I want to restrict access to certain folders (includes, xml and logs for example) and so I've given them 700 permissions, and all files within them 600 permissions. Firstly, is this the right approach to restrict access?
I have a .htaccess file in my root that handles rewriting and error documents. There are two pages in the root – 403.php and 404.php – for 403 and 404 errors. And I have these rules added to my .htaccess file:
ErrorDocument 404 /404.php
ErrorDocument 403 /403.php
Now, the 404 page works just fine. The 403 page does not show when I try to access the 'includes' folder – I get the standard apache 403 error page instead, saying 'Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.'
However, when I try going to the .htaccess file (in the web root) in my browser, I get my custom 403 error page. Why is this happening?
Best Answer
Is there a .htaccess file inside the includes/ folder? And does it have an
ErrorDocument 403directive?If that one is overriding the parent one then that could cause the issue you describe.
Try putting the
ErrorDocumentdirective in your httpd.conf or vhost file.What do you see in your access and error logs for these requests ?
It's also worth triple checking that the 403 line definitely says
ErrorDocument 403 /403.phpand notErrorDocument 403 403.php. That small typo would cause all of the symptoms you described.Update after chat:
The final solution was to make the includes directory readable by the Apache user and add this to the .htaccess: