# Server & Environment

Server &amp; Environment

# Server Rules Not Working

## What This Means

This issue occurs when server-level protections applied by Steel Security do not take effect.

You may enable a hardening control, but the expected behavior does not occur.

---

## Common Symptoms

- restricted files or endpoints remain accessible  
- directory listing is still enabled  
- PHP execution is not blocked  
- changes appear to have no effect  

---

## Why This Happens

Server-level rules depend on your hosting environment and configuration.

This issue may occur if:

- your server does not support the required rule type  
- configuration overrides are disabled  
- rules are not being read or applied  
- another configuration is overriding the rules  

---

## How to Fix It

Try the following steps:

---

### 1. Confirm Your Server Type

- identify whether you are using Apache, Nginx, or IIS  
- ensure the control you applied is supported in your environment  

---

### 2. Check Apache Configuration (.htaccess)

If using Apache:

- ensure `.htaccess` overrides are enabled (`AllowOverride`)  
- confirm the file exists and is readable  
- verify no conflicting rules are present  

---

### 3. Check Nginx Configuration

If using Nginx:

- note that `.htaccess` is not supported  
- apply rules manually in your Nginx configuration  
- reload or restart the server after changes  

---

### 4. Check IIS Configuration (web.config)

If using IIS:

- confirm the `web.config` file is present  
- ensure rules are applied correctly  
- check for higher-level overrides  

---

### 5. Review Hosting Restrictions

- some hosting providers restrict server-level configuration  
- verify whether your hosting plan allows these changes  
- consult your hosting provider if needed  

---

## What to Expect After Fixing

After resolving the issue:

- server rules should take effect immediately  
- restricted behavior should function as expected  
- hardening controls will apply correctly  

---

## How to Verify

- test access to restricted files or endpoints  
- confirm expected responses (e.g., 403 Forbidden)  
- re-check behavior after applying fixes  

---

## When to Seek Help

If the issue persists:

- note your server type and hosting environment  
- document the specific control applied  
- include any relevant error messages  
- contact support with details  

---

## Key Principle

Server-level protections depend on your environment.

Understanding your server configuration is essential for effective hardening.

---

## Related

- [Apache (.htaccess) Hardening](https://docs.steelsecurity.com/books/hardening-reference/page/apache-htaccess-hardening)
- [Nginx Hardening](https://docs.steelsecurity.com/books/hardening-reference/page/nginx-hardening)
- [IIS (web.config) Hardening](https://docs.steelsecurity.com/books/hardening-reference/page/iis-webconfig-hardening)

# Nginx Configuration Issues

## What This Means

This issue occurs when expected protections are not applied on a server running Nginx.

Unlike Apache, Nginx does not support dynamic configuration through `.htaccess`.

---

## Common Symptoms

- hardening controls appear enabled but have no effect  
- restricted files or endpoints remain accessible  
- security headers do not appear  
- no visible change after applying protections  

---

## Why This Happens

Nginx uses centralized configuration files instead of per-directory rules.

This means:

- Steel Security cannot modify server behavior automatically  
- changes must be applied manually in the server configuration  
- rules will not take effect without proper configuration updates  

---

## How to Fix It

Try the following steps:

---

### 1. Confirm You Are Using Nginx

- check your hosting environment  
- review server response headers  
- consult your hosting provider if unsure  

---

### 2. Apply Rules Manually

- locate your Nginx configuration files  
- apply the required rules based on Steel Security recommendations  
- ensure the configuration reflects the desired protections  

---

### 3. Reload or Restart Nginx

- reload the configuration after making changes  
- ensure updates are applied to the running server  

---

### 4. Verify Configuration Scope

- confirm changes are applied to the correct server block  
- ensure no other configuration overrides your rules  

---

### 5. Check Hosting Limitations

- some hosting providers restrict access to Nginx configuration  
- use available control panel tools if provided  
- contact your hosting provider if necessary  

---

## What to Expect After Fixing

After resolving the issue:

- server-level protections should take effect  
- restricted behavior should function as expected  
- hardening controls will align with your configuration  

---

## How to Verify

- test access to restricted files or endpoints  
- confirm expected responses (e.g., 403 Forbidden)  
- inspect headers in browser developer tools  

---

## When to Seek Help

If the issue persists:

- document your server environment  
- note which controls are not applying  
- include configuration details if possible  
- contact support or your hosting provider  

---

## Key Principle

Nginx requires manual configuration for server-level protections.

Steel Security provides guidance, but implementation depends on your environment.

---

## Related

- [Nginx Hardening](https://docs.steelsecurity.com/books/hardening-reference/page/nginx-hardening)
- [Server Rules Not Working](https://docs.steelwp.com/books/troubleshooting/page/server-rules-not-working)
- [Changes Not Applying](https://docs.steelwp.com/books/troubleshooting/page/changes-not-applying)