I have a main domain, xyz.com, and its home folder is /home/username/public_html/
On the same server I also have a subdomain, sub.xyz.com, and its home folder is /home/username/public_html/subfolder/
I am creating a web site for the subdomain and I'm trying to do some redirects using a .htaccess file. I have placed a 404.php file in the subdomain's home directory. There is also a .htaccess file for the subdomain and a .htpassword file too. For the purpose of this test I have renamed the .htaccess file of the main domain, and the simplified version of my subdomain's .htaccess file looks like this:
ErrorDocument 404 /404.php
RewriteEngine on
RewriteRule ^\. /404.php [R=404,L]
When I write a non-existing filename, e.g. sub.xyz.com/non.existing, the address in the browser stays the same and I'm presented with the content of the 404.php file. Fine.
But when I write an existing filename, e.g. sub.xyz.com/.htpassword, the address in the browser changes to this: sub.xyz.com/home/username/public_html/subfolder/404.php, thus revealing my directory structure.
Oddly enough, the same happens when I write the non-existing filename sub.xyz.com/.htpasswords, but everything is OK for the non-existing filenames sub.xyz.com/.htpasswor & sub.xyz.com/.htpassword1
What should I do so that the behaviour would be the same for existing & non-existing files?
The address should stay the same equally for all cases or change to sub.xyz.com/404.php equally for all cases.
Since @arkascha chose not to give a straightforward answer but to hint at what should be changed, I'm going to write it down. Now that I knew exactly where the problem was, I found the answer to my question in the Apache documentation, on the page RewriteRule Flags under "Forbidden":
This example uses the "-" syntax for the rewrite target, which means that the requested URI is not modified.
So the proper .htaccess part looks like this:
ErrorDocument 404 /404.php
RewriteEngine on
RewriteRule ^\. - [R=404,L]
So this way, the URI stays the same and the user is presented with the content of the 404.php file, like I wanted.
Another important note: the example I used is a bad one, and I have moved the .htpassword file below the public_html folder, but this is useful for other files whose presence you don't want to reveal to a malicious user.
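A way to confirm that the corrected rule treats every probe from the question identically, as an added example that is not part of the original post: it requests each path without following redirects and reports any non-404 status or Location header. The BEFORE/AFTER samples are constructed, the 302 status is an assumption (the post only says the address changed), and docroot_hint is a hypothetical parameter.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Probe paths taken from the question: existing and non-existing names.
PROBES = ["/non.existing", "/.htpassword", "/.htpasswords",
          "/.htpasswor", "/.htpassword1"]

def fetch(base_url, path, timeout=5):
    """GET one path without following redirects; return (status, Location)."""
    u = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(results, docroot_hint="/home/"):
    """results maps path -> (status, location). An empty list means every
    probe got a plain 404, so existing and missing files look alike."""
    findings = []
    for path, (status, location) in sorted(results.items()):
        if status != 404:
            findings.append(f"{path}: status {status}, expected 404")
        if location:
            detail = ("leaks filesystem path" if docroot_hint in location
                      else "redirects")
            findings.append(f"{path}: Location {detail}: {location}")
    return findings

# Constructed samples (not captured traffic). BEFORE mirrors the behaviour
# described in the question; the 302 status is an assumption.
LEAK = "http://sub.xyz.com/home/username/public_html/subfolder/404.php"
BEFORE = {p: (404, None) for p in PROBES}
BEFORE["/.htpassword"] = (302, LEAK)
BEFORE["/.htpasswords"] = (302, LEAK)
AFTER = {p: (404, None) for p in PROBES}

if __name__ == "__main__":
    # Usage: python check404.py http://sub.xyz.com  (run against your own site)
    live = {p: fetch(sys.argv[1], p) for p in PROBES} if len(sys.argv) > 1 else BEFORE
    print("\n".join(audit(live)) or "uniform 404 for all probes")
```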