I have created a .htaccess file and trying to have a CAS login when the user goes to a url (ie: https://www.mycompany.com/users/forms/immigration.php)
I have created a filesmatch if the page begins with either imm or imp and ends in a .php, it should prompt a CAS login. I have used the FilesMatch tag and here the following code:
<FilesMatch "^(imm|imp)\.php$">
Authtype CAS
Require valid-user
</FilesMatch>
Is there a different directive tag I should use?
You will need to include .* after initial part to allow matching immigration.php:
<FilesMatch "^(imm|imp).*\.php$">
Authtype CAS
Require valid-user
</FilesMatch>
Related
My goal is to deny access to all dot-files e.g .htaccess, .env and send back a 404, but allow the letsencrypt-folder .well-known to be accessed
RewriteEngine On
RewriteRule "(^|/)\.(?!well-known)" - [F]
RedirectMatch 404 /\..*$
Any hint on how to achieve this is highly appreciated
Best endo
Try the following instead:
RewriteEngine On
RewriteRule (?:^|/)\.[^/]+$ - [R=404]
This will serve a 404 for any file (or rather, last URL-path segment) that starts with a dot. But it will permit .well-known/ - since this is a directory and so is also suffixed by at least a slash + filename.
UPDATE: Modified regex so that it matches the dot at the start of the last path-segment, rather than anywhere in the last path-segment!
Note that the F flag responds with a 403 Forbidden, not a 404 as requested.
Alternatively, you can use a <Files> (or <FilesMatch>) container, which only matches "files". For example:
<Files ".*">
# 404 Not Found
Redirect 404 /
# OR... 403 Forbidden
#Require all denied
</Files>
Although this does also block a request for /.well-known (no trailing slash) - although that's not strictly a valid request anyway.
<FilesMatch "\.html$">
How do I specify only .html files in base directory?
I want
https://www.example.com/page.html
But not https://www.example.com/directory/page.html
Since the rule is in .htaccess of the root directory, as became clear from the discussion below, try this
<FilesMatch "^\.(html|php)$">
<If "%{REQUEST_URI} =~ m#^/[^/]+\.(html|php)$#">
(your directives)
</If>
</FilesMatch>
See https://httpd.apache.org/docs/2.4/sections.html#file-and-web, https://httpd.apache.org/docs/2.4/mod/core.html#if and https://httpd.apache.org/docs/2.4/expr.html.
I am putting all of my website's content (aside from the home page) into a "content" folder at the root of the site. This is Apache 2.4.25.
I want http://www.example.com to serve the DirectoryIndex (i.e. index.html) at C:/DocumentRoot/. The following works fine for that.
<Directory "C:/DocumentRoot/website">
Options None
AllowOverride None
Require all granted
</Directory>
I then want to have http://www.example.com/anything1/anything2 serve the DirectoryIndex at C:/DocumentRoot/content/anything1/anything2. After adding the following, accessing http://www.example.com gives a Forbidden error, though the AliasMatch works.
AliasMatch "^/(.+)$" "C:/DocumentRoot/website/content/$1"
<Directory "C:/DocumentRoot/website/content/">
Require all granted
</Directory>
Any idea what's happening or have a better/working alternative?
In this case, mod_rewrite is a little easier to read and later extend then a negative assertion regex in the AliasMatch.
RewriteEngine ON
RewriteCond %{REQUEST_URI} !^/content
RewriteRule ^/(.+) "C:/DocumentRoot/website/content/$1"
A change to the AliasMatch so it ignores the DirectoryIndex (index.html) allows it to work as expected.
AliasMatch "^/(?!index.html)(.+)$" "C:/DocumentRoot/website/content/$1"
(?!index.html) ensures that the implicit index.html is not matched. The (.+) picks up anything else and pulls it from the content folder.
I'm looking for a solution with htaccess to block access to files that contains the word "scheduleBackup" (case sensitive).
I tried this but it does not work :
<filesMatch "/scheduleBackup/i">
Order allow,deny
Deny from all
</FilesMatch>
Thanks in advance for your help.
I finally found the answer :
<FilesMatch "_scheduleBackup_full_">
Order allow,deny
Deny from all
</FilesMatch>
Now it works !
Try this instead:
<FilesMatch "/website\.com_scheduleBackup_full_\d{4}-\d{2}-\d{2}_.+?\.zip/">
Order allow,deny
Deny from all
</FilesMatch>
i means insensitive case.
To block access to any file with scheduleBackup (ignore case) text you can use this code in your DOCUMENT_ROOT/.htaccess file:
RewriteEngine On
RewriteRule scheduleBackup - [F,NC]
I have the following .htaccess file on our xxx.yyy.edu site, in the root.
<FilesMatch "(.+)\.php">
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
Require valid-user
ShibRequestSetting redirectToSSL 443
</FilesMatch>
This should only match files that end in .php, and match all files that end in .php, then force authentication. That part of it appears to work fine.
However, it also matches the root url, http://xxx.yyy.edu and http://xxx.yyy.edu/. Which isn’t a good thing, since it is forcing the root of the site to be authenticated.
It does not match xxx.yyy.edu/index.htm, or any other url that has anything after the domain name, like xxx.yyy.edu/students.htm or even xxx.yyy.edu/x
I’ve tested it in www.regexr.com, and it does not match the root url there.
Any thoughts/suggestions appreciated.
You are getting authentication dialog because on your landing page default page is set to index.php.
Have this FilesMatch with negative lookahead to avoid index.php from authentication:
<FilesMatch "^(?!index\.php$).+?\.php$">
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
Require valid-user
ShibRequestSetting redirectToSSL 443
</FilesMatch>
Sounds like perhaps it is matching the newline with the "dot" (a la XRegExp). Try something like \w+:[\d\w\s\./]+\.php.