Symbolic link bypasses htaccess in apache

Question

I have a protected folder in my server.

/var/www/private/
/var/www/private/.htaccess

It also has a lot of subfolders with different services.

/var/www/private/service1/
/var/www/private/service2/
/var/www/private/service3/

Now, i'd like to shorten the url of some services. I'd like to use symbolic links.

/var/www/service1 -> private/service1

Now the tests:

http://localhost/private/service1 <-- Asks for password, like i want.

http://localhost/service1 <-- Doesn't ask for password!!

Is this a general limitation of symbolic links or a misconfiguration issue? Tried on Fedora and Ubuntu with quite standard configs (i can post them at request).

score 1 · Answer 1 · answered Oct 13 '10 at 09:34

1

you probably enabled htaccess only for the target directory. you should also do the same for the symlink itself with:

<directory /var/www/symlink>
allowoverride all 
</directory>

apache does not process the directives defined for the target directory after finding the symlink in the path. anyway, I would use an alias in apache config instead of symlinking. for shortening urls, that is.

answered Oct 13 '10 at 09:34

user237419

1,653
8
8

I tried ... and no joy. – LatinSuD Oct 13 '10 at 09:54
2

i apologize, i didn't pay attention to your directory structure. your htaccess is in private, not in private/service1 so a symlink from outside private to service1 will bypass the .htaccess rules. the only fix i see for this is using an alias instead of symlink – user237419 Oct 13 '10 at 10:12

gherardo · Answer 2 · 2017-02-06T17:39:21.840

Short answer: use the apache2 config instead of the file .htaccess and protect the original directory, not the symlink (or maybe there is a way to tell "Directory" to dereference the symbolic link)

Long answer: I had a similar problem with phpmyadmin. Following the Debian guide I created a symbolic link in the document root:

/var/www/html/phpmyadmin  --> /usr/share/phpmyadmin

Then I put the directive

<Directory "/var/www/html/phpmyadmin">
   AuthType Basic
   AuthName "Restricted Content"
   AuthUserFile /etc/apache2/.htpasswd
   Require valid-user
</Directory>

whithin the /etc/apache2/sites-available/000-default.conf

It did not work. Eventually I figured out that the path to be protected was not the symlink, but the actual dir:

<Directory "/usr/share/phpmyadmin">
     AuthType Basic
     AuthName "Restricted Content"
     AuthUserFile /etc/apache2/.htpasswd
     Require valid-user
</Directory>

This one worked.

Symbolic link bypasses htaccess in apache

2 Answers2