I'm trying to restrict access to the TYPO3 backend and the install tool. Beacause of that, the IPMaskList isn't the best thing to do so. I tried an .htaccess file in the /typo3 directory and it worked quite well to certain point. The following code was used to accomplish that:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !=<my_ip>
RewriteRule ^(.*)$ https://example.com [R=301]
Only the computer with the listed ip can access the index.php or install.php, which is very good. But as soon as I click the login button, and the URL changes to https://example.com/typo3/login?loginProvider=1433416747, it throws a 404 error. First, I thought it was the configured IP, as the server is requesting a page, and not my computer, but I don't know how to implement that.
The problem might just be that you are missing the L flag on the RewriteRule. The missing L flag will cause processing to continue through the remaining directives which probably includes a front-controller pattern. Typo3 then generates a 404 because https://example.com is not a valid "Typo3" URL.
But also...
First, I thought it was the configured ip, as the server is requesting a page, and not my computer,
If the server itself is also making an HTTP request (although not sure why) then you will also need to permit the server's IP address in your rule. For example:
RewriteCond %{REMOTE_ADDR} !=<my_ip>
RewriteCond %{REMOTE_ADDR} !=<server_ip>
RewriteRule ^ https://example.com/ [R=301,L]
Additional changes:
Missing L flag. (Mentioned above)
Missing trailing slash after the hostname (the browser "corrects" it).
No point capturing the URL-path in the RewriteRule pattern.
Although if you simply ant to restrict access then why not serve a "403 Forbidden" instead. Change the RewriteRule accordingly:
:
RewriteRule ^ - [F]
(L flag not required here.)
UPDATE:
No, by default there's no .htaccess in that dir, only the one in the root dir. Only with a .htaccess in the typo3 dir it's resulting in a 404. That's my only content in this particular .htaccess.
By enabling the rewrite engine in the subdirectory then it's going to completely override any mod_rewrite directives in the parent .htaccess file (by default), regardless of whether you are accessing the site by your IP or not. It would seem there are mod_rewrite directives in the parent/root .htaccess file that are required for your Typo3 installation to function (a front-controller pattern perhaps). (I had assumed these were all in the /typo3/.htaccess file.)
There are two solutions:
Move the above rule to the top of the root .htaccess file, adjusting accordingly. And delete the /typo3/.htaccess file. For example:
# In the root ".htaccess" file
RewriteCond %{REMOTE_ADDR} !=<my_ip>
RewriteRule ^typo3(/|$) - [F]
OR
Don't use mod_rewrite to block the request. For example, use an Apache expression with mod_authz_core instead. For example:
# In the "/typo3/.htaccess" file
<If "! -R '<my_ip>'">
Require all denied
</If>
Related
I have assets[/admin/assets] directory which I restricted access from browser.
So whenever user requested on [/admin/assets] , I want to rewrite rule to [admin/index.html].
I tried with below setting , but this doesn't rewrite to expected path but show permission access error with 403.
RewriteRule /assets /index.html [L]
I have one solution for that by handling ErrorDocument. But I don't prefer it that way, I want to handle by RewriteRule .
This can be achieved using the mod_rewrite module in Apache web server. You can add the following code in your .htaccess file or server configuration file to rewrite the URL:
RewriteEngine on
RewriteCond %{REQUEST_URI} /assets
RewriteRule ^assets/(.*)$ /admin/index.html [L]
The RewriteEngine directive turns on the rewriting engine.
The RewriteCond directive specifies a condition that must be met before the RewriteRule is applied. In this case, the condition checks if the requested URL starts with "/assets".
The RewriteRule directive specifies the actual URL rewriting. The pattern "^assets/(.)$" matches any URL that starts with "/assets/", and captures the rest of the URL into a group (.). The URL is then rewritten to "/admin/index.html". The [L] flag specifies that this is the last rule to be applied, so no further rewriting should take place.
I set by Directory module with Require All Denied
You can't block access and rewrite the request. The <Directory> container will take priority. (But there's no point blocking the request when you want to rewrite it. You are essentially blocking it by rewriting.)
Remove the <Directory> block and directly inside the <VirtualHost> container (outside of any <Directory> section) use mod_rewrite:
RewriteEngine On
RewriteRule ^/admin/assets($|/) /admin/index.html [L]
Any requests to /admin/assets or /admin/assets/<anything> are internally rewritten to /admin/index.html.
I have a domain with two versions and I need to redirect 1 of the versions
test.example.ca
test.example.ca/en
test.example.ca/fr
I need the first domain test.example.com to redirect to test.example.ca/en anytime someone hits it. but i don't want test.example.ca/fr to redirect to test.example.com/en/fr
this is what I've been trying with no success.
RewriteCond %{HTTP_HOST} =test.example.ca
RewriteCond %{HTTP_HOST} !=test.example.ca/fr
RewriteRule ^(.*)$ https://%{HTTP_HOST}/en/$1 [R=301,L]
I understand the question such that you simply to not want requests to https://test.example.com/fr... to get redirected. So you want an exception.
I'd say this roughly is what you are looking for:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^test\.example\.com$
RewriteCond %{REQUEST_URI} !^/fr
RewriteRule ^ https://test.example.ca/en%{REQUEST_URI} [R=301,L]
Chances are that your question was wrong in a few details, to me it reads as if you were not really precise with your host names. But above should be the correct answer to what you actually asked.
You should implement such rules in the http server's host configuration. If you do not have access to that you can also use a distributed configuration file (".htaccess"). That file should be located in the DOCUMENT_ROOT folder defined for your http host. And you need to make sure that the interpretation of such files is enabled at all (see the documentation for the AllowOverride directive for that).
