i'm trying to apply some rules for a subfolder but not for another subfolder.
I have this
SetEnvIf Referer "((.+\.)?domain\.com|localhost)" localreferer
<DirectoryMatch "/bin(.+/)?">
Require env localreferer
</DirectoryMatch>
And it is working fine. But now I need that this rule does not apply to /bin/public. I will have /bin/private and /bin/public, i need to apply the rule for /bin/private
I tried with
SetEnvIf Referer "((.+\.)?domain\.com|localhost)" localreferer
<DirectoryMatch "/bin/private(.+/)?">
Require env localreferer
</DirectoryMatch>
But all bin's subfolders are allowed from all referer.
What would be the correct regular expression to allow /bin/public to be accessed from any referer and /bin/private only from the ones I have on the list
Thanks in advance
i found the issue and the solution. i need to use LocationMatch instead of DirectoryMatch, so
SetEnvIf Referer "((.+\.)?domain\.com|localhost)" localreferer
<LocationMatch "/bin(.+/)?">
Require env localreferer
</LocationMatch>
<LocationMatch "/bin/public(.+/)?">
Require all granted
</LocationMatch>
Related
I would like to rewrite directories of my RootDocument into thei'r own addresses.
For exaimple, I would like to be able to visit: http://localhost/FOO and be redirected to http://FOO.dev. Please note that the URL domain is static ass all subdirectory domains will have the same tol-level domain. I need to create a redirect within chunk of code:
<VirtualHost *:80>
ServerName 127.0.0.1
ServerAlias localhost
DocumentRoot /usr/local/var/www
<Location />
Options All
AllowOverride All
Require all granted
</Location>
<LocationMatch ^/[^.].+/$>
RewriteEngine on
/*
I NEED A REWRITE HERE WHEN I REACH THE DIRECTORY LOCATION
AS LOCATION IS ALREADY MATCHED, I'M NOT SURE HOW TO EXTRACT IT
*/
</LocationMatch>
<LocationMatch ^/[.].+/$>
Options none
AllowOverride none
Require all denied
</LocationMatch>
</VirtualHost>
Since I have already figured out how to get into directories I need to be at, how would I use my logic to extract and redirect me into correct place?
You need a two-step-approach for this, since you have to handle two separate requests in the scenario you want to set up:
This is the rule to redirect clients to the new host name:
RewriteEngine on
RewriteRule ^/?(\w+)(/?.*)$ http://$1.dev$2 [R=301]
This is the rule inside that host to remap the request onto the internal folder in the file system again:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(\w+)\.dev$
RewriteCond /%1 -d
RewriteRule ^/?(.*)$ /%1/$1 [END]
Obviously the rewriting needs to be loaded and enabled for this.
In case you receive back a http status 500 ("internal server error") for the first request (the one to be redirected) chances are that you are using a very old version of the apache http server. In that case try replacing the [END] flag with the [L] flag...
Above rules will work likewise in the http servers host configuration or in dynamic configuration files. However you should always prefer to place such rules inside the http servers (virtual) host configuration instead of using dynamic configuration files (.htaccess style files). Those files are notoriously error prone, hard to debug and they really slow down the server. They are only supported as a last option for situations where you do not have control over the host configuration (read: really cheap hosting service providers) or if you have an application that relies on writing its own rewrite rules (which is an obvious security nightmare).
A couple weeks ago, I had a wonderful time setting up an Apache and Django configuration to work while forcing SSL and operating behind an AWS load balancer.
Now that it is all working nicely, I'm still constantly receiving the common "Invalid HTTP_HOST header" error, and trying to figure out the right way to go about fixing it.
Searching has brought me to the following answer regarding the Apache configuration:
How to disable Django's invalid HTTP_HOST error?
Which recommends placing the following settings inside the <Directory></Directory> block in the VirtualHost file:
SetEnvIfNoCase Host .+ VALID_HOST
Order Deny,Allow
Deny from All
Allow from env=VALID_HOST}
This works, but according to Apache (https://httpd.apache.org/docs/2.4/howto/access.html) this method is deprecated.
I've read through the Apache docs but when I tried using the following code it just shut down access to the site and gave me a "Not Authorized" error.
<RequireAll>
Require host example.org
</RequireAll>
Not entirely sure what I'm missing. I know I can solve the problem using the first answer, just trying to figure out the "right" way using code that isn't deprecated. Site is using WSGIDaemonProcess to run the Django App and has the following set to force the SSL through AWS
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTP:X-Forwarded-For} !=""
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}
No need to use mod_setenvif as HTTP_HOST is already a variable and you can evaluate it directly.
