• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Allow/Deny Directives No Longer Work

S

StvnT

New Pleskian
Has anyone encountered anything like this before?

We're running Plesk 8.1.1 on two servers and recently they both started ignoring Allow/Deny directives in vhost.conf and .htaccess files. This appears to be server-wide on both machines.
Apache reports no errors and the rest of the settings contained in the vhost.conf and .htaccess files run fine. All other modules seem to be working fine.
We experimented and tested domains that were known to be working correctly as well as with newly created domains but aren't able to get Allow/Deny to work at all.

Nothing had changed in our configurations prior to the issue so we're not sure why working systems would have suddenly stopped.
mod_authz_host is configured in the httpd.conf to load and shows up when running httpd -t -D DUMP_MODULES.

Both of our affected servers are running Plesk 8.1.1. Maybe a bug?

Mac Mini
Fedora Core 5
Plesk 8.1.1
Apache 2.2
 
Thanks for replying Jllynch and sorry you're having a similar issue.

Our vhost.conf and .htaccess are pretty simple:

.htaccess:
order deny,allow
deny from all

vhost.conf:
<Directory /var/www/vhosts/example.com/httpdocs/>
order deny,allow
deny from all
</Directory>
 
We've also noticed that .htaccess files can be directly access even though they are specifically denied in our apache config:

<Files ~ "~\.ht">
Order allow,deny
Deny from all
</Files>

So, http://www.example.com/.htaccess would load the .htaccess file even though it should be blocked.

We've reached out and purchased Plesk support but have apparently entered a support black hole. We got a confirmation of payment but no instructions on submitting a ticket, no support ID (so we can't submit a ticket https://www.parallels.com/support/plesk/form/), our phone calls have been bounced around without ever reaching a support person, and our Parallels Plesk rep isn't able to help. We're concerned about the security implications this means and my hope is that maybe a mod or someone who can get the ball rolling can help us get us the support we've paid for...
 
Yep I can verify that .htaccess files are also being displayed as plain text, instead of getting a 403 forbiden request.
 
Are you using Sitebuilder on the site at all? Is it sitebuilder related?

Any update there at all?
 
Last edited:
You must log in or register to reply here.

Similar threads

brother4
Question Best way to block direct PHP file access and ensure .htaccess rules are always applied with Nginx as a reverse proxy?
Replies
1
Views
1K
brother4
brother4
S
Apache does not apply .htaccess directives for certain files after migration through Plesk Migrator
Replies
2
Views
3K
NewGate
N
enerspace
Internal backup over CIFS / SSHFS mount
Replies
12
Views
2K
Sebahat.hadzhi
Sebahat.hadzhi
C
Issue Apache mod_substitute & mod_proxy_html not doing anything, using mod_proxy
Replies
1
Views
838
ConquerThis
C
O
Question Where in Plesk can I configure 301 redirect for non-existing subdomains?
Replies
2
Views
1K
olegos76
O
Back
Top