I'm using Drupal 8. Multiple sites sharing a single codebase. One .htaccess file for all.
I am receiving the same "page not found error" across all sites. Hackers attempting to break in to the site, presumably.
For example, someone tries to visit https:domain1/wp-admin/admin-ajax.php and https:domain2/wp-admin/admin-ajax.php ... Different domain names, but always the same addresses.
Other addresses include /phpmyadmin/scripts/setup.php and /1/wp-includes/wlwmanifest.xml and so on.
Using .htaccess, what is the most efficient means of redirecting all of these to an internal or external site so that my pages are not even served?
Thank you!
So, the way Drupal and the web server work is that when request arrives, if it matches “serverName” and document root and they points to Drupal then the web-server will hand that to Drupal to handle.
So, you have to ask if this is Drupal destined and if so, handle the redirect at Drupal (probably using the redirect module )
If you want set it up at at web-server level and you have access or using .htaccess then like :
RedirectMatch ^/wp-admin/(.*)$ http://example.com/404/$1
Note, there are plenty of other ways to write the above , but it’s simplest and lightest
I think this is a very common issue about CMS vulnerabilities and hosting security. And security issues is something that can not be done by a simple static action because there's always a new vulnerability. So be careful to always run :
composer update
To have always the last bug fixes and securities updates. Specially when you use modules like webform. At the moment Drupal offers more than one module for better securing your app. And in your case you need to identify IP addresses used by hacking robots and blocking them by using Perimeter .
The good news that the community arround Drupal is very concerned about security. For further reading and securing Drupal you can uses those modules but the more modules you install the more you have performance issues:
https://www.drupal.org/project/clamav
https://www.drupal.org/project/file_upload_secure_validator
https://www.drupal.org/project/key
https://www.drupal.org/project/csp
https://www.drupal.org/project/noopener_filter
https://www.drupal.org/project/hsts
https://www.drupal.org/project/securelogin
...
I also recommend the use of fast 404/403 Drupal error pages to not allow using of Database or more code running to serve that kind of pages.
Related
I want to make the move to Webflow for a client project that require a CMS. I would like some more information about the logistics and best practices of adding domains though.
Say for instance I have a client’s home page and a blog hosted on Webflow and this is accessed by their custom domain. what if I still need to host additonal files, and other pages on a traditional hosting platform with cPanel?
Would it be best to point the www.clientwebsite.com to Webfllow and keep the clientwebsite.com pointing at traditional host with a 301 redirect to the www.clientwebsite.com
I could still have pages on the traditional host for example clientwebsite.com/page.html while being able to add additional pages to Webflow e.g. www.clientwebsite.com/page.html
Basically I want to be able to use the same domain name on both Webflow and traditional hosting with cPanel, I just want to know what the best way to do this is, is there a better way to achieve this, is there anything to be careful of/ or would be considered bad practice?
Thanks in advance
Typically, one hostname will resolve to one IP address, so one hosting platform has to be the entry point. If the sites can be logically separated, you should probably just use different hostname (blog.example.com, www.example.com, something.example.com) and point them to different hosting platforms.
If you need to have content from the 2 platforms served under the same hostname, then one platform will be the entry point and there it will have some internal rewrite/proxy rules to fetch and serve content from somewhere else. This is easily doable in all modern webservers (nginx, apache..) but I am not sure your CMS platform will allow it.
So i am building a website using NodeJS where i will use Nginx as a reverse proxy to my app/apps. I will be using jade and sharing some layouts between subdomain and displaying specific content according to subdomain. I am trying to figure out from alot of research the best method of structuring the app. Is the best way to run each subdomain as a separate app on the same server? Or can i link them as one app? Please share your ideas and suggestions so i can make a decision and begin my coding :)
The main issue with using the same domain across multiple apps is security in regards to cookies. If apps are independent, then you might want to ensure a vulnerability in one app would not necessarily affect your other apps.
Otherwise, with nginx, there is really no limitation on your setup, however you decide to go. You can use nginx to easily join or disjoin multiple domains and/or ports/servers, into whatever setup you wish.
