
Understand default .htaccess file configuration

NOTE: The Approach A sections referred to below do not apply to Bitnami native installers. Users of Bitnami native installers should refer only to the Approach B sections.

One of our main goals is to configure Bitnami applications in the most secure way. For this reason, the configuration in the .htaccess files has been moved to the main application configuration files, and the AllowOverride option is set to None by default, if supported by the application.

NOTE: The Apache Software Foundation also recommends this configuration. To quote: “For security and performance reasons, do not set AllowOverride to anything other than None in your <Directory "/"> block. Instead, find (or create) the block that refers to the directory where you’re actually planning to place a .htaccess file.”

Approach A: Bitnami installations using system packages

Understand .htaccess files

If the application supports using .htaccess files from custom locations, the contents of this file can be found in the installdir/apache2/conf/vhosts/htaccess/APPNAME-htaccess.conf file. For example:

  • The installdir/apache2/conf/vhosts/APPNAME-vhost.conf file is the main application configuration file. It also sources the APPNAME-htaccess.conf file.

      <VirtualHost 127.0.0.1:80 _default_:80>
        ServerAlias *
        DocumentRoot installdir/APPNAME
        <Directory "installdir/APPNAME">
          Options -Indexes +FollowSymLinks -MultiViews
          AllowOverride All
          Require all granted
        </Directory>
        Include "installdir/apache2/conf/vhosts/htaccess/APPNAME-htaccess.conf"
      </VirtualHost>
    
  • The installdir/apache2/conf/vhosts/htaccess/APPNAME-htaccess.conf file ships the content of all .htaccess files required by the application. It typically looks like this:

      <Directory "installdir/APPNAME/cache">
        Deny from all
      </Directory>
      <Directory "installdir/APPNAME/images">
        # Protect against bug 28235
        <IfModule rewrite_module>
          RewriteEngine On
          RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase]
          RewriteRule . - [forbidden]
        </IfModule>
      </Directory>
      <Directory "installdir/APPNAME/includes">
        Deny from all
      </Directory>
      <Directory "installdir/APPNAME/languages">
        Deny from all
      </Directory>
      <Directory "installdir/APPNAME/maintenance">
        Deny from all
      </Directory>
      <Directory "installdir/APPNAME/maintenance/archives">
        Deny from all
      </Directory>
      <Directory "installdir/APPNAME/serialized">
        Deny from all
      </Directory>
    

    If the application does not support this, the .htaccess file can be found at installdir/APPNAME/.htaccess.

  • Some applications do not have the installdir/apache2/conf/vhosts/htaccess/APPNAME-htaccess.conf file. For these cases, the file must be created manually.

Add a new section in the .htaccess file when installing a plugin

Some plugins, during their installation, create a .htaccess file, in either the installdir/APPNAME/ or the installdir/apps/APPNAME/plugins/ directory, that cannot be read by Apache. For that reason, we recommend moving the content of that file to the installdir/apache2/conf/vhosts/htaccess/APPNAME-htaccess.conf file. Follow these steps:

  • Add a new entry in the installdir/apache2/conf/vhosts/htaccess/APPNAME-htaccess.conf file that specifies the path where the .htaccess file is located (installdir/APPNAME/ or installdir/htdocs//plugins/), and paste the content of that file inside it.

    NOTE: CONTENT is a placeholder. Replace it with the content of the installdir/APPNAME/.htaccess file created by the plugin.

      ...
      <Directory "installdir/APPNAME">
      CONTENT
      </Directory>
    
  • Restart Apache to make the changes take effect:

      $ sudo installdir/ctlscript.sh restart apache
    

Approach B: Self-contained Bitnami installations

Understand .htaccess files

If the application supports using .htaccess files from custom locations, the contents of this file can be found in the installdir/apps/APPNAME/conf/htaccess.conf file. For example:

  • The installdir/apps/APPNAME/conf/httpd-app.conf file is the main application configuration file. It also sources the htaccess.conf file.

      <Directory "installdir/apps/APPNAME/htdocs">
          Options +MultiViews
          AllowOverride None
          <IfVersion < 2.3 >
          Order allow,deny
          Allow from all
          </IfVersion>
          <IfVersion >= 2.3>
          Require all granted
          </IfVersion>
      </Directory>
      Include "installdir/apps/APPNAME/conf/htaccess.conf"
    
  • The installdir/apps/APPNAME/conf/htaccess.conf file ships the content of all .htaccess files required by the application. It typically looks like this:

      <Directory installdir/apps/APPNAME/htdocs/cache>
        Deny from all
      </Directory>
      <Directory installdir/apps/APPNAME/htdocs/images>
        # Protect against bug 28235
        <IfModule rewrite_module>
          RewriteEngine On
          RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase]
          RewriteRule . - [forbidden]
        </IfModule>
      </Directory>
      <Directory installdir/apps/APPNAME/htdocs/includes>
        Deny from all
      </Directory>
      <Directory installdir/apps/APPNAME/htdocs/languages>
        Deny from all
      </Directory>
      <Directory installdir/apps/APPNAME/htdocs/maintenance>
        Deny from all
      </Directory>
      <Directory installdir/apps/APPNAME/htdocs/maintenance/archives>
        Deny from all
      </Directory>
      <Directory installdir/apps/APPNAME/htdocs/serialized>
        Deny from all
      </Directory>
    

If the application does not support this, the .htaccess file can be found at installdir/apps/APPNAME/htdocs/.htaccess.


Add a new section in the .htaccess file when installing a plugin

Some plugins, during their installation, create a .htaccess file, in either the installdir/apps/APPNAME/htdocs/ or the installdir/apps/APPNAME/htdocs//plugins directory, that cannot be read by Apache. For that reason, we recommend moving the content of that file to the installdir/apps/APPNAME/conf/htaccess.conf file. Follow these steps:

  • Add a new entry in the installdir/apps/APPNAME/conf/htaccess.conf file that specifies the path where the .htaccess file is located (installdir/apps/APPNAME/htdocs/ or installdir/apps/APPNAME/htdocs//plugins), and paste the content of that file inside it.

    NOTE: CONTENT is a placeholder. Replace it with the content of the installdir/apps/APPNAME/htdocs/.htaccess file created by the plugin.

      ...
      <Directory "installdir/apps/APPNAME/htdocs/">
      CONTENT
      </Directory>
    
  • Restart Apache to make the changes take effect:

      $ sudo installdir/ctlscript.sh restart apache
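
With AllowOverride None, a .htaccess file that a plugin drops is ignored until its content is copied into the htaccess configuration file, as both plugin procedures above describe. The script below is an added example, not part of the Bitnami documentation: it lists directories that hold a .htaccess file but have no matching <Directory> block. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Bitnami code): find .htaccess files that Apache ignores
# because AllowOverride is None and no <Directory> block covers them.

# Print the path of every <Directory ...> block in a config file, with
# quotes and trailing slashes removed. Assumes the directive is spelled
# "<Directory" as in the listings above; <DirectoryMatch> is not parsed.
conf_dirs() {
    [ -f "$1" ] || return 0   # some applications ship no htaccess conf file
    sed -n 's/^[[:space:]]*<Directory[[:space:]][[:space:]]*"\{0,1\}\([^">]*\)"\{0,1\}[[:space:]]*>.*/\1/p' "$1" |
        sed 's|[[:space:]/]*$||'
}

# audit_htaccess APP_ROOT HTACCESS_CONF
# Print each directory under APP_ROOT that holds a .htaccess file but has
# no exact-match <Directory> block in HTACCESS_CONF.
audit_htaccess() {
    app_root=${1%/}
    known=$(conf_dirs "$2")
    find "$app_root" -type f -name .htaccess | sort | while IFS= read -r f; do
        dir=${f%/.htaccess}
        printf '%s\n' "$known" | grep -Fxq -- "$dir" || printf '%s\n' "$dir"
    done
}

# Constructed sample tree: three .htaccess files, two of them already
# copied into htaccess.conf (one quoted with a trailing slash, one unquoted).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/cache" "$root/htdocs/plugins/demo" "$root/conf"
    for d in htdocs htdocs/cache htdocs/plugins/demo; do
        echo 'Options -Indexes' > "$root/$d/.htaccess"
    done
    cat > "$root/conf/htaccess.conf" <<EOF
<Directory "$root/htdocs/">
  Options -Indexes
</Directory>
<Directory $root/htdocs/cache>
  Options -Indexes
</Directory>
EOF
    printf '%s\n' "$root"
}

sample=$(make_sample)
audit_htaccess "$sample/htdocs" "$sample/conf/htaccess.conf"   # prints only .../htdocs/plugins/demo
rm -rf "$sample"
```

On a real installation, pass the application's document root and its htaccess configuration file as the two arguments. Each directory it prints is a candidate for a new <Directory> entry.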
    
Last modification July 6, 2021