I have this configuration on NgINX Server and I need to have the same rule on another Web Server that runs Apache.
NgINX
if ($http_referer !~ "^https?:\/\/.*\.sitea\.com.*|https?:\/\/.*?\.siteb\.com.*|https?:\/\/sub\.sitea\.com.*|?$") {
add_header X-Frame-Options "DENY";
}
I tried to use the following code, but I receive an Internal Server Error
Apache
<IfModule mod_headers.c>
<If "%{HTTP_REFERER} !~ m#^https?:\/\/.*\.sitea\.com.*$#">
Header append X-Frame-Options "DENY"
</If>
</IfModule>
Could anybody help me find the right way to do that?
I found this solution that works fine with old Apache versions.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?:\/\/.*\.sitea\.com.*?$ [NC]
RewriteRule ^ - [E=NOFRAME:1]
Header append X-Frame-Options "DENY" env=NOFRAME
In this way I'm able to put X-Frame-Options conditionally according to a list of authorized domains.
This is a fallback for old browsers that don't use Content Security Policy rules.
You can see here the full list.
Header append Content-Security-Policy "frame-ancestors sitea.com"
So modern browsers will use the CSP2 rule, and older ones use X-Frame-Options. Thanks to the regex we can apply this option to a list of allowed domains.
Expressions came with Apache 2.4. Yours is definitely older than that.
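An added example, not code from the question or from either answer, showing what the complete Apache 2.4 equivalent of the nginx rule looks like once ap_expr is available, together with the Content-Security-Policy header the self-answer describes. It assumes Apache 2.4 or later with mod_headers loaded, and that the permitted framing parents are sitea.com, any subdomain of sitea.com and any subdomain of siteb.com; those hostnames come from the question, the exact host list is an assumption. One deliberate difference from the nginx snippet: a missing Referer is treated as deny rather than allow, because Referrer-Policy and browser privacy settings strip the header routinely, so a Referer check can only ever be used to add a DENY and never to decide that framing is permitted. The frame-ancestors directive is the authoritative control in CSP-aware browsers; X-Frame-Options has no list form, which is the only reason the Referer heuristic exists.

```apache
# Added example (not code from the original post). Requires Apache 2.4+:
# <If> and the ap_expr syntax inside it did not exist in 2.2, which is the
# usual cause of the "Internal Server Error" the question describes.
# Assumed allowed framing parents: sitea.com, *.sitea.com, *.siteb.com.
<IfModule mod_headers.c>
    # Authoritative rule for CSP-aware browsers. frame-ancestors takes a list,
    # which X-Frame-Options never could; 'self' keeps same-origin framing.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://sitea.com https://*.sitea.com https://*.siteb.com"

    # Legacy fallback. The Referer is client-supplied and frequently absent,
    # so it is only ever used to ADD a DENY. An empty Referer is denied too
    # (-z is ap_expr's "string is empty" test). The character class keeps
    # userinfo or query tricks such as "evil.com?x=.sitea.com" from matching.
    <If "-z %{HTTP_REFERER} || %{HTTP_REFERER} !~ m#^https?://([a-z0-9-]+\.)*(sitea|siteb)\.com(:[0-9]+)?(/|$)#i">
        Header always set X-Frame-Options "DENY"
    </If>
</IfModule>
```

"Header set" rather than "Header append" is used on purpose: appending would produce a value such as "DENY, DENY" (or "SAMEORIGIN, DENY") if another rule already emitted the header, and browsers treat a malformed X-Frame-Options value as if it were absent. "always" makes the header apply to error responses as well.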
Good morning to all. I have a WordPress website and I want to redirect all URLs to a new domain, but:
http://domain.it/?page_id=3668
http://domain.it/?team={name}-{surname}
I wrote this code in the htaccess file
#RewriteCond %{QUERY_STRING} !^team=([a-z-]+)$
#RewriteCond %{QUERY_STRING} !^page_id=3668$
#RewriteRule ^(.*)$ https://newdomain.it/ [L,R=301]
but it does not work correctly. In the Network tab of the Firefox developer tools, I see that some resources are loaded from newdomain.it (for example CSS and images).
What am I doing wrong?
This probably is what you are looking for:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^old\.example\.com$
RewriteCond %{QUERY_STRING} ^page_id=3668$ [OR]
RewriteCond %{QUERY_STRING} ^team=\w+-\w+$
RewriteRule ^ - [END]
RewriteRule ^/?(.*)$ https://new.example.com/$1 [R=301]
This allows the two domains to be served by the same http server, but that is not a requirement. If you operate two separate http servers, then these rules belong in the one serving the old domain, obviously.
It is a good idea to start out with a 302 temporary redirection and only change that to a 301 permanent redirection later, once you are certain everything is correctly set up. That prevents caching issues while trying things out...
In case you receive an internal server error (http status 500) using the rules above, then chances are that you operate a very old version of the apache http server. You will see a definite hint to an unsupported [END] flag in your http server's error log file in that case. You can either try to upgrade or use the older [L] flag; it probably will work the same in this situation, though that depends a bit on your setup.
This implementation will work likewise in the http server's host configuration or inside a dynamic configuration file (".htaccess" file). Obviously the rewriting module needs to be loaded inside the http server and enabled in the http host. In case you use a dynamic configuration file you need to take care that its interpretation is enabled at all in the host configuration and that it is located in the host's DOCUMENT_ROOT folder.
And a general remark: you should always prefer to place such rules in the http server's host configuration instead of using dynamic configuration files (".htaccess"). Those dynamic configuration files add complexity, are often a cause of unexpected behavior, are hard to debug and they really slow down the http server. They are only provided as a last option for situations where you do not have access to the real http server's host configuration (read: really cheap service providers) or for applications insisting on writing their own rules (which is an obvious security nightmare).
I would like to rewrite directories of my DocumentRoot into their own addresses.
For example, I would like to be able to visit: http://localhost/FOO and be redirected to http://FOO.dev. Please note that the URL domain is static as all subdirectory domains will have the same top-level domain. I need to create a redirect within this chunk of code:
<VirtualHost *:80>
ServerName 127.0.0.1
ServerAlias localhost
DocumentRoot /usr/local/var/www
<Location />
Options All
AllowOverride All
Require all granted
</Location>
<LocationMatch ^/[^.].+/$>
RewriteEngine on
# I NEED A REWRITE HERE WHEN I REACH THE DIRECTORY LOCATION
# AS LOCATION IS ALREADY MATCHED, I'M NOT SURE HOW TO EXTRACT IT
</LocationMatch>
<LocationMatch ^/[.].+/$>
Options none
AllowOverride none
Require all denied
</LocationMatch>
</VirtualHost>
Since I have already figured out how to get into directories I need to be at, how would I use my logic to extract and redirect me into correct place?
You need a two-step approach for this, since you have to handle two separate requests in the scenario you want to set up:
This is the rule to redirect clients to the new host name:
RewriteEngine on
RewriteRule ^/?(\w+)(/?.*)$ http://$1.dev$2 [R=301]
This is the rule inside that host to remap the request onto the internal folder in the file system again:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(\w+)\.dev$
RewriteCond %{DOCUMENT_ROOT}/%1 -d
RewriteRule ^/?(.*)$ /%1/$1 [END]
Obviously the rewriting needs to be loaded and enabled for this.
In case you receive back an http status 500 ("internal server error") for the first request (the one to be redirected), chances are that you are using a very old version of the apache http server. In that case try replacing the [END] flag with the [L] flag...
The above rules will work likewise in the http server's host configuration or in dynamic configuration files. However, you should always prefer to place such rules inside the http server's (virtual) host configuration instead of using dynamic configuration files (.htaccess style files). Those files are notoriously error prone, hard to debug and they really slow down the server. They are only supported as a last option for situations where you do not have control over the host configuration (read: really cheap hosting service providers) or if you have an application that relies on writing its own rewrite rules (which is an obvious security nightmare).
A couple weeks ago, I had a wonderful time setting up an Apache and Django configuration to work while forcing SSL and operating behind an AWS load balancer.
Now that it is all working nicely, I'm still constantly receiving the common "Invalid HTTP_HOST header" error, and trying to figure out the right way to go about fixing it.
Searching has brought me to the following answer regarding the Apache configuration:
How to disable Django's invalid HTTP_HOST error?
Which recommends placing the following settings inside the <Directory></Directory> block in the VirtualHost file:
SetEnvIfNoCase Host .+ VALID_HOST
Order Deny,Allow
Deny from All
Allow from env=VALID_HOST
This works, but according to Apache (https://httpd.apache.org/docs/2.4/howto/access.html) this method is deprecated.
I've read through the Apache docs but when I tried using the following code it just shut down access to the site and gave me a "Not Authorized" error.
<RequireAll>
Require host example.org
</RequireAll>
Not entirely sure what I'm missing. I know I can solve the problem using the first answer, just trying to figure out the "right" way using code that isn't deprecated. Site is using WSGIDaemonProcess to run the Django App and has the following set to force the SSL through AWS
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTP:X-Forwarded-For} !=""
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}
No need to use mod_setenvif as HTTP_HOST is already a variable and you can evaluate it directly.
<Directory /var/www/html/>
Require expr %{HTTP_HOST} == "example.com"
Options
</Directory>
So, after messing with this for a long time I figured out that the problem I was dealing with may have something to do with the hostname reverse DNS lookup failing, since the IP address was pointing to an AWS EC2 instance instead of my domain.
After finally giving up on getting it right I returned to the post on how to disable the log error, and tried using the env variable, which seems to be working.
Apparently the correct format for Require in this case is:
<Directory /var/www/html/>
SetEnvIfNoCase Host example\.com VALID_HOST
Require env VALID_HOST
Options
</Directory>
These guys had it right, just need to update it for the current "Require" directive.
How to disable Django's invalid HTTP_HOST error?
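An added example, not from the question or from any of the answers, that puts the pieces of this thread together for an Apache 2.4 virtual host behind an AWS load balancer. The hostnames (example.com, www.example.com), the paths under /var/www and the health-check path /healthz are assumptions. It uses Require expr to compare the Host header itself, which is why it works where "Require host" failed: that directive reverse-resolves the client's IP address, and behind a load balancer the client is the load balancer, never example.com. Load-balancer health checks arrive with the instance address in Host and would be rejected by the same rule, so they are answered from a static file that lives outside the protected directory.

```apache
# Added example (not the original poster's configuration). Apache 2.4+ with
# mod_authz_core, mod_alias, mod_rewrite and mod_wsgi loaded; all names assumed.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html

    # Reject any request whose Host header is not one we serve before it
    # reaches Django, so its "Invalid HTTP_HOST header" never fires. The
    # header may carry a port, hence the optional (:port). This compares the
    # header string; "Require host" would reverse-resolve the client IP instead.
    <Directory /var/www/html>
        Require expr %{HTTP_HOST} =~ m#^(www\.)?example\.com(:[0-9]+)?$#i
    </Directory>

    # Health checks come in with the instance address as Host. Serve them a
    # static file from a directory that is not covered by the rule above.
    # The Alias is listed before WSGIScriptAlias, as the mod_wsgi docs do.
    Alias /healthz /var/www/health/ok.txt
    <Directory /var/www/health>
        Require all granted
    </Directory>

    # Redirect plain HTTP to HTTPS based on the scheme the load balancer saw.
    # Redirect to a fixed hostname rather than %{SERVER_NAME}: with
    # UseCanonicalName Off that value is taken from the client-supplied Host
    # header, which would make the redirect target attacker-controlled.
    # Health checks are excluded so the load balancer does not get a 301.
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{REQUEST_URI} !^/healthz$
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]

    WSGIDaemonProcess djangoapp python-home=/opt/venv python-path=/var/www/html
    WSGIProcessGroup djangoapp
    WSGIScriptAlias / /var/www/html/project/wsgi.py
</VirtualHost>
```

Two checks before relying on this: confirm that the instance's security group only accepts traffic from the load balancer, since X-Forwarded-Proto is just a header and anyone who can reach the instance directly can set it; and keep Django's ALLOWED_HOSTS set to the same host list, because the Apache rule is a filter in front of the application, not a replacement for the application's own check.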
I am trying to do the following. My website is hosted on
www.sitehost.com/uk
But I own this domain.
www.mainsite.co.uk
Is it possible to redirect the user hitting www.mainsite.co.uk to www.sitehost.com/uk but retain the www.mainsite.co.uk?
I tried doing .htaccess redirect and it worked but it changed the URLs from www.mainsite.co.uk to www.sitehost.com/uk
Ideally it would work like so...
www.sitehost.com/uk/post/20
can be accessed via
www.mainsite.co.uk/post/20
I tried mod_proxy but it didn't seem to work all the way. Anyone know how to do this? Is this even possible with Apache?
This is possible if mod_proxy is enabled in your Apache config.
Once mod_proxy and mod_rewrite are enabled, place this rule in the DocumentRoot/.htaccess file of the sitehost host:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?sitehost\.com$ [NC]
RewriteRule ^ http://www.mainsite.co.uk%{REQUEST_URI} [L,P]
The P flag is used to proxy the request to the external URL.
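An added example, not code from the question or the answer, of a reverse proxy in the direction the question asks for: requests arriving at www.mainsite.co.uk are fetched from www.sitehost.com/uk while the browser keeps seeing www.mainsite.co.uk. It assumes Apache 2.4 with mod_proxy and mod_proxy_http loaded and that the operator controls the virtual host for www.mainsite.co.uk; the hostnames are the question's. It is written in the virtual host rather than in .htaccess so that no per-directory rewrite with the [P] flag is needed.

```apache
# Added example (not code from the original question or answer). Apache 2.4
# with mod_proxy and mod_proxy_http; hostnames taken from the question.
<VirtualHost *:80>
    ServerName www.mainsite.co.uk

    # Reverse proxy only. ProxyRequests On would turn this vhost into an open
    # forward proxy usable by anyone on the internet; keep it Off.
    ProxyRequests Off

    # Send "Host: www.sitehost.com" upstream so the hosting provider routes the
    # request to the /uk site. With ProxyPreserveHost On it would receive
    # www.mainsite.co.uk instead and most likely serve a default site or a 404.
    ProxyPreserveHost Off

    # /post/20 on this host is fetched as /uk/post/20 upstream. ProxyPassReverse
    # rewrites Location headers in upstream redirects back to this host so the
    # browser is not bounced to www.sitehost.com.
    ProxyPass        / http://www.sitehost.com/uk/
    ProxyPassReverse / http://www.sitehost.com/uk/

    # Cookies scoped by the upstream to its own host and path must be rewritten
    # as well, or the browser will discard them.
    ProxyPassReverseCookieDomain www.sitehost.com www.mainsite.co.uk
    ProxyPassReverseCookiePath /uk/ /
</VirtualHost>
```

What this does not do is rewrite absolute links inside the HTML itself: if the upstream site emits href values pointing at www.sitehost.com/uk, those still leak through, which is the usual reason a mod_proxy attempt "does not seem to work all the way". Fixing that needs either relative URLs on the upstream side or a body-rewriting module such as mod_proxy_html, and the upstream host must be willing to serve the site under the Host header it receives.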
Is it possible to turn off HTTP trace method via .htaccess using this directive?
TraceEnable Off
When I try to add this directive in .htaccess I get an internal server error, maybe it's only allowed in my main httpd.conf file?
Unfortunately this directive isn't allowed in .htaccess as per the official docs:
TraceEnable Off
You need to put this in Apache config or your vhost setup.
In .htaccess you can use a workaround (as per the link shared by #donald123):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule ^ - [F]
Take a look at this: http://www.ducea.com/2007/10/22/apache-tips-disable-the-http-trace-method/ . It should be a solution for you.