I am trying to restrict access to my Laravel 5.3 app with Apache.
My app is available internally but receives post backs from various external sources. There is a port forward set up with NAT disabled so I can tell internal from external requests.
All URL's should show a 403 except if example.com/api/external/... is the URL. I have the following htaccess (default for Laravel 5.3)
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
my vhost config
<Directory /var/www/mailer/public/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Location />
Order deny,allow
deny from all
allow from 10.64.1.0/24
allow from 10.64.20.0/24
</Location>
<Location /api/external/smsPost>
Allow from all
</Location>
Whenever I access any URL from an external address I still get the 403 even on the allowed location.
You don't have permission to access /index.php on this server.
I think because it has /index.php even on example.com/api/external/smsPost that it is an issue with htaccess and the location directive not working for this purpose. Is there any way I can achieve what I need with this directive?
Many thanks.
Why don't you use a laravel middleware and bind it to your restricted routes?
public function handle($request, Closure $next)
{
if(Route::getCurrentRoute()->getPath() == "api/external/")
return response('You don't have permission to access /index.php on this server.', 403);
// return the $next closure, so other Middlewares can run
return $next($request);
}
Related
here is the thing. localhost development works fine. as I move to shared hosting try to configure codeigniter4 I'm facing issues with routes.
I use softaculouse to install CI4 on the main directory (public_html). when I try to configure the routes things work fine except
when I write the domain name.
example
https://example.com/ (Issue) it will send me to https://example.com/public/ (Code 500)
I contacted support they claim the issue in public folder I'm not allowed to add .htaccess so they deleted it for me .htaccess file in public. things work fine. however; when I write https://example.com/ works but the URL in the address bar changes to https://example.com/public
How to remove /public ?
is it a .htaccess configuration?
is it an issue with Apache configuration from hosting company side?
by the way
https://example.com/home (No problem)
https://example.com/en (No Problem) after modifying routes using {locale}
htaccess in public_html
# To prevent access to .env and other files
<Files .*>
# Apache 2.2
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
# Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</Files>
<IfModule mod_alias.c>
RedirectMatch 301 ^/$ https://example.com/public
</IfModule>
This is htaccess which initially was generated inside public folder (Its standard generated by composer i think)
# Disable directory browsing
Options All -Indexes
# ----------------------------------------------------------------------
# Rewrite engine
# ----------------------------------------------------------------------
# Turning on the rewrite engine is necessary for the following rules and features.
# FollowSymLinks must be enabled for this to work.
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
# If you installed CodeIgniter in a subfolder, you will need to
# change the following line to match the subfolder you need.
# http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
# RewriteBase /
# Redirect Trailing Slashes...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Rewrite "www.example.com -> example.com"
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
# Checks to see if the user is attempting to access a valid file,
# such as an image or css document, if this isn't true it sends the
# request to the front controller, index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([\s\S]*)$ index.php/$1 [L,NC,QSA]
# Ensure Authorization header is passed along
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
<IfModule !mod_rewrite.c>
# If we don't have mod_rewrite installed, all 404's
# can be sent to index.php, and everything works as normal.
ErrorDocument 404 index.php
</IfModule>
# Disable server signature start
ServerSignature Off
# Disable server signature end
I have a Silverstripe platform website that has duplicate URLs for www, non-www, http and https
There seem to be multiple solutions but no definitive answer. Is there someone that knows the correct code for the htaccess file for Silverstripe?
