I'm implementing Authentication in API using Lumen framework. I'm passing api_token in the header on localhost it's working fine. while uploading on Linux Server, it gives a null value in api_token header. I'm using postman to check the response
Here's my AuthMiddleware#handle code to check the value.
echo $request->header("api_token");
I googled it most of the time and found that public/.htaccess changes required but not worked for me.
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
on the end of my .htaccess
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
I don't know how to configure apache2 for request headers.
The underscore should be avoided for the request header key. hyphen is more common and you should rename the request header key to api-token. According to Apache 2.4 new features:
Translation of headers to environment variables is more strict than
before to mitigate some possible cross-site-scripting attacks via
header injection. Headers containing invalid characters (including
underscores) are now silently dropped. Environment Variables in Apache
has some pointers on how to work around broken legacy clients which
require such headers. (This affects all modules which use these
environment variables.)
Related
I have a subdomain called test.mysite.com and I have a CI4 installation inside a folder there called project. So the actual url for the CI4 installation is test.mysite.com/project/public/index.php. I want to remove the public/index.php portion from the url but continue to use the public folder to have my files, as they should.
I'm using this .htaccess on the project folder root:
DirectoryIndex /public/index.php
RewriteEngine on
RewriteCond $1 !^(index\.php|images|assets|css|js|robots\.txt|favicon\.ico)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ ./public/index.php/$1 [L]
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
But it's not working. When I access test.mysite.com/project it leads me to a server list of files. I know the .htaccess file is being properly read because when I add an error there it gives me a warning
EDIT:
CI4 already comes with an htaccess inside the public folder:
# Disable directory browsing
Options All -Indexes
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
# If you installed CodeIgniter in a subfolder, you will need to
# change the following line to match the subfolder you need.
# http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
# RewriteBase /
# Redirect Trailing Slashes...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Rewrite "www.example.com -> example.com"
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
# Checks to see if the user is attempting to access a valid file,
# such as an image or css document, if this isn't true it sends the
# request to the front controller, index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([\s\S]*)$ index.php/$1 [L,NC,QSA]
# Ensure Authorization header is passed along
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
<IfModule !mod_rewrite.c>
# If we don't have mod_rewrite installed, all 404's
# can be sent to index.php, and everything works as normal.
ErrorDocument 404 index.php
</IfModule>
# Disable server signature start
ServerSignature Off
# Disable server signature end
When I access test.mysite.com/project it leads me to a server list of files
Because your DirectoryIndex is set to /public/index.php (which presumably does not exist, as the index document is located at /project/public/index.php) and directory indexes (mod_autoindex) is presumably enabled (it should be disabled, so that such a request results in a 403 Forbidden).
the difference is that the other website that is working is not on a subdomain and it’s on the root, so it’s not the same htaccess
I'm not sure why it would be any different?
With the .htaccess file in the /project subdirectory, arrange your mod_rewrite (and mod_dir) directives like this instead:
DirectoryIndex index.php
Options -Indexes
RewriteEngine on
RewriteCond $1 !^public/(index\.php|images|assets|css|js|robots\.txt|favicon\.ico)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) public/index.php/$1 [L]
The presence of robots\.txt and favicon\.ico in the first condition implies you are rewriting requests from the document root. Since search engines request /robots.txt (in the document root), not /project/robots.txt (or /project/public/robots.txt). The same applies to /favicon.ico. If you are not rewriting these two requests then these two entries are not required.
This also assumes you are linking directly to your static resources using the public subdirectory. eg. /projects/public/images/foo.jpg. This isn't necessarily desirable since it exposes /public in the URL path. Users won't necessarily see this as it's not directly visible in the browser's address bar, but search engines and anyone who views the HTML source / network traffic will see it.
Just to add, that first condition (ie. RewriteCond directive) is "just" an opimisation. If it's set incorrectly, your site will probably work OK and you won't see a difference, except that it will be performing many more filesystem checks than it needs to do.
