I like to simplify code if possible but I am not to familiar with .htaccess, I had error documents redirect rule hard coded
ErrorDocument 403 http://example.com/error/404
Then I made it
ErrorDocument 403 http://%{HTTP_HOST}/error/404
my question is so that the .htaccess does not have to be manually modified is there a way to tell it if its https or http? because the above example if i use https ill have to hard code https I would like to check automatically.
Don't use an absolute URL in the ErrorDocument directive
ErrorDocument 403 http://example.com/error/404
You shouldn't be using an absolute URL in the ErrorDocument directive to begin with! This will trigger a 302 response (ie. a 302 temporary redirect) to the target URL. So, this won't send a 403 (or 404) response back to the user-agent on the first response.
(This format of the ErrorDocument directive should only be used in very exceptional circumstances since you also lose a lot of information about the URL that triggered the response in the first place.)
To internally serve a custom error document on the same server, this should be a root-relative URL, starting with a slash (no scheme or hostname). For example:
ErrorDocument 403 /error/404
However, /error/404 is unlikely to be a valid end-point. This should represent a valid resource that can be served. eg. /error/404.html.
(And this naturally gets round the issue of having to specifying HTTP vs HTTPS.)
To answer your specific question...
because the above example if i use https ill have to hard code https
(Although, arguably, you should be HTTPS everywhere these days.)
However, to do what you are asking, you could do something like the following using the REQUEST_SCHEME server variable, for example:
ErrorDocument 403 %{REQUEST_SCHEME}://%{HTTP_HOST}/error/404
Or, if the REQUEST_SCHEME server variable is not available then you can construct this from the HTTPS server variable using mod_rewrite and assign this to an environment variable. For example:
RewriteEngine On
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ - [E=PROTO:http%1]
ErrorDocument 403 %{reqenv:PROTO}://%{HTTP_HOST}/error/404
The %1 backreference contains s when HTTPS is on and is empty otherwise. So the PROTO environment variable is set to either http or https.
This does assume that the SSL is managed by the application server and not a front-end proxy (like Cloudflare Flexible SSL etc.).
Related
1.
I have a .haccess file that requires you do be accessing from a certain IP address:
<RequireAll>
Require ip XX.XX.XX.XX.XX YY.YY.YY.YY.YY ZZ.ZZ.ZZ.ZZ.ZZ
</RequireAll>
If someone tries to access the website from a IP other then X, Y, or Z then they get an error 403 Forbidden page. I have customized it using the following:
ErrorDocument 403 /.forbidden.php
2.
If someone tries to access a restricted file in the same directory (even if they are from ip addresses X, Y, or Z) then again they prompted with the SAME custom 403 Forbidden page.
My Question
How can I have two different custom 403 Forbidden pages based on why they are forbidden from accessing? In example 1 the forbidden page would /.wrongip.php and in example 2 the forbidden page would /.restricted.php
If this is about the extent of what you are doing then it is fine but if you are going to be doing a lot of redirecting I would consider doing this in PHP, but I digress. You are going to have to use Apache (2.4) module mod_rewrite to rewrite rules and conditions for the IP restriction portion. I would leave your custom 403 Forbidden as is for handling the other cases of that status code. If you are on shared hosting this module is usually enabled by most hosting providers by default.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^111.222.333.444$
RewriteRule ^(.*)$ /.wrongip.php [L]
You will likely avoid confusion if you keep rule rewrites up near the top of your .htaccess file. You only need the RewriteEngine On line once in your file. RewriteCond is one of the conditions for the rule immediately following. You could have multiple conditions mapped to a single rule (using [OR] flag; AND behavior is by default).
In this solution, the ^ character indicates the start of a string. Likewise, $ indicates the end. So, ^(.*)$ is a wildcard and would match any file accessed on your server. Preceded by a single space separator, the /.wrongip.php portion indicates your custom error page to be redirected to. [L] is the flag to indicate the Apache server should stop processing other rules once it matches that one. Use this unless you are using multiple rules to construct a single URL, otherwise you may cause yourself a headache.
There is an additional flag, [R], that I would suggest being aware of and trying to use when possible for easier use in maintaining good practice with HTTP response codes. These help with search rankings and I would recommend specifying a 403 response because by default it will throw a 302 error which can negatively effect ranking over time. Changing the rule to RewriteRule ^(.*)$ /.wrongip.php [R=403,L] would cause the Apache server to issue an HTTP redirect to the browser (to /.wrongip.php) and communicate a 403 Forbidden error in the header. Since my example has all pages redirecting to /.wrongip.php for non-whitelisted IPs, most likely even /.wrongip.php itself, I think in your specific case the [R] flag would result in an HTTP redirect loop where they would keep requesting /.wrongip.php. In this case you should omit the [R] flag, this will cause the Apache server to do an internal redirect.
Without the [R] flag, the client won't have any idea that this redirect went on (hence internal), so you should still emulate the error code in the header of your /.wrongip.php file using PHP.
I have not tested it, but I assume something like
<Directory /var/www/mysite>
ErrorDocument 403 /.restricted.php
<RequireAll>
Require ip XX.XX.XX.XX.XX YY.YY.YY.YY.YY ZZ.ZZ.ZZ.ZZ.ZZ
ErrorDocument 403 /.wrongip.php
</RequireAll>
</Directory>
could do the trick.
