I have a strict .htaccess file, that blocks countries like Russia or China.
Some of my clients, may - on occasion - travel to such countries.
What is the easiest/safest way to just let someone bypass the .htaccess rules?
Clients need to access sections of the website without logging in.
It is not known what country the client will be accessing from nor when the client will be accessing.
The only constant is the specific URL's available, some of which are global.
What we may sometimes know is - when a client complains they can not access.
No sure the route to go here.
To force clients to log in?
But then how do they access the log in page from blocked countries?
It is a real conundrum for me.
Current .htaccess:
order allow,deny
# Cambodia (KH)
deny from ###.###.###.#/##
deny from ... etc...
allow from all
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
Related
I'm trying to develop, test, and debug a website's CSS, and PHP code, and block the public from seeing any of the websites pages (by redirecting them to a parked "maintenance" page), while the site is still being developed. This site is NOT a WordPress site, so the problem is NOT solvable by simply applying a plugin. However it may be solvable by using .htaccess, if it's configured correctly.
I'm using the following code in the.htaccess file in the root of my websites tree:
<IfModule mod_rewrite.c>
# Allow the developer(s) (set to example.com's IP address for demonstration purposes) access to the website, via their IP address. #
RewriteCond %{REMOTE_ADDR} !^(93\.184\.216\.34)
# Allow users access to the directory containing the pages that handle HTTP error codes. #
RewriteCond %{REQUEST_URI} !^.*\/(error_documents)\/.+$ [NC]
# Allow users access to the parked "maintenance" page (duh!). #
RewriteCond %{REQUEST_URI} !^.*\/park\/index\.php$ [NC]
# During development and maintenance periods, redirect all others to the parked "maintenance" page. #
RewriteRule .* /park/index.php [R=302,L]
</IfModule>
Now, this works perfectly fine for it's intended purpose, but now I have (2) new problems:
It also blocks the Google Structured Data Testing Tool, which I need to give access to for testing the websites "Structured Data".
It also blocks the W3C Markup Validation Service, which I need to give access to, to check the markup's validity.
In order to solve these (2) problems, the following has to be accomplished:
Figure out the HTTP_USER_AGENT string the aforementioned (2) services are using, to access the website, and specifically allow those user agents (i.e. In consistency with the .htaccess code block, above, check that the request is NOT coming from those (2) services. If it is, then be sure NOT to redirect them to the parked "maintenance" page).
To give you an initial starting-point clue, that directive might look a little something like this:
RewriteCond %{HTTP_USER_AGENT} !^GoogSDTT
RewriteCond %{HTTP_USER_AGENT} !^W3CValidator
I found the answer to my question (with a little bit of online research):
With help from this page, and this page, from whatismybrowser.com, I was able to come up with the following .htaccess directive:
<IfModule mod_rewrite.c>
# Allow the developer(s) (set to example.com's IP address for demonstration purposes) access to the website, via their IP address. #
RewriteCond %{REMOTE_ADDR} !^(93\.184\.216\.34)
# Allow access from [ Google Structured Data Testing Tool ]. #
RewriteCond %{HTTP_USER_AGENT} !^.*(Google\-Structured\-Data\-Testing\-Tool).*$ [NC]
# Allow access from [ W3C Markup Validation Service ]. #
RewriteCond %{HTTP_USER_AGENT} !^.*(W3C_Validator|Validator\.nu\/LV).*$ [NC]
# Allow access from [ W3C CSS Validation Service ]. #
RewriteCond %{HTTP_USER_AGENT} !^.*(W3C_CSS_Validator).*$ [NC]
# Allow users access to the directory containing the pages that handle HTTP error codes. #
RewriteCond %{REQUEST_URI} !^\/(error_documents)\/.*$ [NC]
# Allow users access to the parked "maintenance" page (duh!). #
RewriteCond %{REQUEST_URI} !^\/park\/index\.php$ [NC]
# During development and maintenance periods, redirect all others to the parked "maintenance" page. #
RewriteRule .* /park/index.php [R=302,L]
</IfModule>
Please, let me know if I missed something, or if there is an error in my code.
Regards,
PS: And, no, I’m not worrying about someone spoofing the HTTP_USER_AGENT string, because this is meant to keep “normal” people from viewing the site. Others would eventually find some way to hack their way in, regardless of how many preventative security measures I take, and no matter how proactive I try to be. My father always warned me, “A thief can steal the salt out of a biscuit, and not even break the crust,
” and “Locks are only for honest people,” So I took heed to his advise, and don't worry so much about hackers anymore. Besides, even if they DO get in, what's the worst that can happen? They see a broken, or unfinished website?
I am very new to the idea of .htaccess and thought that it was what you used to do something like turn this:
http://www.domain.com/some/ugly/url/here.html
into this:
http://www.domain.com/niceurl
I was just told by my ISP that in order to get that to happen, no, it's done by putting the document into the web root folder. That .htaccess isn't used at all.
