Magento Apache configuration (app/etc/local.xml accessible warning)

Question

Just finished installing Magento on a Linux server.

When I go to the Magento "Admin Panel" I can see the following message at the top of the page.

Your web server is configured incorrectly. As a result, configuration files with sensitive information are accessible from outside. Please contact your hosting provider.

What is the most likely cause for this error message?

Thanks,

John Goche

Answer 1

Magento uses .htaccess files in various directories to deny access to the directory trees. You will find them in app, media, var, and wherever else Magento sees fit to stick them. They do various things like deny viewing (app, var), executing (media .htaccess). For these .htaccess files to work, it is really important that the following be set in either the doc root .htaccess or in the virtual server configuration.

Options FollowSymLinks
AllowOverride All

More than likely, Magento detects that the app directory .htaccess file isn't being allowed to deny network access to your app/etc/local.xml file, so all your database credentials and encryption key are visible to anyone with a web browser.

Another issue might be that your file/directory permissions are too lax.

For Magento running under FastCGI, SuPHP or LSAPI

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod 550 pear #for Magento pre 1.5
chmod 550 mage #for Magento 1.5 and up
chmod 550 cron.sh

For Magento running under DSO (mod_php)

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod o+w var var/.htaccess app/etc
chmod 550 pear #for Magento pre 1.5
chmod 550 mage #for Magento 1.5 and up
chmod 550 cron.sh
chmod -R o+w media

For the question below, the app/etc folder is supposed to have the following .htaccess file in place. Trying to read anything through the server should throw a 403 error. Your next step is to get in touch with your web hoster to find out why that file is not being honored.

Order deny,allow
Deny from all

Note: If you are using alternative http servers like nginx, you must search down all of the .htaccess files created in Magento's directory tree and recreate all the .htaccess functions used by Magento in your nginx setups so you have the same file/directory protections as a standard Apache DSO install. Same goes for Windows installations on IIS.

Answer 2

I tried all the above and none worked on our web hosting. "AllowOverride All" would not work on our vhosts.conf and as a result, "Deny from all" was being ignored.

Add this code to .htaccess and it works a charm...

##### Block access to local.xml #####
RewriteRule ^(.*)local.xml$ - [F,L]

Answer 3

1.Add following in httpd.conf.

    <Directory "/var/www/html/app/etc">
        Options FollowSymLinks
        AllowOverride All
    </Directory>

1. set permission from ftp to local.xml =>600

2. sudo /etc/init.d/httpd restart

3. sudo /etc/init.d/httpd reload