Note: recently updated due to a security issue with the original recommendation. (Thanks, Rich, for the feedback.)
I love the fact that OS X comes with a pre-configured Apache server set up to serve web pages from each user's Sites folder. By default, though, the ability to control access with .htaccess files is disabled (the AllowOverride directive is set to None).
No problem, right?
Well, if you have a fresh Leopard installation (not an upgrade) it's easy: simply edit httpd.conf.
However, if you upgraded from an earlier version of OS X (Panther in my case), a small shell game happened without your knowing it. In Panther, httpd.conf and the other Apache configuration files lived in a different directory. I had edited that file in the past and everything was working peachy keen under Panther. Unfortunately, when I upgraded to Leopard, despite having my httpd.conf correctly set up to allow .htaccess files, Apache appeared to ignore my wishes.
Move back 3 inches, commence hammering forehead against desk.
This created a pretty scary security issue. The .htaccess rules that were supposed to protect my Sites folder were silently ignored, so anyone on the same network (say, when I go to a public access point) could pull up my Sites directory listing and access everything in it. I have personal and development sites there that are not intended for mass consumption. WTF?
Following a little frustration, the simple answer surfaced: sometime between Panther and Leopard, Apple moved the Apache configuration directory to /etc/apache2 (really /private/etc/apache2; on OS X /etc is a symlink to /private/etc, so both spellings below refer to the same files). When I upgraded to Leopard, the OS X installer created the new /etc/apache2 directory, but it did not copy my old httpd.conf settings over to it. It also left the original configuration directory in place, which, unbeknownst to me, had become a red herring: Apache no longer reads anything in it.
So here's what you need to edit, in httpd.conf or, better, in /private/etc/apache2/users/<your username>.conf, to reactivate .htaccess files for your own Sites folder only (see Rich's comment below for why the block must name your Sites directory and not the filesystem root):
    <Directory /Users/some_username_here/Sites>
        # No "Indexes": a request for a bare directory gets a 403 instead of a listing
        Options FollowSymLinks
        # Honour .htaccess files in this tree, and only in this tree
        AllowOverride All
        # Closed by default: each site under Sites is opened by its own .htaccess
        # (an Order/Allow pair or an AuthType block), which AllowOverride All permits.
        # Use "Order allow,deny" / "Allow from all" instead if the sites should be
        # served without a .htaccess.
        Order deny,allow
        Deny from all
    </Directory>
This allows .htaccess files anywhere inside your personal Sites folder, and nowhere else. After saving, run sudo apachectl configtest to catch typos, then sudo apachectl graceful to reload the configuration.
After editing the correct httpd.conf (specifically, /private/etc/apache2/httpd.conf), Apache once again began respecting the .htaccess files in my Sites directory.
Sometimes it’s the little things…
This is a great tip. I was just struggling with mod_rewrite while trying out a few CMSes on my Mac.
This is a pretty big mistake that’s undocumented, being as I only found an explanation of the problem and a working solution on this page. I’m going to use this as my first submit to Digg, hopefully this critical piece of information can get spread around and save many other people from incessant smashings of head-into-desk.
Thanks! Let’s hope Snow Leopard doesn’t move too much else around.
Hi! I’m on an upgrade install of 10.6, and your post helped a ton! The config files have been placed in the same place as they were in 10.5, so I was able to find it all. Interestingly, I noticed that PHP 5 and the rewrite module are enabled by default in SL. Also, the ‘shell game’ (nice wordplay BTW) has been replaced with a simple copying of your old httpd.config right next to the new one with the suffix “~orig”.
Hope that helps anyone else out!
best,
Evan
Translation without the collapsed Directory sections:
No, no, no. Do not *EVER* change the AllowOverride setting in “Directory /”, and please don’t offer this advice to other people. It’s a security hole, and it’s a HUGE performance hit.
Instead, you need to find the block that actually refers to your document directory. For example, if your files are in /Users/bobba/web then you need to find (or create) a “Directory /Users/” block, or a “Directory /Users/bobba/web” or possibly even a “/Users/*/web” block.
The reason? Well, “/” refers to your filesystem root, not your document root. So when you say ‘AllowOverride All’ in “Directory /” you are telling Apache to honor .htaccess files placed ANYWHERE in the entire filesystem. This means that they can even be outside of the Apache document tree entirely. A security problem, but also a performance problem, as Apache now has to scan the entire directory tree leading to your files, ON EVERY REQUEST.
So, in summary, please don’t do that.
Rich, you're absolutely correct. On a Mac you should edit the /etc/apache2/users/.conf file to only open access to your own Sites directory (or, as you mention, the entire User block).
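The procedure in the post (find the configuration that Apache really loads, then open .htaccess handling for your own Sites folder only) and Rich's warning about AllowOverride in <Directory /> can both be checked with a small script. The following is an added example, not code from the post or from Apple: the username bobba, the sample configuration and the file paths are assumptions, and the two live checks (httpd -V and curl) need a running Apache on the Mac.

```shell
# Added example: audit the Apache config httpd actually loads and check how
# .htaccess files are handled for one user's Sites directory. The sample
# config, the username "bobba" and the paths are assumptions.

# 1. Which httpd.conf does this binary really read? On Leopard this prints
#    -D SERVER_CONFIG_FILE="/private/etc/apache2/httpd.conf"; an httpd.conf
#    left behind in an old directory by an upgrade is never consulted.
show_live_config() {
    httpd -V 2>/dev/null | grep -E 'HTTPD_ROOT|SERVER_CONFIG_FILE'
}

# 2. Print the AllowOverride value set in the <Directory> block for path $2
#    in config file $1 (last one wins; empty if no block sets it). Assumes the
#    directory path contains no spaces.
allowoverride_for() {
    conf=$1
    dir=${2%/}; [ -n "$dir" ] || dir=/
    awk -v want="$dir" '
        tolower($0) ~ /^[ \t]*<directory[ \t]/ {
            path = $2
            sub(/>.*$/, "", path)            # drop the closing ">"
            gsub(/"/, "", path)              # strip quotes
            sub(/\/$/, "", path)             # drop a trailing slash
            if (path == "") path = "/"
            inblock = (path == want)
        }
        tolower($0) ~ /^[ \t]*<\/directory>/ { inblock = 0 }
        inblock && tolower($1) == "allowoverride" {
            $1 = ""; sub(/^ /, ""); print
        }
    ' "$conf" | tail -n 1
}

# 3. Rich's warning: AllowOverride on <Directory /> makes Apache honour
#    .htaccess files anywhere on the filesystem. Apache 2.2's built-in default
#    is "All", so a missing root block counts as unsafe too. Returns 0 if unsafe.
root_override_is_unsafe() {
    v=$(allowoverride_for "$1" / | tr 'A-Z' 'a-z')
    [ -z "$v" ] || [ "$v" != "none" ]
}

# 4. Live check from another host on the LAN, after "apachectl -t" and
#    "apachectl graceful": a locked-down Sites directory answers 403 (or 401
#    for a password-protected site), never 200 with a directory listing.
check_listing() {
    curl -s -o /dev/null -w '%{http_code}' "http://$1/~$2/"
}

# Constructed sample standing in for the root block of httpd.conf plus the
# per-user file /private/etc/apache2/users/bobba.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/Users/bobba/Sites/">
    Options FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from all
</Directory>
EOF

# The mistake Rich describes: .htaccess honoured from the filesystem root.
BAD_CONF=$(mktemp)
printf '<Directory />\n    AllowOverride All\n</Directory>\n' > "$BAD_CONF"

echo "Sites: AllowOverride $(allowoverride_for "$SAMPLE_CONF" /Users/bobba/Sites)"
echo "root:  AllowOverride $(allowoverride_for "$SAMPLE_CONF" /)"
if root_override_is_unsafe "$SAMPLE_CONF"; then echo "sample: UNSAFE"; else echo "sample: ok"; fi
if root_override_is_unsafe "$BAD_CONF"; then echo "bad: UNSAFE"; else echo "bad: ok"; fi
```

Run as-is to see the checks against the constructed sample. On the Mac, call show_live_config first to confirm that SERVER_CONFIG_FILE points under /private/etc/apache2 before you edit anything, point allowoverride_for at that file and at your users/*.conf, and run check_listing <mac-ip> <username> from another machine on the network to confirm the 403.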
Thanks for the advice, but it doesn’t work for me. Can anyone explain this .htaccess error:
[Fri Jun 04 11:38:51 2010] [alert] [client 99.250.28.33] /Library/WebServer/Documents/.htaccess: Invalid command ‘\xef\xbb\xbfAuthType’, perhaps misspelled or defined by a module not included in the server configuration
There is nothing misspelled in my simple .htaccess file.
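The error in the last comment, explained with an added example that is not part of the thread: the bytes \xef\xbb\xbf that Apache printed in front of AuthType are the UTF-8 byte-order mark, which some editors prepend when they save a file as UTF-8. Apache treats them as part of the directive name, so the first line of an otherwise correct .htaccess becomes the unknown command "\xef\xbb\xbfAuthType". The script below detects and strips the BOM; the sample .htaccess is constructed and the paths are assumptions.

```shell
# Added example: detect and remove a UTF-8 byte-order mark (EF BB BF) from a
# .htaccess file. The sample file and paths are constructed, not real.

# Return 0 if file $1 starts with the three-byte UTF-8 BOM.
has_utf8_bom() {
    [ "$(head -c 3 "$1" | od -A n -t x1 | tr -d ' \n')" = "efbbbf" ]
}

# Rewrite $1 in place without the BOM; no-op if there is none.
strip_utf8_bom() {
    has_utf8_bom "$1" || return 0
    tail -c +4 "$1" > "$1.nobom" && mv "$1.nobom" "$1"
}

# Constructed sample standing in for /Library/WebServer/Documents/.htaccess,
# saved by an editor with a BOM (octal 357 273 277 = hex ef bb bf).
HTACCESS=$(mktemp)
printf '\357\273\277AuthType Basic\nAuthName "private"\nRequire valid-user\n' > "$HTACCESS"

has_utf8_bom "$HTACCESS" && echo "BOM found in $HTACCESS"
strip_utf8_bom "$HTACCESS"
has_utf8_bom "$HTACCESS" || echo "BOM removed; now run: apachectl -t && apachectl graceful"
head -n 1 "$HTACCESS"   # AuthType Basic
```

Point has_utf8_bom at the real .htaccess to confirm the diagnosis, strip it, and re-run apachectl -t; if the editor keeps re-adding the mark, save the file as plain ASCII or "UTF-8 without BOM".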