Alternative structure
An alternative approach is to have two .htaccess files. A basic /project/.htaccess file that simply rewrites everything to the public subdirectory and a more comprehensive (CI) .htaccess file at /project/public/.htaccess that actually routes the request to CI. This then allows you to omit public from all URLs, including URLs to your static resources.
For example:
/project/.htaccess
DirectoryIndex index.php
Options -Indexes
RewriteEngine On
# Unconditionally rewrite everything to the "public" subdirectory
RewriteRule (.*) public/$1 [L]
/project/public/.htaccess
The presence of mod_rewrite directives in the subdirectory .htaccess file naturally prevent a rewrite loop from the RewriteRule directive in the parent directory. (Assuming mod_rewrite inheritance has not been enabled.)
RewriteEngine on
RewriteCond $1 !^(index\.php|images|assets|css|js|robots\.txt|favicon\.ico)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php/$1 [L]
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
Working for years with Codeigniter 3 I had this issue too. First I tried the .htaccess road but after realizing Codeigniter 3 could also benefit from a more secure structure, I applied the same experience to Codeigniter 4.
The basic idea is to move the whole framework to a folder off the web root. And move the public folder to the root (WEBROOT can also be a subfolder under the public html folder)
PRIVATEFOLDER
\codeigniter:
\app
\vendor
\writable
WEBROOT
assets\
index.php
.htaccess
Then I'll modify index.php (and spark and preload.php if used). This will do in index.php:
// This is the line that might need to be changed... etc
define('ENGINEPATH', 'PRIVATEFOLDER/codeigniter');
require ENGINEPATH . '/app/Config/Paths.php';
And /app/Config/Paths.php to this:
namespace Config;
class Paths
{
public $systemDirectory = ENGINEPATH . '/vendor/codeigniter4/framework/system';
public $appDirectory = ENGINEPATH . '/app';
public $writableDirectory = ENGINEPATH . '/writable';
public $testsDirectory = ENGINEPATH . '/tests';
public $viewDirectory = ENGINEPATH . 'app/Views';
}
Now, set the $baseURL to the WEBROOT url and you should be able to navigate without index.php and public, and the app code is protected outside the public folder.
I want to redirect HTTP and www to https://example.com.
I tried using:
# force HTTPS and www.
RewriteEngine On
RewriteCond %{HTTP_HOST} (?!^www\.)^(.+)$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,L]
But the result is only https://www. - the domain disappeared!
My current .htaccess:
<IfModule mod_rewrite.c>
# REWRITE ENGINE CONFIG
#ExpiresActive On
DirectoryIndex under_construction.html index.html index.php
#Header set Cache-Control "max-age=259200, public"
#ExpiresDefault "access plus 3 days"
#Header unset ETag
#FileETag None
# Expires header for static content
#<FilesMatch "\.(ico|jpg|jpeg|png|gif|js|css|swf|jgz|js.jgz)$">
#Header set Cache-Control "max-age=31536000, public"
#ExpiresDefault "access plus 11 months"
#</FilesMatch>
# Auth for non-public projects
#AuthName "ZEN 2.2 Login"
#AuthType Basic
#AuthUserFile /Applications/MAMP/htdocs/username/.htpasswd
#AuthUserFile F:/wamp/www/username/.htpasswd
#AuthGroupFile /dev/null
#require valid-user
# REWRITE CORE RULES RULES -- PLEASE DON'T MODIFY --
# THESE ARE THE MAIN REWRITES THAT MAKE THE ENTIRE WORLD SPIN
AddDefaultCharset UTF-8
# IF NO IMAGE FOUND
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} \.(gif|jpg|jpeg|png)$
RewriteRule .* resources/static/images/no_image.png [L]
RewriteCond $1 !^(index\.php|resources|robots\.txt)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?page=$1&%{QUERY_STRING} [L,QSA]
RewriteRule ^robots.txt$ resources/static/robots.php [L]
# gZip minified js files
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteCond %{REQUEST_FILENAME}.jgz -f
RewriteRule (.*)\.js$ $1\.js.jgz [L]
AddType "text/javascript" .js.jgz
AddEncoding gzip .jgz
# gZip minified css files
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteCond %{REQUEST_FILENAME}.jgz -f
RewriteRule (.*)\.css$ $1\.css.jgz [L]
AddType "text/css" .css.jgz
AddEncoding gzip .jgz
</IfModule>
Need some help adding the redirection to HTTPS and non-WWW to the current .htaccess file.
