htaccess files downloading

[wise.dog6918]

Hello,

I don't even know how anyone else even registers on this site because I got javascript errors when trying to and it wouldn't populate the forms for me properly. Even if that had worked the entire process seemed way overly complex and wanted way too much info. Have you noticed a lack of activity recently?

Anyway, I cannot find anything about this anywhere or any solution that actually works. My .htaccess files are downloading when I try to visit them rather than denying access to them even though I have enabled options to deny access to them. They are WordPress websites.

cPanel Version 108.0.11
I used EasyApache to install Apache 2.4 and Nginx. PHP 8.0 and 8.1 but the sites are only using 8.0 for now.

AlmaLinux v8.7.0 STANDARD kvm

In cPanel I used WP Toolkit and installed WordPress. I did not make any configuration changes manually to cPanel or Apache or Nginx or most other things. I then noticed I could download the .htaccess file when I visited it in my browser. I then noticed in WP Toolkit there was a security option to disable this. I turned this on but it did not do anything.

I can see the lines are in the config files for both Apache and Nginx but they obviously do not work. I have even tried adding a section to the .htaccess file itself to block access to it but that also doesn't work. This is odd considering other files being blocked such as xmlrpc.php and wp-config.php and .user.ini all work fine.

I don't see any errors in logs that seem relevant either except in nginx I have a bunch of things that look like this:

2023/02/16 16:53:34 [crit] 376892#376892: unlink() "/var/cache/ea-nginx/proxy/REDACTED/f/98/7b18788fe1e8e07dc18af6f156e0698f" failed (2: No such file or directory)

In Apache I have this:
[Thu Feb 16 16:09:50.558644 2023] [ssl:warn] [pid 373713:tid 22473440681152] AH01909: server.example.com:443:0 server certificate does NOT include an ID which matches the server name

I don't know that those are related or what exactly to do to fix them either but I suspect they don't matter.

What would be causing this and how can I fix it?

Thank you for your time!

 

[cPRex]

Hey there! Activity on the Forums has been steadily increasing for years. I can say that we do have some major changes planned that will eliminate those issues and we're hoping to have that done this year.

Inside The WPT security options, I was successfully able to bock the access to the .htaccess file using that page. The interface seems like it could be potentially confusing - after you check the box next to the "block .htaccess" option, did you also click the blue "Secure" button at the top to save the settings?

 

[wise.dog6918]

Yes and there are all little green checkboxes next to everything. It seems to have saved properly. It added the right new parts in the config files to block things but in the case of the .htaccess files it just wasn't blocked and I can't figure out what might be the cause since I cleared the Nginx cache and restarted Apache and Nginx and PHP and I didn't notice anything in .htaccess that might interfere. Not sure what else to check or what else to change. I do think it's possibly something to do with Nginx though but I'm not 100% sure about that either. It's strange because I can get it to block some things but just not that. Not sure if it's using wrong regex for them or somehow something else could be conflicting somewhere or what that might be.

 

[cPRex]

If you check things in a private window, does that also not take care of the issue?

If not, it would be best to create a ticket with our team if you have root access to the server so we can take a look at the WPT system on our end.

 

[wise.dog6918]

I have tried a private window and different browsers and it didn't change. It doesn't really make sense to me. It definitely seems to be the server sending that file still. The site isn't behind Cloudflare or anything like that.

Unfortunately I won't be able to get them to approve allowing someone into the server since their site just went live and they have already denied allowing people in to fix things because they don't want to mess their site up. They use it to generate income and allow people to sign up for events so I don't think it can be down for any time and I think they are just worried about that.

Do you happen to have any other sorts of ideas of things to look at or things I could try that wouldn't cause downtime or be harmful to the operation of their sites? Or any ideas on how I could possibly narrow it down further without causing issues?

They have 3 separate WP installs. They have a main site, a shop site, and a dev site. It does the exact same thing on all of them. It did this before even touched the security feature in WP Toolkit. Even the dev site which is behind HTTP auth but I suppose that would make sense if it's Nginx causing it since Apache would not get access to the file as of yet and it uses the .htaccess file to assign the htpasswd file in there through cPanel.

I also noticed that Nginx tries to deny access through the file located at /etc/nginx/conf.d/server-includes/cpanel-static-locations.conf which seems to be included from the server block itself. However it's a bit different than the one WP Toolkit is adding and has more options. However even leaving the WP Toolkit option for "Block access to .htaccess and .htpasswd" disabled it still tries to download the .htaccess file.

The main reason I think it's Nginx is because I see it in the access logs for it giving a 200 response code on that file but do not see that in Apache.

Thank you very much for trying to help!

 

[cPRex]

Thanks for the additional details. While it may increase response times for a short period, you could always try uninstalling Nginx. That would reset the system to a default Apache configuration and help you rule out issues with Nginx delivering that page.

You could also try a standard "wget domain.com/.htaccess" on the command line to see any status codes that get mentioned on the server. You could try that both with and withing Nginx in place.

Hopefully one of those options would point you in the right direction.