While assisting a friend with an OwnCloud install, I found that while the .htaccess file existed, it initially appeared that it wasn't being used. The web server was essentially allowing access to all folders and files without authentication.
Overview:
- Apache2 w/SSL
- 'AllowOverride All' (was set in apache config)
- .htaccess file was found in the directory with the necessary and expected syntax:
  - deny from all
  - IndexIgnore *
Resolution:
While there was an 'AllowOverride All' instead of the default 'AllowOverride None' in the Apache config file, and no syntax errors were noted, it was NOT in the correct location for Apache to read it and apply it as expected. The directive MUST be contained within a <Directory> </Directory> section; if no such section exists, one needs to be added.
Once the syntax in the Apache config file was corrected, the site was secured.
Example:
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
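
One way to check for the misplacement described above, as an added example that is not part of the original post: the hypothetical shell functions `audit_allowoverride` and `allowoverride_placed_ok` list each `AllowOverride` in a config file together with its enclosing `<Directory>` path, or `OUTSIDE` when there is none. The sample config at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example: report where AllowOverride appears in an Apache config file.
# Output is one line per directive: "<line number> <context> <value>", where
# context is the enclosing <Directory> path, or OUTSIDE if no block is open.
audit_allowoverride() {
    awk '
        { sub(/^[ \t]+/, "") }            # ignore indentation
        /^#/ { next }                     # skip comment lines
        tolower($1) == "<directory" {     # opening <Directory path>
            ctx = $2; sub(/>$/, "", ctx); gsub(/"/, "", ctx); next
        }
        tolower($1) ~ /^<\/directory>/ { ctx = ""; next }
        tolower($1) == "allowoverride" {
            val = $2; for (i = 3; i <= NF; i++) val = val " " $i
            print NR, (ctx == "" ? "OUTSIDE" : ctx), val
        }
    ' "$1"
}

# Succeeds only if the file has at least one AllowOverride and every one of
# them sits inside a <Directory> block.
allowoverride_placed_ok() {
    out=$(audit_allowoverride "$1")
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | awk '$2 == "OUTSIDE" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample: the directive placed outside any <Directory> section.
sample=$(mktemp)
printf '%s\n' 'AllowOverride All' '<Directory /var/www/>' \
    '    Require all granted' '</Directory>' > "$sample"
audit_allowoverride "$sample"
allowoverride_placed_ok "$sample" || echo "AllowOverride is outside <Directory>"
rm -f "$sample"
```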