- put your library files here
/path/to/your/dir/public/ <-- point web server doc root here
/path/to/your/dir/public/index.php
/path/to/your/dir/templates/
/path/to/your/dir/templates/foo.template
/path/to/your/dir/templates/bar.template
As for changing perms on each file, it sounds kinda tedious and easy to miss.
Precisely why it's always better to put them outside the doc root.
Upvotes: 2
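The layout from the answer above in use, as an added example that is not part of the original answer: public/index.php reads a template from the templates/ directory that sits outside the document root, so Apache never serves those files directly. The load_template() helper, the "post" query parameter and the allowed-name pattern are assumptions made for illustration.

```php
<?php
// public/index.php (added example; directory layout taken from the answer's listing)
declare(strict_types=1);

// Assumption: templates/ is a sibling of public/, one level above the document root.
const TEMPLATE_DIR = __DIR__ . '/../templates';

/**
 * Hypothetical helper: return the contents of a named template,
 * or null when the name is not acceptable or the file cannot be read.
 */
function load_template(string $name, string $baseDir = TEMPLATE_DIR): ?string
{
    // Accept only simple names such as "foo": no dots, slashes or NUL bytes,
    // so a request value cannot walk out of the templates directory.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.template');
    if ($base === false || $path === false) {
        return null; // directory or template does not exist
    }

    // Second check after symlinks are resolved: the real path must still
    // be inside the templates directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    $contents = file_get_contents($path);
    return $contents === false ? null : $contents;
}

// "post" is an assumed query parameter, e.g. /index.php?post=foo
$post = $_GET['post'] ?? 'foo';
$template = is_string($post) ? load_template($post) : null;

if ($template === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: text/html; charset=utf-8');
echo $template; // templates are author-controlled files, not user input
```

The template files only need to be readable by the user PHP runs as; no .htaccess or per-file chmod inside the document root is involved.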