0

I'm running Apache, CentOS 5.5, cPanel.

I want to block the error_log files from being accessed from the web, as it shows errors that might give away data that I don't want given away.

How can I do this?

Rob
  • 2,393
  • 9
  • 33
  • 52
  • 4
    This question appears to be off-topic because it concerns the use of shared web hosting by end users or resellers, rather than the administration of web hosting. – Jenny D Jun 28 '13 at 09:22

1 Answers1

1

The answer to this is your server error_log file is not stored in the same directory tree as your webserver content files. For example, your webserver typically serves files from somewhere like /var/www, while it writes logfiles in /var/log/httpd. The configuration of the webserver is such that it could never access the logfiles and make them available on the web.

EDIT: responding to comment that logs may be accessible for the webserver to send to clients. In reviewing httpd.conf, this is certainly technically possible. If your DocumentRoot and ServerRoot point to the same filesystem tree, I suppose that you could end up being able to serve error_log to clients. Also if you use an absolute path for ErrorLog you could place it in under your DocumentRoot and again make it accessible to clients.

In either of those cases, you could then protect your error_log with a .htaccess file in the same directory, with contents like this:

<files error_log>
   order allow,deny
   deny from all
</files>

then any client that requested that file woud be denied.

Phil Hollenback
  • 14,947
  • 4
  • 35
  • 52
  • 1
    The configuration of the web server _should_ be such, but it is not necessarily. It may be that in the questioner's hosted configuration, the logs are in fact web-accessible. – mattdm Jan 16 '11 at 21:27
  • mattdm see my edit, hopefully that addresses your concern. – Phil Hollenback Jan 16 '11 at 22:15