How do I block proxy sites from copying my site? - .htaccess

I have a site and I see that there are proxies which are messing up my SEO. What I mean is not that someone connects through a proxy, but that there are domains which, when you go to them, look EXACTLY like my site; even if I upload something to my FTP I can access it from the other site. I want to block all access from other domains to my content. Blocking IPs one by one is too hard; someone is making proxies all the time and they change IP every time. So what I want is that the site can only be accessed if my site name is in the browser URL (example.com/mypage, not proxy.com/mypage, which shows the same content except that all occurrences of my site name are replaced).
Here is my current htaccess code. I'm using nginx as a reverse proxy.
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
RewriteRule ^inc/.*$ index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_URI} !-l
RewriteCond %{REQUEST_FILENAME} !\.(ico|css|png|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ index.php [QSA,L]

You can detect bot requests by googling random strings from your site, then following the links, then looking into the logs. Then block those IPs.
You can enable some kind of JavaScript protection on your site: detect the current address/host, then compare it to yours, and redirect to your domain if it does not match.
Use imagination and patterns.
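The log-based approach from the answer above, as an added example that is not part of the original posts: request a page through the mirror domain with a unique marker in the query string, then look in the front-end access log for the client IPs that fetched that marker. The marker value, the sample log lines and the function names are assumptions constructed for illustration; the output uses nginx's `deny` directive because the question has nginx in front of Apache.

```python
import ipaddress
import re

# "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_mirror_fetchers(log_lines, canary, own_ips=()):
    """Return sorted client IPs that requested a URL containing `canary`,
    excluding the site owner's own addresses."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    hits = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or canary not in m.group("path"):
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed client field: skip rather than emit a bad rule
        if ip not in own:
            hits.add(ip)
    # Sort by (version, value) so mixed IPv4/IPv6 sets do not raise TypeError.
    return sorted(hits, key=lambda ip: (ip.version, int(ip)))

def nginx_deny_rules(ips):
    """Render nginx `deny` directives for the front-end reverse proxy."""
    return [f"deny {ip};" for ip in ips]

# Constructed sample data (documentation-range addresses, not real traffic).
CANARY = "zq7-canary-41f9"   # hypothetical marker requested via the mirror domain
OWN_IPS = ["192.0.2.10"]     # the owner's own test request is ignored
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jan/2024:10:00:01 +0000] "GET /mypage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /mypage?zq7-canary-41f9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /mypage?zq7-canary-41f9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.99 - - [01/Jan/2024:10:00:12 +0000] "GET /other?x=zq7-canary-41f9 HTTP/1.1" 200 900 "-" "curl/8.0"',
    'not-an-ip - - [01/Jan/2024:10:00:13 +0000] "GET /mypage?zq7-canary-41f9 HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for rule in nginx_deny_rules(find_mirror_fetchers(SAMPLE_LOG, CANARY, OWN_IPS)):
        print(rule)
```

Because the question says the proxies change IP every time, the marker request has to be repeated and the rules regenerated whenever a new mirror address appears.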

Related

Exclude specific browsers (Puffin and Photon) from HTTP/HTTPS rewrite in .htaccess

So my site is going secure. Except one directory (/da) has old Flash content (that I cannot edit) that simply refuses to work under SSL. So, I pieced a few StackOverflow user solutions (THANK YOU!) together, wrote a HTTP --> HTTPS rewrite where I carve out an exception for the /da directory and got that much working just fine.
The only issue is with mobile browsers which play Flash content (such as Puffin and Photon). For some reason, they don't like the rewrite code and continue to open the /da directory under HTTPS... thus the Flash content doesn't work.
I thought that I could just exclude those browsers from the rewrite, but I can't get that piece to work. Please see below and let me know what I'm doing wrong. It's the "Puffin|BonEcho" line which I'm trying to get to work. Am I doing it wrong?
Or is there a better solution? Is there a way to get Puffin and Photon to comply with the HTTP/HTTPS rewrite script?
Thanks!
RewriteEngine On
RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
# Force HTTPS for anything which isn't /da
RewriteCond %{HTTPS} =on
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/da [NC]
RewriteCond %{HTTP_USER_AGENT} !"Puffin|BonEcho" [NC,OR]
RewriteRule ^(da) http://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
# Force HTTP for anything which is /da
RewriteCond %{HTTPS} !=on
RewriteCond %{THE_REQUEST} !^[A-Z]+\s/da [NC]
RewriteRule !^da https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
# Remove index.php from URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1

Not the whole site using SSL

Our site, www.divestyle.co.uk uses an SSL certificate throughout the site, except when it goes to the online shop which is built in Magento, all on the same hosting. I built the main site which uses the SSL and the wordpress blog but for some reason the shop does not.
http://www.divestyle.co.uk/dive-shop/scuba-diving/regulators.html
You can see that the URL does not have the SSL padlock on.
Any ideas why not? We had some issues with the htaccess with the redirects which we fixed on another question, so I am adding the htaccess file on here too in case we need to add something to it. We obviously want to make sure that changing the URL to https will not affect any of the sales we can receive.
# -- concrete5 urls start --
# -- Force www: #
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
# force https
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.divestyle.co.uk/$1 [R,L]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# -- Wordpress #
RewriteRule ^divestyle_blog/index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule divestyle_blog/. divestyle_blog/index.php [L]
# -- /Wordpress #
# --Magento #
RewriteRule ^dive-shop/index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule dive-shop/. dive-shop/index.php [L]
# -- /Magento #
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule . index.php [L]
</IfModule>
# -- concrete5 urls end --
------- UPDATE -------
I have changed my .htaccess file so the 2nd one matches this, RewriteRule ^(.*)$, but the site is still coming up as insecure. See the screenshots. It mentions the images.
https://www.dropbox.com/s/3w6sfnjn8pgcxg8/Screenshot%202017-12-13%2007.38.04.png?dl=0
https://www.dropbox.com/s/zw8ujcg2wj9arpp/Screenshot%202017-12-13%2007.37.58.png?dl=0
When I asked the developer about the issues, he sent me this, not sure if this helps get to the bottom of this:
“The 'httponly' option has been created like this on purpose. There is a type of website attack called XSS.
If someone managed to inject some JavaScript code onto your site (which on some sites can be via adverts) then they would be able to read the contents of any cookies. If the cookie contained a session id for a logged in user they would be able to read that and send it back out to someone and they would be able to log in as that user without requiring their username and password. A 'httponly' option tells the browser that the cookie should only be sent over http (which includes https in this definition) and not made available to JavaScript or anything else running within the local browser.”
This is probably guilty because of bad syntax:
RewriteRule ^/?(.*) https://www.divestyle.co.uk/$1 [R,L]
You should match ^/(.*)$ as on the first rule
Forcing https is like magic. I had to try multiple solutions from the internet, that people claimed to work, and they didn't on my server.
Here is my snippet, that works ;)
# SSL
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
Try it instead of your rule under # force https comment.

Redirect only sub pages using htaccess

I have a website (WordPress multisite) for which I've moved a bunch of content from the root domain (http://domain[dot]com) to a sub domain (http://sub.domain[dot]com). Now I need to direct users from all the pages of the root site (http://domain[dot]com/page) to their new location (http://sub.domain[dot]com/page). But... and here's the bit I'm really struggling with... I need to omit the root URL from this rewrite as there is another 'geo-redirect' in place that I need to not affect. What I need to do therefore is redirect ONLY those sub pages and NOT the parent/main domain.
Here's (a recent iteration of) what I'm working with:
# ignore the home page, not working :(
RewriteCond %{HTTP_HOST} !^(.*)\.routetogreatness\.com$ [NC]
# redirect all the sub pages, works
RewriteCond %{HTTP_HOST} ^routetogreatness.com [NC]
RewriteRule ^(.*)$ http://global.routetogreatness.com/$1 [L,R=301]
Any help will be very gratefully received.
I think what you are searching for is a condition that checks if the file that is requested is not a filename. That's what RewriteCond %{REQUEST_FILENAME} !-f does. It is true if %{REQUEST_FILENAME} (I believe an absolute path to a file on the server, based on the request) is not a file. (Please note: I haven't tested this code as I don't have access to a server at this location, but I think it should work.)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTP_HOST} ^domain.com [NC]
RewriteRule ^(.*)$ http://sub.domain.com/$1 [L,R=301]
Another solution would be to only rewrite the URL if the requested URL contains a slash. It would redirect domain.com/folder/index.php, but not domain.com/index.php.
RewriteCond %{REQUEST_URI} ^/([^/]+)/(.+)$
RewriteCond %{HTTP_HOST} ^domain.com [NC]
RewriteRule ^(.*)$ http://sub.domain.com/$1 [L,R=301]
Okay, so the above solution didn't quite work out for me, as it turned out that while this worked beautifully on sub/child pages, it would skip over parent pages as well as the home page (like domain/news for example). I've eventually run with this:
RewriteCond %{REQUEST_URI} !^/$
RewriteCond %{HTTP_HOST} ^domain.com [NC]
RewriteRule ^(.*)$ http://sub.domain.com/$1 [L,R=301]
This just skips over the home page or root URL and redirects everything else, even 404s.

Using .htaccess to redirect traffic to same domain

Well it's kind of hard typing a title to describe what I want to do.
Basically I have a website that I've been asked to develop a mobile site for. This website has various domains (such as .co.za,.com,.za.net) but they all run from the same folder on the server (so I only have one .htaccess file).
I want to be able to redirect the traffic that goes to www.example.co.za to m.example.co.za and traffic that goes to www.example.com to m.example.com.
How would I need to modify this .htaccess file to achieve that?
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "alcatel|amoi|android|avantgo|blackberry|benq|cell|cricket|docomo|elaine|htc|iemobile|iphone|ipad|ipaq|ipod|j2me|java|midp|mini|mmp|mobi|motorola|nec-|nokia|palm|panasonic|philips|phone|playbook|sagem|sharp|sie-|silk|smartphone|sony|symbian|t-mobile|telus|up\.browser|up\.link|vodafone|wap|webos|wireless|xda|xoom|zte" [NC]
RewriteRule ^$ http://m.example.com/ [L,R=302]
How about:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "alcatel|amoi|android|avantgo|blackberry|benq|cell|cricket|docomo|elaine|htc|iemobile|iphone|ipad|ipaq|ipod|j2me|java|midp|mini|mmp|mobi|motorola|nec-|nokia|palm|panasonic|philips|phone|playbook|sagem|sharp|sie-|silk|smartphone|sony|symbian|t-mobile|telus|up\.browser|up\.link|vodafone|wap|webos|wireless|xda|xoom|zte" [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?(.*)$ [NC]
RewriteRule ^(.*)$ http://m.%2/ [L,R=302]

Force secure server on select page via htaccess not working

I am using a mod_rewrite to force two pages to use HTTPS, while all other pages should remain HTTP. Currently, I can successfully force HTTPS on the pages I need -- however, when I try to change all other pages to HTTP, my HTTPS pages become unsecure. I am guessing this is because the rule is changing the URLs for the assets which the HTTPS page is loading for some reason.
Any ideas? Here is the .htaccess file I'm working with.
(Note that the ENV:HTTPS method is required on my host)
# FORCE HTTPS (WORKS JUST FINE)
RewriteCond %{ENV:HTTPS} !on [NC]
RewriteCond %{REQUEST_URI} ^(/index\.php|)/(donate|achdebit)/?$
RewriteRule ^(.*)$ https://www.site.org/$1 [R,NC,L]
# FORCE HTTP (IF ADDED, BREAKS THE SITE)
RewriteCond %{ENV:HTTPS} on [NC]
RewriteCond %{REQUEST_URI} !^(/index\.php|)/(donate|achdebit)/?$
RewriteRule ^(.*)$ http://www.site.org/$1 [R,NC,L]
I believe you are correct when you surmise that the second rule will force assets (css/js etc) that the secure page requests to be redirected to http. To prevent this, add the following:
# FORCE HTTP (IF ADDED, BREAKS THE SITE)
RewriteCond %{ENV:HTTPS} on [NC]
RewriteCond %{REQUEST_URI} !^(/index\.php|)/(donate|achdebit)/?$
#NEW# only redirect requests that are not for existing files
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ http://www.site.org/$1 [R,NC,L]
or explicitly exclude assets by replacing #NEW# above with
# only redirect requests that are not for static assets
RewriteCond %{REQUEST_URI} !\.(css|js|png|gif|etc) [NC]