Have a look at
https://httpd.apache.org/docs/trunk/custom-error.html and https://httpd.apache.org/docs/trunk/mod/core.html#errordocument for more information on how such configurations work.
I have two vhosts in one server thats using apache - my main page is www.alleOne.com and the other is www.sch2.com. I have a custom page that if www.sch2.com or any other uri page in www.sch2.com/madeup is down a 503 error code, it should redirect to my custom page http://www.alleOne.com/corp/en/service-unavailable.html. This page has a timer and will redirect in 5 seconds to www.alleOne.com ( This part works already). I am trying to see if what I wrote below is correct? Also in the rewrites-enabled were would I add my rules under what vhost www.alleOne.com or www.sch2.com?
RewriteCond %{ENV:REDIRECT_STATUS} !=503
RewriteRule !^www.sch2.com$ http://www.alleOne.com/corp/en/service-unavailable.html [L,R=503]
You can't do this with mod_rewrite. Rewrite rules are used to modify requests, you want to modify the response (redirect based on the status). You can use ErrorDocument directive for your purpose.
In www.sch2.com configuration, use
ErrorDocument 503 http://www.alleOne.com/corp/en/service-unavailable.html
More information: ErrorDocument Directive
I'd like to cut off access to a subdirectory on my site but I want any access in the subdirectory to be a 404 error, not a 403 forbidden. How can this be accomplished?
Try:
RewriteRule ^directory/ - [L,R=404]
This redirects all requests for the folder "/directory/", they get a 404 response.
I think, 410 error better
RewriteRule ^directory/ - [L,R=410]
or my search:
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|Baiduspider) [NC]
RewriteRule .* - [R=410,L]
on russian wiki
404 Not Found [19] - the most common mistake when using the Internet, the main reason - an error in writing the address of a Web page. The server understood the request, but did not find the corresponding resource at the specified URL. If the server knows that there was a document at this address, then it is desirable for it to use code 410. Answer 404 can be used instead of 403 if you need to carefully hide certain resources from prying eyes. Appeared in HTTP/1.0.
Redirect 404
Put this into the .htaccess file in the directory that you want off the record. The Redirect directive is part of mod_alias and can be used to send any status code, not just redirects.
You could also for the time being change which page a user will see when confronted with a 403 error, but I wouldn't recommend doing this long-term.
.htaccess:
ErrorDocument 403 /your404pagehere.php
I have the following line in my .htaccess file and it works.
ErrorDocument 404 http://localhost/error.php?code=404
When I change it to either of these it doesn't work anymore (don't know which is correct):
ErrorDocument 404 error.php?code=404
ErrorDocument 404 /error.php?code=404
The .htaccess file and error.php are in the same directory. Why is this happening?
Note: I'm on Wampserver
FULL .HTACCESS FILE
RewriteEngine on
RewriteRule ^([a-z]+)$ $1.php
ErrorDocument 404 http://localhost/error.php?code=404
The reason this is not working is because of the query string.
When you don't supply a full URL to the ErrorDocument directive, Apache treats is as a local file path relative to DocumentRoot. Slightly confusingly, you do need to use the leading / even though it is technically a relative path.
Now, what you want to do is actually not as simple as it may seem on the face of it. Because you are now dealing with a local path, the query string portion no longer has a special meaning, and will be treated as a literal part of the file name - and obviously the file is not called error.php?code=404, it's just called error.php. Thankfully though, it is possible with a little bit of messing around, because ErrorDocument does generate an internal request which is passed through the standard routing engine. What we will need here is a little bit of mod_rewrite magic.
Try the following:
ErrorDocument 404 /error-404.php
RewriteEngine On
RewriteRule ^/?error-([0-9]+)\.php$ /error.php?code=$1 [L,QSA]
This assumes that your .htaccess and error.php files both reside in the DocumentRoot.
In my opinion, 404 (like 403, 502, ...) code is a HTTP code so it could be logic that the instruction ErrorDocument, which reference to HTTP process in your case, needs a http:// instruction.
Using DaveRandom's solution, I simply added the R flag to RwriteRule and it works.
Try this configuration:
ErrorDocument 404 /error-404.php
RewriteEngine On
RewriteRule ^/?error-([0-9]+)\.php$ /error.php?code=$1 [L,R,QSA]
For me it works on Apache 2.4.12
It showing lot of urls as 404 not found. Of course there is badly formed querystring in the url.
http://www.example.com/ref=http%3A%2F%2Fwww.example.org/
Bbove url is failing to reach .htaccess verification.
RewriteRule ^(.*)$ index.php?request_url=$1 [QSA,L]
If that url reach/passthrough the above .htaccess rule, I can simply add R=301, but that url does not reach/passingthrough that .htaccess rule and shows 404 error.
it wont work because the urls are encoded and will be decoded as (%2F for / and %5C for \) respectively.
Apache has Security limitations for these kind of requests
check these Urls for more info
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
http://securitytracker.com/id/1018110 (Look at section 4. Solution)
To make it work either pass decoded request or enable AllowEncodedSlashes in apache config and restart the apache service
http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes