I’m setting up a quick internal project in a new addon domain in cPanel. This particular one has an SSL cert installed. I was building my .htaccess up and added a <Files config.php> directive to deny from all so that my config.php file isn’t accessible. I realise that storing it outside of the web root is the ideal but I can’t in this case.

Normally I would expect that when going to www.domain.com/config.php in a browser that I would get Apache’s default 403 Forbidden page. This is what happens on other domains on the same server. But in this case I’m being given a 404 not found error, stating:

Not Found
The requested URL /403.shtml was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I would normally expect this if I was attempting to define custom error documents but in this case, I’m not!
The only thing that makes this domain different to all the others in the same cPanel account is the fact it has an SSL certificate. And this 404 error is the same regardless of navigating using http or https. I’ve tried clearing cache and still the same.

Can anyone see anything in my .htaccess below that might be causing this?

DirectoryIndex /index.php

Options -Indexes +FollowSymLinks
ServerSignature Off

# PARSE PHP IN OTHER FILES
# AddType FOR PHP AS APACHE MODULE, AddHandler FOR CGI
AddType application/x-httpd-php .ics .xml

# ATTEMPT FORCE PDF DOWNLOAD
AddType application/octet-stream .pdf

# PREVENT ACCESS TO CONFIG
<Files config.php>
order allow,deny
deny from all
</Files>

# CACHING
# http://httpd.apache.org/docs/current/mod/mod_headers.html
<FilesMatch "\.(js|css|ico|png|gif|jpg)$">
Header set Cache-Control "max-age=172800, public, must-revalidate"
#Header set Expires "Thu, 15 Apr 2011 20:00:00 GMT"
</FilesMatch>

# PREVENT ACCESS TO STATS UPDATE SCRIPT AS IT'S CLI ONLY
<Files stats_update.php>
order allow,deny
deny from all
</Files>

Redirect 302 /preview http://otherdomain.com/documents/preview
Redirect 302 /sample http://otherdomain.com/documents/preview

RewriteEngine On

# REWRITE NON-WWW TO WWW
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301]

RewriteRule ^about/?$ /index.php [L]
RewriteRule ^contact/?$ /contact.php [L]
RewriteRule ^home/?$ /home.php [L]
RewriteRule ^order/?$ /order.php [L]

# MAINTAINANCE
#RewriteCond %{REMOTE_HOST} !^123\.123\.123\.123
#RewriteCond %{REQUEST_URI} !^/maintainance\.html$
#RewriteRule ^(.*)$ /maintainance.html [R=302,L]

EDIT: Could it be anything to do with the way cPanel handles primary and addon domains?
In a cPanel account you have a primary domain whose files live under public_html then you define addon domains (or subdomains) whose files live under public_html/addondomain.com/

Would the .htaccess for the primary domain at public_html/.htaccess be affecting/overriding that of addon domains at public_html/addondomain.com/.htaccess?
I know .htaccess does cascade down through directories but is that the case even above a particular domain’s DocumentRoot, e.g.: in the case of this addon domain?

EDIT 2: Just for info here are the responses to both HTTP requests, bypassing any caching

root@vps [/home/username]#curl -i 'http://www.mydomain.com/config.php'
HTTP/1.1 403 Forbidden
Date: Sun, 16 Sep 2012 19:05:10 GMT
Server: Apache
Content-Length: 331
Content-Type: text/html; charset=iso-8859-1


root@vps [/home/username]# curl -i 'http://mydomain.com/config.php'
HTTP/1.1 301 Moved Permanently
Date: Sun, 16 Sep 2012 19:05:20 GMT
Server: Apache
Location: http://www.mydomain.com/403.shtml
Content-Length: 244
Content-Type: text/html; charset=iso-8859-1

You see the 2nd one gets the 301 redirect but it’s redirecting to the 403.shtml. So the 403.shtml has already been injected before the rewrite to the www. happens.