It is a good idea to start out using a R=302 temporary redirection first. And to only change that to a R=301 permanent redirection once everything works as desired. That prevents nasty caching issues on the client side.
We have a Wildcard SSL Certificate that is supposed to work on any subdomain of a given domain.
So in this server we have this file structure:
/home/DOMAIN/public_html/subdomainx
/home/DOMAIN/public_html/subdomainy
etc...
Now, the Certificate is installed, but when you visit any subdomain over https (example: hxxps://subdomainx.domain.com ) it points to
/home/DOMAIN/public_html/index.php
We need that when you visit a subdomain via https
hxxps://subdomainx.domain.com
That it points to the the same directory that it's http equivalent:
/home/DOMAIN/public_html/subdomainx
Our provider tells us that this is not possible, that the current behaviour is correct, and that we should do some htaccess to achieve this.
I've tried a few things, incluiding this solution, that seems to be what I need: Advice on Configuring .HTaccess file to Redirect HTTP Subdomain to HTTPS Equivalent
But can't get it to work.
Any tips?
Thanks.
You don't want the [R] flag in your rewrite rule, or the hostname in the target. You want to rewrite the URI so that a "subdomainx" is prepended to it. Something along the lines of:
RewriteEngine On
# We don't want the main domain or www
RewriteCond %{HTTP_HOST} ^((?!www).*)\.domain.com$ [NC]
# Make sure that if we rewrite, the destination actually exists (to prevent loops and properly return 404's)
RewriteCond %{DOCUMENT_ROOT}/%1%{REQUEST_URI} -f [OR]
RewriteCond %{DOCUMENT_ROOT}/%1%{REQUEST_URI} -d
# rewrite
RewriteRule ^(.*)$ /%1/$1 [L]
Note that the %{DOCUMENT_ROOT}/%1%{REQUEST_URI} checks have to be made so that proper 404's get returned without information disclosure. This makes it so when you request for http://test.domain.com/badfile.html, the 404 message says "/badfile.html" is not found, instead of "/test/badfile.html" is not found.
I've got the follow problem.
I have a website and for the directories /members and /admin I have a .htaccess which forces these URLs to go to https://
All other URLs are forced to go to normal https://
Now, for /members which is https:// I have in the pages a reference to /js/script.js which in imported into the page, but ofcourse this directory /js is forced to normal http:// while the page is displayed in https://
Internet Explorer users are shown a popup if they want to view non-secure content in the secure page, if they click yes, it's ok. If they click no, then the javascript doesn't work.
The /js is used in the normal http:// website and also in the /members secure website. This also is the case for the /images directory
So i'm not sure how to solve this problem. Other than say that /js and /images can be https or http. But I have no clue on how to configure this in the htaccess file.
Any help would be much appreciated!
This is the htaccess file I use now :
#Turn SSL on everything, except members and admin
RewriteCond %{HTTPS} =off
RewriteCond %{REQUEST_URI} ^(/members|/admin)
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Turn SSL off everything, except members and admin
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^(/members|/admin)
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
There are quite a few approaches. Here are just a few.
Number 1. Add this before your rules:
# do not do anything for js/css/image files
# (will affect ALL such files in ALL folders)
RewriteRule \.(css|js|jpe?g|gif|png|ico)$ - [L]
The rule above will leave protocol as is for ALL css/js/image files (anywhere on a site)
Number 2. Add this before your rules:
# do not do anything to any files in css/js/images folders
RewriteRule ^(css|js|images)/ - [L]
The rule above will leave protocol as is for ALL files in css/js/image folders (e.g. example.com/js/main.js, example.com/images/logo.png or even example.com/js/compress.php
If you want -- you can combine them into single rule (to be more specific) -- but that is unnecessary (from my point of view).
I faced the same issue an year back. Was able to arrive at a conclusion on my own finally.
Check out my question and answer htaccess (https to http)
In your images and js directories create their own .htacess file with the following in it:-
RewriteEngine off
This will turn off writes for all files in that folder.
In your html do not specify the domain on the links so do /js/myscript.js instead of http://mydomain.com/js/myscript.js this way it will just inherit the same protocol as the page they are viewing it on.
Hey, My host is absolutely terrible. For some odd reason creating a subdomain in cPanel simply does not work, and their support lines are always busy. I thought I could get around this by using .htaccess. I'm sure it's not that hard, but I'm kind of new to mod_rewrite and have had little success searching in the last 5 hours. Heres the situation:
/home/user/public_html automatically redirects to http://www.example.com
Since I'm using a CMS in public_html it has already added the rule in .htaccess to redirect anything unfamiliar after example.com/ to a 'Page Not Found'
/home/user/subdomain needs to redirect to http://subdomain.example.com
How should I go about creating a subdomain redirection to an absolute path? Or How can I add an exception in my .htaccess
I doubt you'll be able to get your subdomain to function outside of your public_html folder (although I'm no server admin). Typically that requires DNS modifications or tweaking the server's configuration. Have you tried making a sub-directory and rewriting calls to the subdomain? For example this placed in the .htaccess within your public_html directory:
RewriteCond %{HTTP_HOST} ^subdomain\.example\.com$
RewriteRule (.*) /subdomain/$1 [L]
I'm not sure if that would work (never needed to test it myself), but it's more likely to function than trying to target files that live outside the directory specified by the webhost as the location of your domain's files.
Good luck!
Try this rule:
RewriteCond %{REQUEST_URI} !^/home/user/
RewriteCond %{HTTP_HOST} !^www\.example\.com$
RewriteCond %{HTTP_HOST} ^([^/.]+)\.example\.com$
RewriteRule ^ /home/user/%1%{REQUEST_URI} [L]
But your webserver already needs to be configured so that every request of foobar.example.com gets redirected to this specific virtual host.