
I made many searches over the web regarding this issue and found nothing related to my case, as I already have the rewrite_module enabled.

I'm using (Windows - Wamp)

This is what I get in apache_error.log file:

[Tue Aug 28 08:47:14.904987 2018] [core:alert] [pid 10748:tid 1160] [client ::1:56222] C:/wamp64/www/abb/.htaccess: Expected </IfModule> before end of configuration, referer: http://nphdb.local/

I'm using OpenCart v2.2 and PHP 5.6, and below is my .htaccess:

php_value auto_prepend_file astra/astra-inc.php



# Prevent Direct Access to files
<FilesMatch "(?i)((\.tpl|\.ini|\.log|(?<!robots)\.txt))">
 Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>

# 1.To use URL Alias you need to be running apache with mod_rewrite enabled.

# 2. In your opencart directory rename htaccess.txt to .htaccess.

# For any support issues please visit: http://www.opencart.com

Options +SymLinksIfOwnerMatch

# Prevent Directory listing
Options -Indexes

# Force Apple site association file to application/json Content-Type
<Files apple-app-site-association>
     Header set Content-type "application/pkcs7-mime"
     #AddType application/pkcs7-mime .
</Files>



# https://www.cyberciti.biz/tips/the-rise-of-bots-spammers-crack-attacks-and-libwww-perl.html
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

# SEO URL Settings
RewriteEngine On
# If your opencart installation does not run in the main web folder, set RewriteBase to the folder it does run in, i.e. / becomes /shop/

RewriteBase /
## force HTTPS and www. if any of them are not already present
RewriteCond %{HTTP_HOST} (?!^www\.)^(.+)$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^http://nphdb.local%{REQUEST_URI} [R=301,L]
RewriteRule ^sitemap\.xml$ index.php?route=feed/google_sitemap [L]
RewriteRule ^sitemap_ar\.xml$ index.php?route=feed/google_sitemap&lang=4 [L]
RewriteRule ^sitemap_image\.xml$ index.php?route=feed/google_image_sitemap [L]
RewriteRule ^sitemap_image_ar\.xml$ index.php?route=feed/google_image_sitemap&lang=4 [L]
RewriteRule ^googlebase.xml$ index.php?route=feed/google_base [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]

RewriteRule ^system/download/(.*) index.php?route=error/not_found [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]

### Additional Settings that may need to be enabled for some servers
### Uncomment the commands by removing the # sign in front of it.
### If you get an "Internal Server Error 500" after enabling any of the following settings, restore the # as this means your host doesn't allow that.

# 1. If your cart only allows you to add one item at a time, it is possible register_globals is on. This may work to disable it:
# php_flag register_globals off

# 2. If your cart has magic quotes enabled, This may work to disable it:
# php_flag magic_quotes_gpc Off

# 3. Set max upload file size. Most hosts will limit this and not allow it to be overridden but you can try
# php_value upload_max_filesize 999M

# 4. set max post size. uncomment this line if you have a lot of product options or are getting errors where forms are not saving all fields
# php_value post_max_size 999M

# 5. set max time script can take. uncomment this line if you have a lot of product options or are getting errors where forms are not saving all fields
# php_value max_execution_time 200

# 6. set max time for input to be received. Uncomment this line if you have a lot of product options or are getting errors where forms are not saving all fields
# php_value max_input_time 200

# 7. disable open_basedir limitations
# php_admin_value open_basedir none
## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>

php_value session.cookie_domain .nphdb.local

# Hide a specific file
<Files .env>
    Order allow,deny
    Deny from all
</Files>

#  Gzip compress assets files
<IfModule mod_deflate.c>
    # Compress HTML, CSS, JavaScript, text, XML and fonts
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml

    # Work around browser bugs (only for really old browsers)
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    Header append Vary User-Agent

    <filesMatch "\.(js|css|jpg|png)$">
        SetOutputFilter DEFLATE
    </filesMatch>
</IfModule>

<FilesMatch (\.php$|\.php56$)>
   SetHandler fcgid-script
</FilesMatch>


# To prevent script injections and attempts to modify your PHP’s global and request variables(neo)
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
</IfModule>

# (last line means visitor is redirected to index with Forbidden message ([F)) (neo)

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]


#  SQL Injection Protection (neo)
RewriteEngine On
RewriteRule ^.*EXEC\(@.*$        - [R=404,L,NC]
RewriteRule ^.*CAST\(.*$         - [R=404,L,NC] 
RewriteRule ^.*DECLARE.*$        - [R=404,L,NC]  
RewriteRule ^.*DECLARE%20.*$     - [R=404,L,NC]
RewriteRule ^.*NVARCHAR.*$       - [R=404,L,NC]  
RewriteRule ^.*sp_password.*$    - [R=404,L,NC]
RewriteRule ^.*%20xp_.*$         - [R=404,L,NC]

## Block MySQL injections, RFI, base64, etc.(neo)
RewriteEngine On
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]

# File injection protection, by (neo)
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]

# X-XSS-Protection , X-Security Header to help protect against XSS (neo)
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

# Protect against page-framing and click-jacking, X-Frame-Options (neo)
<IfModule mod_headers.c>
    Header always append X-Frame-Options SAMEORIGIN
</IfModule>

# Protect against content-sniffing, X-Content-Type nosniff (neo)
<IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
</IfModule>

#Combine all three X-Security Headers, Extra Security Headers (neo)
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
</IfModule>



# Prevent from Clickjacking attack
Header set X-Frame-Options DENY

<ifModule mod_headers.c>

# Security improvements
Header unset Server

#Header unset X-Pingback
Header unset Accept-Ranges

#hacker fix (neo)
<ifModule mod_headers.c>
SetEnvIfNoCase ^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</ifModule>


<IfModule mod_rewrite.c>
# Enable rewrite engine
RewriteEngine On

# Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]

# Block WP timthumb hack
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]

# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

# PHP-CGI Vulnerability
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC,OR]

#proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]

RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]

</IfModule>


<IfModule php5_module>
php_flag session.cookie_httponly on
</IfModule>

When I comment out this block, the website works:

<FilesMatch (\.php$|\.php56$)>

SetHandler fcgid-script

although I enabled deflate_module and filter_module.

!! UPDATE !!

Now, after enabling the above modules, when I uncomment the lines below, the browser forces a download automatically.

<FilesMatch (\.php$|\.php56$)>
    SetHandler fcgid-script
</FilesMatch>

Thanks in advance.

Hazem Taha
  • That's a long htaccess. Have you tried commenting out parts of the htaccess to narrow down the issue? Have you checked the server's error log to see if you get any clues? – M. Eriksson Aug 28 '18 at 05:35
  • 500 is an internal server error. Look into the error log file of your Apache for more information. – Jens Aug 28 '18 at 05:36
  • For the regular expressions, would you not need to escape the //'s with a \ to look like \/\/? – Al.UrBasebelon Tomeh Aug 28 '18 at 05:39
  • @Al.UrBasebelonTomeh - You don't need to do that in rewrite-rules since they don't use `/` as delimiter. https://stackoverflow.com/questions/3591452/do-you-have-to-escape-a-forward-slash-when-using-mod-rewrite – M. Eriksson Aug 28 '18 at 05:42
  • @MagnusEriksson Ah, thanks! – Al.UrBasebelon Tomeh Aug 28 '18 at 05:43
  • This is what I get in apache_error.log: [core:alert] [pid 10748:tid 1160] [client ::1:56222] C:/wamp64/www/abb/.htaccess: Expected </IfModule> before end of configuration, referer: http://nphdb.local/ – Hazem Taha Aug 28 '18 at 05:50
  • Before the `<ifModule mod_headers.c>` on line 255, add a `</IfModule>`. Or better yet, remove that `<ifModule mod_headers.c>` on 255 since you're already inside an identical block. – M. Eriksson Aug 28 '18 at 05:58
  • @MagnusEriksson Unfortunately it did not work. Thanks bro – Hazem Taha Aug 28 '18 at 06:04
  • Check your error log again, the file could contain more than one error – M. Eriksson Aug 28 '18 at 06:17
  • No more errors in your error log? Btw, I always get scared when there are rules in the htaccess for preventing SQL injections. That should be the application's responsibility, not the web server's. If that needs to be there, you're doing something wrong. – M. Eriksson Aug 28 '18 at 07:04
  • @MagnusEriksson Please find the updates in my Q. Thanks – Hazem Taha Aug 28 '18 at 07:09
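A small checker, added here as an example and not part of the question or either answer, that does the bookkeeping M. Eriksson's comments describe: it walks an .htaccess and reports any container directive still open at end of file (which is what Apache turns into `Expected </IfModule> before end of configuration`) and any close tag that does not match the innermost open one. `httpd -t` validates httpd.conf but not per-directory .htaccess files, which are only parsed at request time, so this is the check to run before reloading; the sample text is constructed to mirror the nested `<ifModule mod_headers.c>` blocks in the question.

```python
import re
import sys
from typing import List, Tuple

# Apache container directives open with <Name ...> and close with </Name>; names
# match case-insensitively, so <ifModule> ... </IfModule> pairs, but one-to-one.
OPEN_RE = re.compile(r"^\s*<([A-Za-z]+)\b[^>]*>\s*$")
CLOSE_RE = re.compile(r"^\s*</([A-Za-z]+)\s*>\s*$")

# Constructed sample (not the question's file) mirroring its structure: an outer
# <ifModule mod_headers.c> is opened, an identical container is opened and
# closed inside it, and the outer one is never closed.
SAMPLE = """\
<IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
</IfModule>
<ifModule mod_headers.c>
# Security improvements
Header unset Server
<ifModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
</ifModule>
<IfModule php5_module>
php_flag session.cookie_httponly on
</IfModule>
"""


def check_containers(text: str) -> List[str]:
    """Return problems with container nesting; an empty list means balanced."""
    stack: List[Tuple[str, str, int]] = []  # (lowercased name, name as written, line)
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no structure
        close = CLOSE_RE.match(line)
        if close:
            name = close.group(1)
            if not stack:
                problems.append(f"line {lineno}: </{name}> without an open tag")
            elif stack[-1][0] != name.lower():
                _, open_name, open_line = stack.pop()  # treated as closing the innermost
                problems.append(f"line {lineno}: </{name}> closes <{open_name}> opened on line {open_line}")
            else:
                stack.pop()
            continue
        opener = OPEN_RE.match(line)
        if opener:
            stack.append((opener.group(1).lower(), opener.group(1), lineno))
    # Anything still open at EOF is what Apache reports as "Expected </X> before end of configuration".
    for _, open_name, open_line in reversed(stack):
        problems.append(f"end of file: <{open_name}> opened on line {open_line} was never closed")
    return problems


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for problem in check_containers(source) or ["no container problems found"]:
        print(problem)
```

Run it with the path to an .htaccess as the only argument, or with no argument to check the constructed sample.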

2 Answers


Use this in the .htaccess file:

RewriteEngine on
RewriteCond $1 !^(index\.php|resources|robots\.txt)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]

Enable rewrite mode using the command below:

a2enmod rewrite

Edit the file /etc/apache2/sites-enabled/000-default

and change AllowOverride None to AllowOverride All.

Change /etc/apache2/apache2.conf from

 <Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
 </Directory>

to

 <Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
 </Directory>

Finally, do this:

 sudo service apache2 restart

If you do not want to change your htaccess, just follow the rest of the steps to solve this.

vishal melwani
  • Where is the 000-default file in a wamp env? – Hazem Taha Aug 28 '18 at 06:28
  • 1. The OP most likely already has `AllowOverride All`, or the htaccess file wouldn't even have been loaded and the OP wouldn't have gotten any errors. 2. Don't suggest turning on `Indexes`. That lets people browse folders under your document root if they don't contain an index file. 3. Your proposed rewrite conditions aren't for opencart (they redirect to `index.php?_route_=$1` and not `index.php/$1`). – M. Eriksson Aug 28 '18 at 07:02
  • Can you tell me which operating system you are using? – vishal melwani Aug 28 '18 at 07:06
  • Windows - Wamp @vishalmelwani – Hazem Taha Aug 28 '18 at 07:11
  • Windows may not have such a file to be set, as it has some automatic setup. So I suggest you change your question to be more specific about Windows. – vishal melwani Aug 28 '18 at 07:15
  • Have you gone through this link I suggested to you: https://stackoverflow.com/a/12868024/5594477 – vishal melwani Aug 28 '18 at 07:25

Best and simple. It works for me and I use it in every project.

If there is any problem, please comment first. Thank you

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
Mhrishad
  • Have you used this htaccess with Opencart? Different applications have different needs. For example, Opencart don't redirect to `index.php/$1`, they redirect to `index.php?_route_=$1`. They also have some other rules in there so a generic htaccess doesn't always work. – M. Eriksson Aug 28 '18 at 07:10
  • On the other hand, I use this also: `RewriteEngine on #RewriteBase / RewriteCond $1 !^(index\.php|images|admin|robots\.txt) RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond $1 !^(index\.php|images|admin|robots\.txt) RewriteRule .* index.php/$0 [PT,L]` – Mhrishad Aug 28 '18 at 07:11
  • @MAHABUBHOSSAINRISHAD What about the other rules in the .htaccess? – Hazem Taha Aug 28 '18 at 07:12
  • Many of those I know. If I'm wrong please correct me, brother: Redirect all Non-primary URLs to Primary URL (https), Redirect all Non-primary URLs to Primary URL (non-https), Creating a Vanity URL, Forcing https with SSL – Mhrishad Aug 28 '18 at 07:15