Close .tpl access with .htaccess

[crombiecrunch]

Thank you for this info

[pure|ws]

This still does not work for me on https.

 

Accessing the .tpl file over http is not allowed but if I switch to use https, lo and behold, the tpl contents are exposed.

[WebWorker]

Sorry to hear you're still having a problem, I'm fairly confident that one rule is all you need. If you need some more advanced help please provide your .htaccess file and what type of web server you're running.

[bear]

This still does not work for me on https.

 

Accessing the .tpl file over http is not allowed but if I switch to use https, lo and behold, the tpl contents are exposed.

 

If it's the site in your signature, that appears to be running on Plesk? It's been a while since I've used that CP, but if I remember right the httpdocs and httpS doc folder is on the same level, requiring duplicate copies of your files? Did you also duplicate the htaccess file in the secure directory?

 

/

../httpdocs

..../site_files

..../.htaccess

../httpsdocs

..../secure_site_files

..../??

[ChrisGooding]

Was going to point out the same thing bear.

 

We have LOADS of customers who that catches out. Parallels (especially Plesk/Virtuozzo) sure know how to make life complicated

 

Domain section or the actual Domain anyone!!!!

[Redsign]

It does not appear to be.

If I use http, it blocks it but if I am over my https, the contents of the .tpl files are being displayed.

 

I just checked ours on both http and https and it blocked both with the code from this thread..

 

So I can only assume it's your server config?

 

Ben

[pure|ws]

Thanks for all the help so far but this thing is driving me nuts.

Our WHMCS install is not on a Plesk CP. It's on a bare LAMP.

Let me try a couple of settings and see how it goes.

If this fails, I may need to start sending PMs to some of you here

[pure|ws]

It took a little bit of experimentation but in the end, we ended up modifying the ssl.conf file with the directives posted in this thread.

 

We are good now. I just don't want to leave our issue on this topic open.Thanks everyone!

[Blueberry3.14]

This still does not work for me on https.

 

Accessing the .tpl file over http is not allowed but if I switch to use https, lo and behold, the tpl contents are exposed.

 

I use https, and I get a 403, as intended.

[gerrybakker]

I have a strange problem with this addon. It works great on my older WHMCS site that has been upgraded to 4.1.2 but not on a brand new 4.1.2 install for a different site on the same server. I can add the namespinner.tpl and the {include file="namespinner.tpl"} line to everything except for the configureproductdomain.tpl file - if I add that line to that file all of the CSS formatting goes away and completely ruins the look of the cart when I try to look up a domain name. Any idea why?

[sparky]

In configureproductdomain.tpl try it this way

{include file="$template/namespinner.tpl"}

[gerrybakker]

That fixed it !!!!

 

Thank you.

[vchosting]

Thanks for this - never considered this until now

[isixhosting]

You can also control this to a point in your robots.txt if the search engine bot uses robot rules.

 

robots.txt

-------------------------------

User-agent: *

Disallow: /*.tpl$

-------------------------------

 

without the --------- lines

Google doesn't accept wildcards [ * ]

[bear]

...and robots.txt doesn't prevent anything from accessing, it merely suggests not to spider it to those bots that listen. Disallow via other means keeps them from even seeing it, rather than calling attention to their existence.

[3awh]

Does anyone know if i have wordpress v 3.0 can I put

<Files ~ "\.tpl$">

Order allow,deny

Deny from all

</Files>

at the top of the wordpress stuff with out effecting anything?

[HerrZ]

in wordpress there are no tpl files. so this would not effect your wp installation.

[3awh]

in wordpress there are no tpl files. so this would not effect your wp installation.

 

Great thanks