<Directory /var/www/html/>
Require expr %{HTTP_HOST} == "example.com"
Options
</Directory>
So, after messing with this for a long time I figured out that the problem I was dealing with may have something to do with the hostname reverse DNS lookup failing, since the IP address was pointing to an AWS EC2 instance instead of my domain.
After finally giving up on getting it right I returned to the post on how to disable the log error, and tried using the env variable, which seems to be working.
Apparently the correct format for Require is:
<Directory /var/www/html/>
SetEnvIfNoCase Host example\.com VALID_HOST
Require env VALID_HOST
Options
</Directory>
These guys had it right, just need to update it for the current "Require" directive.
How to disable Django's invalid HTTP_HOST error?
I have an Apache configuration which is something like this:
<VirtualHost *:80>
ServerAlias *.example.com
VirtualDocumentRoot /var/www/%1
<Directory /var/www/>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
The idea is that it serves any subdomain request from a directory with the same name. For instance, the docroot for http://beta-a.example.com becomes /var/www/beta-a.
This works fine.
My question is this: Is there any way to modify the extracted part of the request based on some logic? Ideally a regex. For example, I'd like to take all requests like:
http://beta-a.example.com
http://beta-b.example.com
http://beta-c.example.com
And remove everything after and including the - so that the docroot would become /var/www/beta. Basically, I'd like to find some way to have alternate host names that get served from the same docroot. I know of the rule:
%N.M insert (part of) the name
But this requires that I specify an explicit length and does not seem to allow any application of logic for the extracted substring.
Although not exactly what I am looking for, I'll offer a workaround which I'm using here. I can add an additional subdomain in the second position which accomplishes almost the same thing. So using these:
http://beta.a.example.com
http://beta.b.example.com
http://beta.c.example.com
All the above will be served from docroot /var/www/beta.
I have a public website with an admin area. So I want to protect this admin area using HTTP authentication.
The admin area has this URL: http://mypublicwebsite.com/myadminarea/
myadminareais not a physical directory on my server, there's a routing system based on the requested URL.
Is there an easy way to define that every URL that matches http://mypublicwebsite.com/myadminarea/* must use http authentication?
I've found this answer, but it seems too complicated to me.
Thanks.
You can use it using mod_setenvif and mod_auth. Place this code in your root .htaccess:
SetEnvIfNoCase Request_URI "^/myadminarea" SECURED
AuthType Basic
AuthName "Login Required"
AuthUserFile /full/path/to/passwords
Require valid-user
Order allow,deny
Allow from all
Deny from env=SECURED
Satisfy any
PS: Make sure you create passwords as per Apache manual instructions.
I've just found a solution using the LocationMatch apache directive, to be added in my virtualhost definition:
<VirtualHost *:8080>
...
<LocationMatch "/myadminarea/.*">
AuthType basic
AuthName "Login Required"
AuthUserFile /full/path/to/passwords
Require valid-user
Order allow,deny
Allow from all
</LocationMatch>
</VirtualHost>
I want to redirect the user to the authentication page only if the request is 'https'.
Currently I have written the following in my .htaccess file to do the same, but it doesn't work.
SetEnvIf Request_Protocol ^HTTPS.* IS_HTTPS
AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Allow from env=IS_HTTPS
Is the regex for determining HTTPS correct? Earlier I had the SetEnvIf statement as follows. This too didn't work.
SetEnvIf %{SERVER_PORT} ^80$ IS_NON_SSL
AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Allow from env=!IS_NON_SSL
But as per the documentation for SetEnvIf directive (http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html), the SERVER_PORT variable is not available.
I don’t think that the value Request_Protocol can be used to determine this – according to the docs page you linked, that contains something like (e.g., "HTTP/0.9", "HTTP/1.1", etc.) – so the protocol itself will always be HTTP; and that makes sense, as HTTPS is not a real “protocol”, but only the common name for HTTP with TLS “wrapped around it”, on the OSI level below it (6).
I’m not sure about the actual order of request processing (and don’t know where to find it right now off the top of my head) – but maybe you could combine this with mod_rewrite to achieve what you want? A RewriteCond is able to check whether HTTPS is used by checking the variable HTTPS for the value on – and a RewriteRule following that condition could set an environment variable for you using the [E] flag – something like this:
RewriteCond %{HTTPS} ^on$
RewriteRule . - [E=IS_HTTPS]
This will set the environment variable IS_HTTPS with an empty value, but that should be enough to check it with Allow from env=IS_HTTPS.
Mind giving this a try? As I said, I’m not sure if this will work because of processing order – but tryin’ cost nuffin, right?
You can try:
SetEnvIf Request_Protocol ^HTTPS.* IS_HTTPS
AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Satisfy any
Order deny,allow
Deny from all
Allow from env=IS_HTTPS