EDIT: The reason of my problem is mod_userdir. So if your host has enabled mod_userdir like Hostgator reseller package for example http://support.hostgator.com/articles/specialized-help/technical/apache-htaccess/mod_userdir then be sure that you host can disable this. Apparently Hostgator refused to disable this for the specific hosting package
Recently I received a phishing warning from google related to a file that doesn't exist in my server. The reason that it appears as it is hosted on my server is because I'm on a shared/reseller Apache hosting package. So I discovered that I can access any file of another website which is hosted on the same server as my site if I know the username of the owner of the website.
Meaning I can access
http://mywebsite.com/~somebodyelsesusername/any_path_to_their_files.php
Well this behavior is undesirable, so I want to deny access to other's websites through my domain using .htaccess
How can I block every root folder for instance mydomain.com/~somefolder/ starting with ~ without knowing what follows next? Of course I have to block access to any files or folders of that folder. I tried
<DirectoryMatch "^\~|\/\~">
Order allow,deny
Deny from all
</DirectoryMatch>
But I guess I'm not doing it right.
The answer below answers in fact the question however it doesn't fix my problem due to special circumstances. So I marked it as correct and I will further investigate the issue
<DirectoryMatch> can only be used in the server configuration file, or virtual host context, not through .htaccess.
You can possibly block access using mod_rewrite. Make sure the module is enabled, then use the following directives:
RewriteEngine on
RewriteRule ^~ - [F,L]
Related
I am trying to redirect some pages on a Wordpress site. The pages would have this URL pattern:
domain.com/sponsored/something1/.../something2?par_t=param
But should be redirected to this one:
domain.com/sponsored/?par_t=param
So I need remove some parameters from the address but without updating the actual URL in the browser.
I have been tried adding this rule and some others into the .htaccess but no luck so far:
RewriteRule ^/sponsored/([A-Za-z0-9]+)/?$ domain.com/sponsored/$2 [QSA]
Is this possible? Any idea on how could this be achieved?
Thanks!
Sounds pretty straight forward, probably this is what you are looking for:
RewriteEngone on
RewriteRule ^/?sponsored/(.+)/?$ /sponsored/ [END,QSA]
In case you receive an internal server error (http status 500) using the rule above then chances are that you operate a very old version of the apache http server. You will see a definite hint to an unsupported [END] flag in your http servers error log file in that case. You can either try to upgrade or use the older [L] flag, it probably will work the same in this situation, though that depends a bit on your setup.
This rule will work likewise in the http servers host configuration or inside a dynamic configuration file (".htaccess" file). Obviously the rewriting module needs to be loaded inside the http server and enabled in the http host. In case you use a dynamic configuration file you need to take care that it's interpretation is enabled at all in the host configuration and that it is located in the host's DOCUMENT_ROOT folder.
And a general remark: you should always prefer to place such rules in the http servers host configuration instead of using dynamic configuration files (".htaccess"). Those dynamic configuration files add complexity, are often a cause of unexpected behavior, hard to debug and they really slow down the http server. They are only provided as a last option for situations where you do not have access to the real http servers host configuration (read: really cheap service providers) or for applications insisting on writing their own rules (which is an obvious security nightmare).
So I am having a bit of trouble.
I have many products with the same part o URL that I recently changed:
https://www.website.com/shop/category-sample/product1/
https://www.website.com/shop/category-sample/product2/
https://www.website.com/shop/category-sample/product3/
https://www.website.com/shop/category-sample/product4/
I need the "category-sample" to be "category"
So the new URLS would look like this:
https://www.website.com/shop/category/product1/
And etc.
Thank you!
Assuming that you are using the typical apache http server with loaded rewriting module this should do what you are looking for:
RewriteEngine on
RewriteRule ^/?shop/category-sample/(.*)$ /shop/category/$1 [R=301,QSA,END]
In case "category" actually is a dynamic value, not a fixed literal this variant should do what you ask for:
RewriteEngine on
RewriteRule ^/?shop/(.+)-sample/(.*)$ /shop/$1/$2 [R=301,QSA,END]
That rule will work likewise in the http servers host configuration of in a dynamic configuration file (".htaccess" style file) if you have to use those.
If you receive an "internal server error" using those rules (http status 500) then chances are that you operate a very old version of the apache http server. Have a try using the L flag instead of the newer END flag then. You will find a corresponding hint in your http servers error log file in that case.
