htaccess Customized 403 Forbidden page not always working - .htaccess

I have a custom 403 page that works when I want to block specific pages, but it doesn't work when I want to match a specific HTTP_REFERER.
With the specific HTTP_REFERER I get the regular 403, To test the HTTP_REFERER I added a link on another site "mysite.com" towards this project, when I click on the link I get the server 403 response:
But I open my test page "forbidden-test" I do get my customized forbidden.php page
This is what I have in the htaccess, form the following example only RewriteRule ^forbidden-test$ - [F] works by showing my customized 403 page:
Options All -Indexes
# prevent folder listing
IndexIgnore *
RewriteEngine on
RewriteCond %{HTTP_REFERER} \
... (there are many here)
mysite\.com|\
[L,NC]
RewriteRule .* - [F]
#spam blacklist end
RewriteCond %{HTTP_USER_AGENT} \
12soso|\
192\.comagent|\
1noonbot|\
1on1searchbot|\
3de\_search2|\
3d\_search|\
3g\ bot|\
... (there are many here)
zyte\
[NC]
RewriteRule .* - [F]
#bad bots end
#Forbidden Test
RewriteRule ^forbidden-test$ - [F]
#ERRORS
RewriteRule ^forbidden/?$ forbidden.php [L,QSA]
ErrorDocument 403 /forbidden
Any thoughts?
Thanks

Pay attention to what that default error message is actually saying:
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Access to your custom error document is blocked. The internal request for that, goes through all of the rewriting again; and because the referrer of the original request is (still) wrong, access to your 403 document is forbidden now.
You need to add an exception to this referrer check, so that it allows access to your error document.
Easiest way here is probably to just put a rule at the very top, to do nothing, when this particular document is requested:
RewriteRule ^forbidden\.php$ - [L]
The - is a “non-rewrite”, it simply does nothing. The [L] flag is important here, to say “don’t process any other rules in this round.”
Also, since your error document seems to be a PHP script, you should define it like this directly,
ErrorDocument 403 /forbidden.php
Otherwise, this needs an extra round of rewriting, from /forbidden to /forbidden.php, and there is really no good reason for that.

Related

Block a specific file

I want to use mod_rewrite to block access to a file.
Let's say index.html as an example.
I know you can use FileMatch but I want to use mod_rewrite to do this.
I tried doing something like this:
RewriteEngine On
RewriteCond %(REQUEST_URI} !^/index\.html$
RewriteRule (.*) - [L]
But that doesn't work, how to I archive that?
You can use the F flag to deny access to a given file:
RewriteEngine On
RewriteRule ^index.html$ - [F]
Deny access to any file that ends with .pdf:
RewriteRule \.pdf$ - [F]
If your file used to exist there are a couple of options. Rather than saying "Access Denied" to the browser, search engine, or user. If you removed the file and have no other file to takes it's place then you can respond with a 410 Gone error by using the G flag.
RewriteRule ^yourfile.html$ - [G,L]
If it's in some directory, then you have to include the directory as well, but since we're using .htaccess we won't need the preceding slash.
RewriteRule ^some-directory/yourfile.html$ - [G,L]
If you've moved the file, then you can respond with a 301 Redirect response to let the users, search engines, and everyone else know that the file has a new permanent location
RewriteRule ^old-directory/yourfile.html$ new-directory/yourfile.html [R=301,L]
If you want to tell people that the file still exists but they can not access it because it's now privileged, then you can make the request for the file respond with 403 forbidden.
RewriteRule ^some-directory/yourfile.html$ - [F,L]
You can learn more about the various rewrite flags on this page.

Symfony 2 404 Custom page for missing resource

So, I have been trying to add a 404 controller in case an image is missing and I need to go and get it.
Initially, I tried a NotFoundHttpException/ResourceNotFoundException listener which loaded a class to deal with it. This worked great, if it was a Symfony2 routing issue.
Problem is, it isn't. It is a /web/bundles/mysite/images/missingimage.jpg 404, which is handled by Apache it seems.
So with .htaccess I tried:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
RewriteRule ^(.*) - [E=BASE:%1]
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^app\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .? - [L]
RewriteRule .? %{ENV:BASE}/app.php [L]
ErrorDocument 404 /web/404.txt
</IfModule>
Just to see if I could get that to work, but I get the feeling it wouldn't and it didn't.
So how can I get my setup to forward to a Symfony2 page when it encounters a 404 within the /web folder.
I am guessing it should be .htaccess, but I am not having much look.
In the end, I want it to go to:
/web/app.php/FourZeroFourHandler/web/bundles/mysite/images/missingimage.jpg
or:
/web/app_dev.php/FourZeroFourHandler/web/bundles/mysite/images/missingimage.jpg
Depending on whether I am in prod or dev.
And ideas?
You have two options.
First one is to route all images via your Symfony2 app. The LiipImagineBundle does this in order to generate thumbnails. Like that you could redirect all 404 to your custom error page. Downside would be that even for a static image the whole Symfony2 kernel needs to be booted. That's time and resource expensive.
The second option is to redirect from Apache2 to a route that is unknown or to a route that throws a 404 / HttpNotFoundException:
/*
* #Route('/404', name="not_found")
*/
public function notFoundAction()
{
return new HttpNotFoundException();
}
That gives you more control over the error message since you can render a twig template or log an error message.
You are right. I also had some trouble with the custom controller when I inserted ErrorDocument in my .htaccess. The solution is to edit your vhost instead. Go to /etc/apache2/sites-available and select the file (by default it's called default) where your virtual host ist stored. Replace the AllowOverride option in the <Directory>. And replace it with these lines:
AllowOverride FileInfo
ErrorDocument 404 /not_found.html
Solution was found here. Don't forget to reload your apache configuration:
sudo service apache2 reload