Does anyone know if this is true? I see a lot of examples about what .htaccess DOES but not so much about what it can't do. Somehow I thought this was all that was needed.
Lastly, if someone types in www.domain.com/niceurl what will happen? Don't I need to have that linked (if not by htaccess, how?!) to the location of the actual file?
Thank you for any and all help. I realize that .htaccess questions abound but they're hard to pick through for the layperson and I'm hoping to answer this specific question.
Here's what I believe should be an answer you want, put the block below to your .htaccess
Answer:
## Enabling Apache's Mod_rewrite module.
RewriteEngine On
# Following line is required if your webserver's URL is not directly related to physical file paths (just / for root, e.g. www.domain.com/)
RewriteBase /
# Restricts rewriting URLs only to paths that do not actually exists
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
# Redirect www.domain.com/bar to www.domain.com/foo
Redirect 301 /bar /foo
# Internally load the long URL without changing URL in address bar
RewriteRule ^foo/?$ http://www.domain.com/some/ugly/long/thing/here.html [L,NC]
As a result, www.domain.com/bar will be redirected to www.domain.com/foo and /foo will internally load http://www.domain.com/some/ugly/long/thing/here.html
FYI:
Your website's URL doesn't have to be directly related to physical file paths. Your URL's segment can be served as alias to your URL's parameters. for e.g,
http://www.domain.com/index.php?key1=value1&key2=value2
can be represented as
http://www.domain.com/value1/value2
Note: you need to implement a server side script to be served as a
router to manipulate the URL segments.
For more information about using .htaccess, check this out
Ref: http://htaccess-guide.com/
.htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or for more advanced functions such as content password protection or image hot link prevention.
Below is a few examples,
# Custom Error Pages for Better SEO,
# for e.g, to handle 404 file not found error
ErrorDocument 404 http://www.domain.com/404page.html
# Deny visitors by IP address
order allow,deny
deny from 122.248.102.86
deny from 188.40.112.210
allow from all
# Redirects
Redirect 302 /en/my-dir/my-page.html /en/my-path/example.html
# Disallow some silly bots from crawling your sites
RewriteCond %{HTTP_USER_AGENT} (?i)^.*(BlackWidow|Bot\\ mailto:craftbot#yahoo.com|ChinaClaw|Custo|DISCo|Download\\ Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|Express\\ WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet).*$
RewriteRule .* - [R=403,L]
# Setting server timezone
SetEnv TZ America/Los_Angeles
# trailing slash enforcement,
# e.g, http://www.domain.com/niceurl to http://www.domain.com/niceurl/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !#
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://www.domain.com/$1/ [L,R=301]
Enable mod_rewrite and .htaccess through httpd.conf (if not already enabled) and then You can use this code in your DOCUMENT_ROOT/.htaccess file:
RewriteEngine On
RewriteRule ^niceurl/?$ some/ugly/url/here.html [L,NC]
This will allow you to use http://domain.com/niceurl in your browser and it will internally load http://domain.com/some/ugly/url/here.html without changing URL in browser.
If you also want to force redirection from ugly URL to pretty URL then add this redirect rule just below RewriteEngine On line:
RewriteCond %{THE_REQUEST} \s/+some/ugly/url/here\.html [NC]
RewriteRule ^ /niceurl [R=302,L,NE]
How can I redirect via .htaccess file, that only the index.html can be accessed via URL.
I already got this:
RewriteEngine on
RewriteBase /
Options +FollowSymlinks
RewriteRule ^/?login/?$ /php/login.php [NC,R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.html [L,QSA]
It works fine if somebody types in for example "www.mypage.com/skd/lasnd"
but if somebody types in a file which exists on the webserver, e.g. "www.mypage.com/php/login.php", he will be redirected to that page. How to forbid that?
To be more exact: my JavaScript & PHP scripts should be still allowed to access to every file on my webserver.
These lines:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
are conditions "if REQUEST_FILENAME is NOT a file, if REQUEST_FILENAME is not a directory" and if both are met then RewriteRule is taking place. This is usually to allow "friendly urls" to work and at the same time to not rewrite any images, css etc. You can block access to files with many ways, but you have to take care to not block too much (like said images etc). The simplest approach would be to put your files in subdirectory and add another .htaccess file in that directory with line
Deny From All
This will make httpd reny any request to whatever is in that directory and subdirectories (unless another .htaccess overwrite these rules) while your scripts will be able to access them without a problem.
I strongly recommend do read mod_rewrite docs
EDIT
There's no "my javascript" and "their javascript". There's request and that's all you can tell for sure. You cannot tell which access yours and which is not. "i only want to deny request via typing in the browser adress line" - you can't tell that either. You theoretically could check REFERER, and if there's none set then assume it's direct hit, but REFERER comes from browser so it can be faked as well. And I personally block all REFERERS by default, so all my requests are w/o any REFERER even these not direct. You could try cookies, but again - these can be be grabbed by script and sent back too. The only real option is to Deny from all to these files and "tunel" them thru some sort of script (i.e. PHP) that would do i.e. file() on target file only if user authenticated himself previously using login and password. Any other attempts are broken from the start.
try the following
RewriteRule /.* http://www.new-domain.com/index.html
I'm trying to set up a htaccess file that would accomplish the following:
Only allow my website to be viewed if the viewing user is coming from a specific domain (link)
So, for instance. I have a domain called. protect.mydomain.com . I only want people coming from a link on unprotected.mydomain.com to be able to access protect.mydomain.com.