I want to get all pages pointing to https ://www
This is the current code in the htaccess file -
ErrorDocument 401 /base/401.txt
### SILVERSTRIPE START ###
# Deny access to templates (but allow from localhost)
<Files *.ss>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>
# Deny access to IIS configuration
<Files web.config>
Order deny,allow
Deny from all
</Files>
# Deny access to YAML configuration files which might include sensitive information
<Files ~ "\.ya?ml$">
Order allow,deny
Deny from all
</Files>
# Route errors to static pages automatically generated by SilverStripe
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html
<IfModule mod_env.c>
# Ensure that X-Forwarded-Host is only allowed to determine the request
# hostname for servers ips defined by SS_TRUSTED_PROXY_IPS in your _ss_environment.php
# Note that in a future release this setting will be always on.
SetEnv BlockUntrustedIPs true
</IfModule>
<IfModule mod_rewrite.c>
# Turn off index.php handling requests to the homepage fixes issue in apache >=2.4
<IfModule mod_dir.c>
DirectoryIndex disabled
</IfModule>
RewriteEngine On
# non-www to www redirect
#RewriteCond %{HTTP_HOST} ^bolstered.com.au$ [NC]
#RewriteRule (.*) https://www.bolstered.com.au/$1 [R=301,L]
# http to https redirect
#RewriteCond %{HTTPS} !=on
#RewriteRule ^ (.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Enable HTTP Basic authentication workaround for PHP running in CGI mode
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Deny access to potentially sensitive files and folders
RewriteRule ^vendor(/|$) - [F,L,NC]
RewriteRule silverstripe-cache(/|$) - [F,L,NC]
RewriteRule composer\.(json|lock) - [F,L,NC]
RewriteCond %{REQUEST_URI} ^(.*)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !\.php$
RewriteRule .* index.php?url=%1&%{QUERY_STRING} [L]
</IfModule>
### SILVERSTRIPE END
I typically keep the SilverStripe part between ### SILVERSTRIPE START ### and ### SILVERSTRIPE END ### untouched and put my rules only before or after those of silverstripe.
There is no issue with having RewriteEngine On twice.
I also did not bother to check if mod_rewrite exists, because all my servers will have it enabled and I wouldn't let a client put it on a server without it.
Here is a full example of a .htaccess that I would typically use in silverstripe a project:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^localhost [NC]
RewriteCond %{HTTP_HOST} !^127.0.0.1 [NC]
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} !^www\.examle\.org [NC]
RewriteRule ^ https://www.examle.org%{REQUEST_URI} [R=301,L]
### SILVERSTRIPE START ###
# Deny access to templates (but allow from localhost)
<Files *.ss>
Require ip 127.0.0.1
</Files>
# Deny access to IIS configuration
<Files web.config>
Require all denied
</Files>
# Deny access to YAML configuration files which might include sensitive information
<Files ~ "\.ya?ml$">
Require all denied
</Files>
# Route errors to static pages automatically generated by SilverStripe
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html
<IfModule mod_rewrite.c>
# Turn off index.php handling requests to the homepage fixes issue in apache >=2.4
<IfModule mod_dir.c>
DirectoryIndex disabled
DirectorySlash On
</IfModule>
SetEnv HTTP_MOD_REWRITE On
RewriteEngine On
# Enable HTTP Basic authentication workaround for PHP running in CGI mode
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Deny access to potentially sensitive files and folders
RewriteRule ^vendor(/|$) - [F,L,NC]
RewriteRule ^\.env - [F,L,NC]
RewriteRule silverstripe-cache(/|$) - [F,L,NC]
RewriteRule composer\.(json|lock) - [F,L,NC]
RewriteRule (error|silverstripe|debug)\.log - [F,L,NC]
RewriteRule ^Security - [F,L,NC]
# Process through SilverStripe if no file with the requested name exists.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php
</IfModule>
### SILVERSTRIPE END ###
Step-by-step explanation:
Turns on the rewrite engine
RewriteEngine On
The 4 RewriteCond are all conditions connected to the RewriteRule below it.
RewriteCond %{HTTP_HOST} !^localhost [NC]
RewriteCond %{HTTP_HOST} !^127.0.0.1 [NC]
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} !^www\.examle\.org [NC]
Multiple conditions will be a logical AND, unless you add a [OR].
[NC] stands for no-case, so not case-sensitive
The first 2 are an exception for localhost/127.0.0.1 to ensure a redirect will not be done when I am developing on my workstation.
3 is checking if https if off
4 is checking if the domain is correct
So speaking in pseudo code, it's like this:
if ($HTTP_HOST != "localhost" && $HTTP_HOST != "127.0.0.1" AND ($HTTPS != "on" OR $HTTP_HOST != "www.examle.org") {
do_redirect();
}
The actual redirect
RewriteRule ^ https://www.examle.org%{REQUEST_URI} [R=301,L]
It's redirecting to the desired domain and attaches the path (/foo/bar) and the query paramters (?foo=bar) to it.
R=301 is the http response code. If you wanted a temporary redirect you could make it 302.
L means Last I think, which will stop the processing at this point and will not continue to try other rules below.
Alternatives:
.htaccess is the best way to do it. But it's worth pointing out that this is not the only option.
You could do it in plain PHP, in the config of any/most webservers, ...
And SilverStripe has builtin methods for doing the check & redirect:
Director::forceSSL();
Director::forceWWW();
but as said, .htaccess is much better (much faster and only a single redirect)
**I'm working on an apache secured web server hosted on an ubuntu-server.16.04
I'm sending on prod my first project on symfony and I did quite well since now. I'm trying to rewrite url so when I want to go on my project dashboard, the url would be "../dashboard/" instead of (actually like this) "../index.php/dashboard/"
But when I try to go on this url, the server redirect me out of the symfony app and throw me a basic apache 404 error, not a symfony handled error.
I think this can be edited in the .htaccess file but I can't find out how to make him perform all url as symfony routes, that's my question.