.htaccess redirect to 403 error

I have a website which watermarks photos (you may already know from previous q&a's). The orignal photos I use are secured using .htaccess using this code:
RewriteEngine On
RewriteCond %{REQUEST_URI} !error.gif$
RewriteRule \.(gif|jpg|png)$ /error.gif [L]
When the user attempts to access the file it comes up with ERROR 404 which is fine but is there any way to get it to redirect to ERROR 403? (error.gif exists and is a 1x1 white pixel.)
I know .htaccess uses this to access 403 errors:
ErrorDocument 403 /error-docs/403.shtml
I have created this file in the area, and have added the above line(s) together but it still redirects to ERROR 404?
I'm not very well educated with htaccess, so any help with this will be highly appreciated.
Full Code:
RewriteEngine On
RewriteCond %{REQUEST_URI} !error.gif$
RewriteRule \.(gif|jpg|png)$ /error.gif [L]
ErrorDocument 403 /error-docs/403.shtml
Thanks,
David
To return a 403, include an F in the brackets where the L is:
RewriteRule \.(gif|jpg|png)$ - [L,F]
You can replace the /error.gif with a - which stops url rewriting since you have a separate document that gets served for the 403 so the error.gif doesn't do anything. That also means you can get rid of the RewriteCond, too.

I'm using htaccess to create pretty URLs, but they seem to be causing a facebook login error

Here is my htaccess code:
RewriteEngine On
RewriteRule ^home/?$ index.php [L]
RewriteRule ^search/?$ search.php [L]
RewriteRule ^([a-zA-Z0-9\-\_]+)/?$ pages.php?a=$1 [L]
Here is the error I receive when I try to login or out from this page:
OAuthException: Error validating access token.
This does not happen when I access the page directly at:
http://www.example.com/pages.php?a=4
Per request:
Facebook passes the authentication back in the URL string, so that must include that during the rewrite..
Whenever you rewrite urls, you need to make sure it appends all submitted variables... (QSA Flag)
Simply adding adding QSA will fix it:
[QSA,L]
Two great pages to check out:
http://corz.org/serv/tricks/htaccess.php
http://corz.org/serv/tricks/htaccess2.php
Pretty much if your dealing with a common rewrite, either of those pages can answer almost any question you may have...
(the second link is all about rewrites)

How can I get non existant files mapped correctly in .htaccess?

Duplicate:
How to rewrite non existant files to
‘default’ files?
(.htaccess)
How would I "rewrite" to a location if a file doesn't exist? I don't want to use a 404 redirect, but an actual rewrite.
So for example, let's say it is a directory with images. If the image isn't found, then it rewrites to a default image?
I.e.,
images/1.jpg
images/2.jpg
images/default.jpg
if someone tried to access "website.com/images/3.jpg",
since that doesn't exist, I want it to go to:
"website.com/images/default.jpg"
This was a previous "posted" solution, but didn't quite work:
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteRule /images/.* /images/error.jpg [L]
It still doesn't "get" the right image (just goes as a regular 404 request).
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteRule ^images/.* /images/error.jpg [L]
Obviously this only redirects if missing file is under /images/... but you can easily modify it for your own needs
Well, your previous posted solution is on the right track, but there's some slight craziness with it. Try this:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule images/.* /images/default.jpg [L]
You should better send a 404 status code if the file really doesn’t exist rather than just a substitute with a status code other than 404. Otherwise the URL will be handled as valid.
So in your case I recommend you to set the ErrorDocument of the images directory to your default image:
<Directory "/path/to/your/images/">
ErrorDocument 404 /images/default.jpg
</Directory>
But note that the <Directory> block is only available in the server or virtual host configuration context and not the per-directory context (thus .htaccess).
If you cannot use the above, you could use a custom script as your custom error document to check what URL has been requested (see Request_URI environment variable) and send the default image if necessary. The ErrorDocument directive then should look like this:
ErrorDocument 404 /your-error-404.script
re-write your 404 document for your images folder:
(In your .htaccess file in your images folder)
ErrorDocument 404 default.jpg

Resources