The big outstanding issue I have is that if you get to protect.mydomain.com from unprotected.mydomain.com and click on a link in the protect.mydomain.com that goes to another page under protect.mydomain.com then I get sent back to my redirect because the http_referer is protect.mydomain.com . So to combat that I put in a check to allow the referrer to be protect.mydomain.com as well. It's not working and access is allowed from everywhere. Here is my htaccess file. (All this is under https)
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^https://(.+\.)*mydomain\.com
RewriteCond %1 !^(protect|unprotected)\.$
RewriteRule ^.*$ https://unprotected.mydomain.com/ [R=301,L]
You are matching your referer against ^https://(.+\.)*mydomain\.com. Which means if some completely other site, say http://stealing_your_images.com/ links to something on protect.mydomain.com, the first condition will fail, thus the request is never redirected to https://unprotected.mydomain.com/. You want to approach it from the other direction, only allow certain referers to pass through, then redirect everything else:
RewriteEngine On
RewriteBase /
# allow these referers to passthrough
RewriteCond %{HTTP_REFERER} ^https://(protect|unprotected)\.mydomain\.com
RewriteRule ^ - [L]
# redirect everything else
RewriteRule ^ https://unprotected.mydomain.com/ [R,L]
I have the following page: www.domain.com/index.php?route=information/contact and I'd like to rewrite it so that it shows up as: www.domain.com/contact, but there's more...
What's important, is that when someone types in www.domain.com/contact, it redirects them to www.domain.com/index.php?route=information/contact, which in turn, is rewritten as www.domain.com/contact.
I appreciate any help! Thanks.
Edit: To clarify
I want users to be able to enter www.domain.com/contact and be redirected to www.domain.com/index.php?route=information/contact.
However once redirected, I'd like a purely aesthetic rewrite so that www.domain.com/index.php?route=information/contact shows up as www.domain.com/contact (the same as what they typed in.)
Is this possible?
Edit: My .htaccess file currently...
Options +FollowSymlinks
# Prevent Directoy listing
Options -Indexes
# Prevent Direct Access to files
<FilesMatch "\.(tpl|ini)">
Order deny,allow
Deny from all
</FilesMatch>
# SEO URL Settings
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)\?*$ index.php?_route_=$1 [L,QSA]
RewriteCond %{QUERY_STRING} ^route=common/home$
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule ^index\.php$ http://www.domain.com/? [R=301,L]
### Additional Settings that may need to be enabled for some servers
### Uncomment the commands by removing the # sign in front of it.
### If you get an "Internal Server Error 500" after enabling, then restore the # as this means your host
doesn't allow that.
# 1. If your cart only allows you to add one item at a time, it is possible register_globals is on. This
may work to disable it:
# php_flag register_globals off
Try these rules in your .htaccess file:
Options +FollowSymlinks -MultiViews
RewriteEngine on
RewriteCond %{THE_REQUEST} ^GET\s/+index\.php [NC]
RewriteCond %{QUERY_STRING} ^route=information [NC]
RewriteRule . /warranty? [L,NC,R=301]
RewriteRule ^warranty$ /index.php?route=information/contact [L,NC]
L will make sure that user's URL in browser doesn't change and redirection happens internally.
Your question is extremely unclear, and I suspect that inexperience is to blame.
With the following rule:
RewriteRule /?(.*) index.php?route=information/$1
the location bar will read "/contact" but index.php will be invoked via an internal rewrite.
With a small modification:
RewriteRule /?(.*) index.php?route=information/$1 [R]
the location bar will read "/index.php?route=information/contact" and index.php will be invoked, after the redirect.
As always, the rule should follow the appropriate RewriteCond so as to avoid rewriting if an actual file is requested.
AFAIK, you can't make the address bar show a different address than the one that the page was loaded from. If you want the user to see www.domain.com/contact in the address bar when viewing the page, you need to make the server actually return the page content (not a redirect) when that URL is requested.
I think you might be misunderstanding URL rewriting: it's not for changing what the user sees in the address bar, it's for changing what the server sees when a request arrives from the user. If you create a rewrite rule that changes /foo to /bar, then when the user types /foo in their browser, the server will treat it as a request for /bar.
What you want, I think, is that when the user types www.domain.com/contact in their browser, the server should treat it as a request for www.domain.com/index.php?route=information/contact, but the browser should still show the pretty URL that the user typed. The way to do that is to simply rewrite /contact to /index.php?route=information/contact on the server. No redirect is needed; the user simply requests the pretty URL, and the server handles the request based on the equivalent ugly one and sends back the resulting page.