Tried multiple code found on google
htaccess
DirectoryIndex index.php
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
RewriteRule ^(.*) - [E=BASE:%1]
RewriteCond %{HTTP:Authorization} .
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^index\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ - [L]
RewriteRule ^ %{ENV:BASE}/index.php [L]
</IfModule>
<IfModule !mod_rewrite.c>
<IfModule mod_alias.c>
RedirectMatch 302 ^/$ /index.php/
</IfModule>
</IfModule>
You need to enable apache rewrite.
Please follow these steps :
In a terminal use the following commands:
$sudo a2enmod rewrite
Change AllowOverride in apache conf file:
$sudo nano /etc/apache2/apache2.conf
Change the AllowOverride from None to All in this block
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
At last, restart apache2
$sudo service apache2 restart
I'd like my users to go to
red.example.com
and what they actually see is a page served up from
blue.example.com/red
Is this possible using .htaccess? Essentially it's a redirect, but I don't want to have the URL change in the address bar.
Edit
Adding virtual host info.
RewriteEngine On
RewriteRule /<none> / [L,R]
<IfDefine USE_PHP_FPM>
<Proxy "unix:/opt/bitnami/php/var/run/wordpress.sock|fcgi://wordpress-fpm" timeout=300>
</Proxy>
</IfDefine>
<Directory "/opt/bitnami/apps/wordpress/htdocs">
AuthType Basic
AuthName Coincurve
AuthUserFile "/opt/bitnami/apache2/wordpress_users"
Require valid-user
Options +MultiViews +FollowSymLinks
AllowOverride None
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3>
# Require all granted
</IfVersion>
<IfDefine USE_PHP_FPM>
<FilesMatch \.php$>
SetHandler "proxy:fcgi://wordpress-fpm"
</FilesMatch>
</IfDefine>
RewriteEngine On
#RewriteBase /wordpress/
RewriteRule ^index\.php$ - [S=1]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
Include "/opt/bitnami/apps/wordpress/conf/banner.conf"
</Directory>
Include "/opt/bitnami/apps/wordpress/conf/htaccess.conf"
I've only got one actual server at mydomain.com. the red and blue subdomains are just both pointing to that mydomain.com's IP address.
If the subdomains are all pointing to the same place (the root of the main domain) then you probably don't need to "redirect" to a different hostname (that would involve the use of mod_proxy and configuring a reverse proxy). In other words blue.example.com/red points to the same as red.example.com/red - so it becomes a relatively simple internal rewrite.
(Although your vhost config is incomplete, I assume you have some ServerAlias directives in there somewhere?)
For example:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^red\.example\.com [NC]
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^ /red%{REQUEST_URI} [L]
The check against the REDIRECT_STATUS environment variable is to ensure we only rewrite the initial request from the client, ie. not rewritten requests, thus avoiding a rewrite loop. REDIRECT_STATUS is empty initially and set to "200" after the first successful rewrite. Otherwise, this unconditionally rewrites everything, so it's possible to have a /red subdirectory inside the root /red directory if you wished.
I Deployed a Laravel web application on a Tumbleweed openSUSE. I can access all routes defined in routes/web.php, but all routes in routes/api.php returned 404 not found.
Here's my apache2 httpd.conf file:
Include /etc/apache2/uid.conf
Include /etc/apache2/server-tuning.conf
<IfDefine !SYSCONFIG>
Include /etc/apache2/loadmodule.conf
</IfDefine>
<IfDefine !SYSCONFIG>
Include /etc/apache2/global.conf
</IfDefine>
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf
Include /etc/apache2/mod_reqtimeout.conf
Include /etc/apache2/mod_cgid-timeout.conf
Include /etc/apache2/mod_usertrack.conf
Include /etc/apache2/mod_autoindex-defaults.conf
TypesConfig /etc/apache2/mime.types
Include /etc/apache2/mod_mime-defaults.conf
Include /etc/apache2/errors.conf
Include /etc/apache2/ssl-global.conf
# forbid access to the entire filesystem by default
<Directory />
Options None
AllowOverride All
<IfModule !mod_access_compat.c>
Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order deny,allow
allow from all
</IfModule>
</Directory>
<Directory "/srv/www">
AllowOverride All
</Directory>
AccessFileName .htaccess
<Files ~ "^\.ht">
<IfModule !mod_access_compat.c>
Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
allow from all
</IfModule>
</Files>
DirectoryIndex index.html index.html.var
Include /etc/apache2/default-server.conf
and this is my .htaccess file I put inside the htdocs folder
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
RewriteEngine On
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
I hope someone can help me on this. I'm pretty new to linux especially openSUSE. Also, I'm sorry for my bad English.
If you are defining routes inside api.php, then your URL should be called prefix as API:
http://someurl.com/api/get/user