"Hello,
I have a serious security issue on my server (running CyberPanel with OpenLiteSpeed). A file in my web root, .user.ini, is publicly downloadable. I have tried to block it, but the server is ignoring all access control rules for it.
What I have tried:
1. I added the following block to the "Rewrite Rules" section for the virtual host in the CyberPanel UI:
<Files ".user.ini">
Require all denied
</Files>
After saving and restarting LiteSpeed, the file is still downloadable.
2. I also tried adding a direct RewriteRule to the same section in CyberPanel:
RewriteEngine On
RewriteRule ^\\.user\\.ini$ - [F,L]
After saving and restarting LiteSpeed, this rule is also ignored and the file is still downloadable.
My httpd_config.conf loads the vhost configuration correctly using a configFile directive. The server is simply not obeying fundamental security directives for this vhost.
Why would my LiteSpeed server be ignoring both <Files> and RewriteRule [F] directives? Is there a global configuration that could be overriding this?
Thank you."
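A diagnostic for the rewrite pattern quoted in the post, as an added example that is not part of the original post: it tests the pattern as posted, and two variants, against the request path with and without a leading slash. Assumptions: Python's `re` stands in for the server's regex engine (both read `\\.` as a literal backslash followed by any character), and which path form the server matches against depends on where the rule is placed.

```python
import re

# Pattern exactly as it appears in the post (doubled backslashes).
AS_POSTED = r"^\\.user\\.ini$"
# Variants constructed for comparison (not from the post).
SINGLE_ESCAPE = r"^\.user\.ini$"      # one backslash per dot
SLASH_OPTIONAL = r"^/?\.user\.ini$"   # also tolerates a leading slash

# Assumption: the rewrite engine sees one of these two subject forms.
SUBJECTS = ["/.user.ini", ".user.ini"]


def matches(pattern, subjects=SUBJECTS):
    """Return {subject: bool} for one rewrite pattern."""
    rx = re.compile(pattern)
    return {s: bool(rx.search(s)) for s in subjects}


def diagnose():
    """Evaluate every candidate pattern against every subject form."""
    return {
        "as_posted": matches(AS_POSTED),
        "single_escape": matches(SINGLE_ESCAPE),
        "slash_optional": matches(SLASH_OPTIONAL),
    }


def only_matches_literal_backslash():
    """True if the posted pattern needs real backslashes in the path."""
    # Constructed path containing literal backslash characters.
    return bool(re.search(AS_POSTED, "\\.user\\.ini"))


if __name__ == "__main__":
    for name, result in diagnose().items():
        for subject, hit in result.items():
            print(f"{name:15} {subject:12} {'MATCH' if hit else 'no match'}")
    print("posted pattern requires literal backslashes:",
          only_matches_literal_backslash())
```

If the doubled backslashes were typed into the panel as shown, the pattern can never match a request for the file; a single-escaped pattern still misses when the subject carries a leading slash.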