The problem when using code from here -> https://gist.github.com/vielhuber/f2c6bdd1ed9024023fe4
Is that the redirection is broken, and the result is https://www. only, no domain name is showing.
Try:
# force HTTPS and www.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [OR]
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [R=301,QSA,L]
Some webservers don't create the HTTPS header when http protocol is used. So if HTTPS is not on (is off or null) this condition is true.
# force HTTPS and www.
RewriteEngine On
RewriteCond %{HTTP_HOST} (?!^www\.)^(.+)$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,L]
The problem with this code is, as the preceding comment suggests, it tries to redirect to www, not the domain apex. But it is also fundamentally flawed since the first condition is not always met (when HTTPS is off and www is requested), so the %1 backreference is not always set (so the domain name is omitted from the redirect - as you have found).
If you want a generalised (ie. without explicitly stating the hostname) solution then you would need to do something like the following instead:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\. [OR]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
The above rule block states... for all requests that are either for the www subdomain OR are for HTTP then redirect to HTTPS, less the www subdomain (if any) at the same URL-path.
The purpose of the 3rd condition - which must always match - is to simply capture the hostname less the www subdomain (if any). This is then referenced using the %1 backreference in the RewriteRule substitution.
NB: Test with a 302 (temporary) redirect first to avoid caching issues.
You will need to clear your browser cache before testing.
UPDATE: it is redirecting to domainname.com:443
That shouldn't be happening with the above directives, unless perhaps the port is explicitly included in the request? (But is that a redirect for http or https?)
You can try changing the 3rd condition to read:
RewriteCond %{HTTP_HOST} ^(?:www\.)?([^:]+)
Or hardcode the canonical hostname, which is arguably preferable and more reliable (without knowing your system). For example:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\. [OR]
RewriteCond %{HTTPS} off
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
With this hardcoded solution, it cannot possibly redirect to anything other than the canonical URL - regardless of the request or system configuration.
EDIT#1: if I remove the htaccess file completely, the website still redirect to :443 if access from https
To help with debugging, try the following in your .htaccess file and then access https://your-domain.com/. What happens?
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule ^ - [F]
If you see a 403 Forbidden response then your web application would seem to be triggering this redirect. If not and you are still redirected then something in the main server config / virtual host would seem to be triggering the redirect.
EDIT#2: Yes, the response when i browse the https is 403 Forbidden.
That would seem to suggest that your web application is triggering this redirect.
And this would seem to be further backed up by the fact that you only seem to get this malformed redirect when requesting a valid URL, ie. one which only the app knows about. For example, https://example.com/contact (a valid page) is redirecting to http://example.com:443/contact (ERROR), but https://example.com/does-not-exist does not redirect (you get an application error / 404).
I have the same problem as the User in this thread. I basically want to redirect all http requests to https without www using htaccess.
I have implemented a solution to this problem and it does a pretty good job.
However, it does not redirect to the corresponding URI. If I visit my website on port 80 example.com/news I will be redirected to https://example.com/index.php which is basically the root page..
I really need your help guys, I totally have no clue about htaccess..
EDIT This is what my mod_rewrite looks like..
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
The issue probably is that you first rewrite to index.php and then make an external redirection. Try changing the order of the rules. Note that the L flag only terminates the current walk through the rule set. It is restarted after that. So first do the external direction to switch to the https protocol, then do the internal rewriting if that is corrected.