Whether you decide to go with multiple domains or multiple paths on a single domain have more to do with what kinds of apps you have in mind, and how logically separate would they appear to be from one another. With the help of the rewrite directive, even if you make a "wrong" choice initially, if you do have a desire, you could always fix it later on (preserving all existing links flawlessly), pretty much without any ill effect.
I am running multiple web applications (totally separated in different folders and running on different ports) on server with nxinx as proxy for different subdomains. However, if you want to make more subdomains for one application, the best way should be to structure it by URL.
For example you have mysite.com/books but you want books.mysite.com to be go to domain for books. You make proxy in nginx configs to redirect traffic from mysite.com/books to books.mysite.com.
Is it possible to apply .htaccess command only for mobile device?
For example, I have a script in a page that show a word (for example: Hello). So, I want to use .htaccess for replace that word to Hello mobile when an user with mobile device visit that page.
Is it possible? And, how to do it?
What you describe is possible, but it has nothing directly to do with .htaccess style files.
You can implement content post processing rules by means of the substitution module. It probably is a good idea to take a look at the documentation.
In general there are many very interesting modules for the apache http server out there. However note that they typically are not offered, so not available in cheap hosting provider environments. You probably will have to maintain your own system for that. A virtual system at a providers site is an affordable alternative for many situations.
I have a rogue website that is redirecting to my website. It doesn't have any content, 1 page, and some bad backlinks and no relationship with us or our niche, so it's safe to say its up to no good.
We want to distance ourselved from this as best as possible. I've requested that the registrar identify the culprit or remove the redirect, however, I wondered if it was possible to stop the site redirecting to our site full-stop.
We're using IIS7.5 on a Windows 2008 Server, and to date I've looked at blocking requests through urlrewriting but I've had no success. I've also read that request filtering may be an option but again little knowledge as to the capabilities of using this.
I would appreciate any advice regarding the 2 approaches above as to whether they are suited to what I want to achieve and if possible links to a clear example.
Here is an existing post that covers this exact topic. You will need to use URL Rewrite to implement the solution.
I want to create a dynamic website that does not support IIS. The area where I work does not allow anything to be installed in the server. The have a windows based server and I would like to create a dynamic website. IIS not allowed and server side languages like asp.net, php are not allowed. They did not say anything about client side. Is it possible to do?
In short, a general answer to your question Is it possible? would be No, it's not. And if you still find a way, it's not going to be worth the effort.
For one thing, even without programming languages like ASP.NET or PHP, you still need a web server such as IIS to serve static content. There are of course alternatives to IIS specifically, but no web server at all means no serving web sites at all.
If you would be given an opportunity to server static content, you could possibly produce a web site that is dynamic at least on a per visit basis using client side scripting and cookies, but the things you could make that site do would be very limited, and without anything other than serving static content there is no saving things between sessions, or in any way affecting the server side of the application.
You have to ask yourself why you need to serve this website. Is this something your company would benefit from? If so, could you convince the IT department to setup an environment to serve it? Are there any other alternatives? And, perhaps the most important one: there are lots of free or almost free web hosting solutions out there. Why not just use one of them?
There are many excellent reasons why you would want to create a dynamic website without using a web server. Here are a couple:
You are creating a website as a means of presenting a dataset with hyperlinks that you want to be able to archive on read-only media and ignore for 10 years or more (as you can do with books), and still be able to read (IIS is very poor at backwards compatibility).
You need to present your data to people who have no access to servers or the internet and have no idea how to turn their PC into a web server (there are many millions of such people in the developing world)
Yes, it's challenging, but if you want something to be readable by anyone, anywhere, anytime, and all you can count on are web browsers, there's no option.
By saying you want to do it without IIS, I'm assuming you're implying Apache as well (since you reference no server-side languages).
It depends what you mean by 'dynamic'. Essentially you'll be limited to
JavasScript, which means that you can manipulate information and elements already on the page.
iFrames - this would let you load external pages into elements and pages on the page. These could be dynamic, and if they were on the same server you could manipulate it as well. If it was from an external server, then you wouldn't have control over it from that page.
If you are able to set up an HTTP proxy, you can use JavaScript together with a service like CouchOne. You will need the proxy, since browsers restrict AJAX calls.