And a general remark: you should always prefer to place such rules in the http servers host configuration instead of using dynamic configuration files (".htaccess"). Those dynamic configuration files add complexity, are often a cause of unexpected behavior, hard to debug and they really slow down the http server. They are only provided as a last option for situations where you do not have access to the real http servers host configuration (read: really cheap service providers) or for applications insisting on writing their own rules (which is an obvious security nightmare).
Problem:
I have a number of subdomains like foo.website.com, bar.website.com and so on.
One of them is the resources.website.com and the resources from it need to be available for all other ***.website.com subdomains.
Obviously, the browser with foo.website.com (with a .js resource from resources.website.com) is running into CORS problem.
Working code:
I am trying to configure my .htaccess of the resources.website.com to determine whether the request is performed from ***.website.com and the following solution works perfectly fine
<FilesMatch "\.(js|css|ttf|otf|eot|woff|ico)$">
SetEnvIf Origin "http(s)?://(.*\.website\.com)$" AllowOrigin=*
Header add Access-Control-Allow-Origin %{AllowOrigin}e env=AllowOrigin
</FilesMatch>
What I would like to do:
Id like to be able to keep the .com (the zone) outside of the .htaccess in the apache configuration files. (I have multiple environments under different zones so when the code, including the htaccess files, gets deployed on other zones, it is totally neutral).
In apache configuration files I have
SetEnv domain_zone com
.. and I would like to use this variable in the code above`s regexp (if its possible) like:
SetEnvIf Origin "http(s)?://(.*\.website\.%{domain_zone}e)$" AllowOrigin=*
.. but I obviously lack .htaccess skills. Thank you.
I'm trying to get a Django application running on my shared web server (hosted with DreamHost). There's one interface I'd like to lock down based on a white-list of IP addresses, but I'm having trouble figuring out how to do it. This interface lives at a virtual URL (in other words, there are no physical files on the server that correspond to the URL; the Django internals serve up the right thing based on the URL passed in). My shared host uses Apache as the web server, which then passes all necessary requests to Passenger.
I currently have an .htaccess file with the following contents in the root of my site:
SetEnvIf Request_URI ^/manage require_auth=true
AuthUserFile /home/myuser/.htpasswd
AuthName "Who Goes There?"
AuthType Basic
order deny,allow
deny from all
Satisfy any
Require user my_web_user
Allow from env=!require_auth
When I visit the /manage URL at my site, I get prompted for credentials just like I would expect. Visiting any other URL doesn't prompt me, so this rule set seems to work.
However, I can't figure out how to add the IP address white list into the mix. I'm aware that the Satisfy any directive is essentially a logical OR of the statements below it. Ideally, I'd like to be able to restrict access to this URL based on IP and require the user to login. But only for that particular path.
Is there something simple I'm missing here, or could the Apache / Passenger setup prevent me from being able to have my cake and eat it too?
You could specify the ranges you allow with "Allow from iprange" CIDR notation works fine, so that all those which do not match will be required to authenticate.
For example:
AuthUserFile /home/myuser/.htpasswd
AuthName "Who Goes There?"
AuthType Basic
Order deny,allow
Allow from 192.168.0.0/16
Satisfy any
Require user my_web_user
This means that all not in range 192.168.0.0 will have to authenticate.
I have a number of .html files on my web-server which I store in a specific folder. I have to protect them from unwanted users and let only a few people to be able to access this folder.
I would like to protect this specific folder, so users have to log in, but I don't want to use any PHP framework etc. It's only a simple HTML website created without PHP.
I have my own dedicated server, so there are some options to do it. For now I did basic HTTP Auth based on .htaccess and .htpasswd files, but I've just read it's no really secure because password is sent as plain text. I've found a similar option called .htdigest, but maybe there are more secure and also easy to set up ways to secure folder? Hope someone can recommend me a method to make it secure? Here is what I have on my server:
using CloudFlare Service (paid plan) which allows me to use SSL,
can install additional modules if needed.
Thank you for help!
you can use allow/deny directive
Order allow,deny
Deny from all
it will give user response code 403 forbidden page but if you want to return 404 response code then you can use below
RedirectMatch 404
references : http://httpd.apache.org/docs/current/sections.html