I've done some code so that the url gets passed to the index page and the index page then decides which page to load in. Initially it would redirect unless a file or directory existed, which was fine for most cases, but things like the php files I wanted to keep private, as they should only be referenced by index.php, and not actually called themselves.
With a bit of help, I managed to switch it so that it would redirect everything, aside from certain extensions, such as images and css files. I've only just noticed it'll still attempt work on files that don't exist, and come up with the default 404 page, but I'd prefer it to be passed to my code like all the other pages.
How would I merge these two rules, so that the redirect will only not happen if both the file exists, and its extension is allowed?
1. RewriteCond %{REQUEST_FILENAME} !-f
2. RewriteCond %{REQUEST_URI} !\.(?:jpe?g|gif|txt|php|bmp|png|ico|tiff|css|js)$
Here were the old rules (specific to the redirecting):
# If the request is not for a valid directory
RewriteCond %{REQUEST_FILENAME} !-d
# If the request is not for a valid file
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?_page_location=$1 [L,NC,NE]
And here is it as it currently stands:
Options -Indexes
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L,NC]
# Add trailing slash to directories
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule [^/]$ %{REQUEST_URI}/ [L,R=301,NE]
# If the request is not for known file types
RewriteCond %{REQUEST_URI} !\.(?:jpe?g|gif|txt|php|bmp|png|ico|tiff|css|js)$
RewriteRule .* index.php?_page_location=$0 [L,QSA]
<FilesMatch "^(.*)\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>
<FilesMatch "index\.php|info\.php">
Order allow,deny
Allow from all
</FilesMatch>
I would like to map "http://www.example.com/abc" to "http://www.example.com/test/abc" for having the shortest route possible. I am using pyroCMS for my users and content.
the default pyrocms file:
# Multiple Environment config
# Set this to development, staging or production
# SetEnv PYRO_ENV production
<IfModule mod_rewrite.c>
# Make sure directory listing is disabled
Options +FollowSymLinks -Indexes
# disable the Apache MultiViews directive if it is enabled on the server. It plays havoc with URL rewriting
Options -MultiViews
RewriteEngine on
# Keep people out of codeigniter directory and Git/Mercurial data
RedirectMatch 403 ^/.*/(vendor|composer\.json|composer\.lock|system/cms/cache|system/codeigniter|system/cms/config|system/cms/logs|\.git|\.hg).*$
# Send request via index.php (again, not if its a real file or folder)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
<IfModule mod_php5.c>
RewriteRule ^(.*)$ index.php/$1 [L]
</IfModule>
<IfModule !mod_php5.c>
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
</IfModule>
I would like to add this rule to the file:
RewriteRule ^([a-z0-9_]+)$ test/$1
To rewrite "BASE_URL/abc" to "BASE_URL/test/abc"
However,
i tried many positions as to where to put this RewriteRule, my website keeps giving a "Page Missing".
Is my RewriteRule ok? And where do i insert it?
PyroCMS has built-in modular routing ability. see here:
http://docs.pyrocms.com/2.2/manual/developers/basics/modular-routing
If your "http://www.example.com/abc" refers to a custom module,then, you can add a file named "routes.php" in a in config folder of your module.
the folder construction should like this :
addones/shared_addons/modules/your-module/config/routes.php
OR even you can edit the core route config file located at system/cms/config/routes.php and add this line or whatever your routing rules are:
$route['abd'] = 'test/abd';
OR more even, at your control pannel there is a redirect module that you can add redirections.
It all depends on what your rule is supposed to do and how it is supposed to interact (or not interact) with the rest of your site. And considering your entire htaccess file is mostly commented out code (which I removed to make it halfway readable), you just want to place it under RewriteEngine On.
However, since it blindly routes everything into test you need to add a few conditions and make it something lilke:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{DOCUMENT_ROOT}/test%{REQUEST_URI} -f [OR]
RewriteCond %{DOCUMENT_ROOT}/test%{REQUEST_URI} -d
RewriteRule ^([a-z0-9_]+)$ test/$1 [L]