I can't wrap my head around why the .env is still exposed. The website has an HTTPS certificate. I have the .env file denied in the .htaccess file like so:
# Disable index view
Options -Indexes
# Hide a specific file
<Files .env>
Require all denied
</Files>
It is blocked properly (403 forbidden error) on these URLs:
https://example.com/.env
http://example.com/.env
http://###.IPaddress.###/.env
But is still visible here by ignoring the "not secure" warning:
https://###.IPaddress.###/.env
Likewise, there is still the Apache Testing 123 page being served as the homepage for the above URL (when not accessing the .env file). How can I block this file?
CodePudding user response:
You probably have a default <VirtualHost *:443> that is catching the request (the first vHost that is defined in the server config is the "default") and this probably doesn't allow .htaccess overrides (ie. AllowOverride is not defined or set to None) so the .htaccess file is not processed.
You need to ensure that the default vHost that is catching the request either blocks requests to the IP address entirely, or redirects to the canonical hostname.
See the following question on ServerFault for more detail on configuring this: