I've blocked .htaccess files in httpd.conf file by: Require all denied
My httpd.conf:
ServerRoot "/etc/httpd" Listen 80 Include conf.modules.d/*.conf User apache Group apache <Directory /> AllowOverride none Require all denied </Directory> DocumentRoot "/var/www/html" <Directory "/var/www"> AllowOverride None # Allow open access: Require all granted </Directory> <Directory "/var/www/html"> Options -Indexes +FollowSymLinks AllowOverride None Require all granted </Directory> <IfModule dir_module> DirectoryIndex index.html </IfModule> <Files ~ "^\.?ht(access|passwd)(\.dist)?"> Require all denied </Files> IncludeOptional sites/*.conf Here is my virtualhost:
<VirtualHost *:80> ServerName example.com DocumentRoot /var/www/site/ <Location /> AuthUserFile /etc/httpd/conf/passwd AuthName "ADMIN AREA" AuthType Basic require valid-user Order allow,deny Allow from 10.0.0.0/8 satisfy any </Location> <Directory /var/www/site/> Options +FollowSymlinks -Multiviews AllowOverride all Require all granted </Directory> </VirtualHost> Now, when I use directive location to allow access only for certain IP addresses or using login and password, this addresses can access .htaccess file. How can I resolve this problem? The .htaccess cannot be viewed by anyone.
