# Apache doesn't serve files that start with ".htaccess"



## tuaris (May 16, 2013)

I'm not sure what I am doing wrong, but I have the following files in a directory served by Apache:


```
2 -rwxrwxrwx   1 daniel  daniel    55B May 15 20:25 htaccess.bz2
2 -rwxrwxrwx   1 daniel  daniel    55B May 15 20:25 .taccess.bz2
2 -rwxrwxrwx   1 daniel  daniel    55B May 15 20:25 .htaccess1.bz2
4 -rwxrwxrwx   1 daniel  daniel    55B May 15 20:25 .htaccess.bz2
2 drwxr-xr-x  60 root    wheel    1.5k May 15 21:02 ..
2 drwxr-xr-x   2 www     www      512B May 15 21:25 .
```

Every file except htaccess.bz2 and .taccess.bz2 returns the following error when I try to download them:


```
client denied by server configuration: /usr/local/www/test/.htaccess1.bz2
```

I tried adding the following directives into the virtual host configuration:


```
AccessFileName .mysettings
<Directory "/usr/local/www/test">
    Options All Indexes FollowSymLinks    
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
<Files ".htaccess.bz2">
ForceType application/octet-stream
Header set Content-Disposition attachment
</Files>
```

The problem is still the same.  What am I doing wrong? Is it not possible to download files whose names start with .htaccess?


----------



## Anonymous (May 16, 2013)

Have a look at /usr/local/etc/apache22/httpd.conf, and locate the following section:

```
#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
```

Understand it, and think twice before you change something here.


----------



## ShelLuser (May 17, 2013)

I just want to add some weight to this by mentioning that it is an extremely bad idea to change the way Apache handles its .htaccess files; this is a recipe for disaster, because allowing this behaviour will also provide potential attackers with a lot more information on how they can bypass or abuse certain website limitations.

Worse yet: if you set up some loose permissions then there's also a reasonable chance people might be able to apply settings of their own, something you really wouldn't want to happen.


----------



## tuaris (May 17, 2013)

Thanks for putting this in.   I was afraid someone else was going to find this thread and change the Apache httpd.conf file without thinking about the potential hazards.

I totally agree that it's a bad idea.  This is only for a very specific need and is limited only to one virtual host.

For example:


```
<VirtualHost *:80>
DocumentRoot "/usr/local/www/test"
ServerName test.domain.net
AccessFileName .mysettings
<FilesMatch "^\.ht">
    Order allow,deny
    Allow from all
</FilesMatch>
</VirtualHost>
```


----------
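
Added example, not part of any post in this thread: a simplified Python model of how `<FilesMatch>` patterns select file names, run over the four names from the listing plus three constructed ones (`.htaccess`, `.htpasswd`, `.mysettings`). `NARROWED_ALLOW` is a hypothetical tighter override; the model assumes a matching allow section in the virtual host replaces the server-wide deny, as the configuration above relies on.

```python
import re

GLOBAL_DENY = r"^\.ht"   # stock httpd.conf rule quoted in the thread
VHOST_ALLOW = r"^\.ht"   # per-vhost override: re-allows every name the stock rule denies
# Hypothetical (not from the thread): re-allow only the compressed archives.
NARROWED_ALLOW = r"^\.htaccess.*\.bz2$"

# Constructed sample: the four files from the listing, two files the stock
# rule exists to protect, and the file named by "AccessFileName .mysettings".
SAMPLE = [
    "htaccess.bz2", ".taccess.bz2", ".htaccess1.bz2", ".htaccess.bz2",
    ".htaccess", ".htpasswd", ".mysettings",
]


def matches(pattern, name):
    # <FilesMatch> tests the regex against the file's base name and is
    # unanchored unless the pattern anchors itself, like re.search.
    return re.search(pattern, name) is not None


def served(names, allow_override=None):
    """Names a client could fetch under this simplified model."""
    result = []
    for name in names:
        denied = matches(GLOBAL_DENY, name)
        # Assumption: a matching allow section in the vhost wins over the
        # server-wide deny.
        if denied and allow_override and matches(allow_override, name):
            denied = False
        if not denied:
            result.append(name)
    return result


def reexposed(names, allow_override):
    """Names that were denied by default and become fetchable again."""
    before = set(served(names))
    return [n for n in served(names, allow_override) if n not in before]


if __name__ == "__main__":
    print("default rule only :", served(SAMPLE))
    print("vhost ^\\.ht allow :", reexposed(SAMPLE, VHOST_ALLOW))
    print("narrowed allow    :", reexposed(SAMPLE, NARROWED_ALLOW))
    # .mysettings is served in every case: once AccessFileName is changed,
    # the stock ^\.ht rule no longer covers the real per-directory file.
```
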



## aurora (May 20, 2013)

The usage of .htaccess files is simple and clear: to adjust server settings without having to restart the server. I sometimes use them for this purpose, and it works. Bad idea trying to use them for any other purpose.


----------

