Is this .htaccess config safe? - .htaccess

I was having trouble with some open-source software which I couldn't figure out. Eventually I found somebody with different problems but the same error codes who solved it by adding the following lines to .htaccess:
<Limit GET POST>
order deny,allow
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
allow from all
</Limit>
But I am not sure what this means, and whether it is safe in terms of security.

The additional <Limit> container allows PUT and DELETE type requests, which have probably been disabled on the server. It is best practice to restrict access methods that are not required.
However, your software probably implements a REST API, in which case the PUT and DELETE request methods are probably required (hence your earlier error messages).
Incidentally, those two blocks can be combined:
<Limit GET POST PUT DELETE>
order deny,allow
allow from all
</Limit>
.htaccess files are per-directory Apache config files. If you have access to the main server config then they are not required and best disabled (performance and security). However if you are on a shared server you probably have no choice.
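The same policy written the other way round, as an added example rather than the answer's own code: instead of listing with <Limit> the methods that are allowed, which says nothing about methods you forgot to list, refuse every method the REST API does not use. It assumes the API needs only GET, HEAD, POST, PUT and DELETE, and shows the Apache 2.4 "Require method" form next to the 2.2 <LimitExcept> form, selected with <IfModule> so the two syntaxes are never active in the same scope.

```apache
# Added example: the directory answers only the methods the REST API uses;
# everything else (OPTIONS, PATCH, PROPFIND, a made-up verb, ...) gets 403.
# TRACE is not covered by <Limit>/<LimitExcept>; disable it server-wide
# with "TraceEnable off" in httpd.conf.

# Apache 2.4 (mod_authz_core): one positive rule, so nothing falls through.
# HEAD shares GET's method number in Apache; listing it is just explicit.
<IfModule mod_authz_core.c>
    Require method GET HEAD POST PUT DELETE
</IfModule>

# Apache 2.2 (or 2.4 with only mod_access_compat): <LimitExcept> instead of
# <Limit>, so a method that is not listed is refused rather than ignored.
# Order is tracked per method, so GET/POST/PUT/DELETE keep the default.
<IfModule !mod_authz_core.c>
    <LimitExcept GET POST PUT DELETE>
        Order allow,deny
        Deny from all
    </LimitExcept>
</IfModule>
```

If browsers call the API cross-origin, add OPTIONS to both lists so CORS preflight requests are not refused. Check the result with curl -X PATCH (or any invented method name) against a URL in the directory: a 403 means the rule is doing its job.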

Related

Allow GET requests only from specific domains by using htaccess

How can I allow GET requests only from specific domains by using htaccess in a more reliable way than using Referer (which can be manipulated).
Current, imperfect, solution:
SetEnvIfNoCase Referer domain\.com ALLOWED_DOMAIN
Order Deny,Allow
Deny from All
Allow from env=ALLOWED_DOMAIN
The solution can also be based on the IP of a domain (not the user's machine).
Use the <Limit> directive in your htaccess instead, this way:
<Limit GET POST>
order deny,allow
deny from all
allow from domain.com anotherone.com onemore.com
</Limit>
Let me know if this answer works for you.

htaccess allow country domain

I would like to block all countries except mine which is Brunei. The domain is .bn
<Limit GET POST PUT>
order deny,allow
deny from all
allow from .bn
allow from *.bn
allow from *.*.bn
allow from *.*.*.bn
</Limit>
My hostname/address: smp-85-139.simpur.net.bn, so I believe the code below works:
allow from *.*.*.bn
But I still get forbidden access. Is anything missing here?
I tried with an IP but am still blocked:
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 202.152.*.*
</Limit>
My IP is 202.152.85.139
UPDATE:
It appears my web host is using nginx so this setting won't work at all if I'm right.
Here is an .htaccess allow list for Brunei Darussalam, courtesy of Country IP Blocks. The data is correct and current as of 4/20/13.
If your hosting company allows you to use .htaccess, you can copy and paste the data below into an .htaccess file and load it into your root:
<Limit GET POST>
order deny,allow
allow from 61.6.192.0/18
allow from 103.4.188.0/22
allow from 103.12.208.0/23
allow from 103.16.120.0/22
allow from 103.17.24.0/22
allow from 103.18.172.0/22
allow from 103.20.24.0/22
allow from 118.103.248.0/21
allow from 119.160.128.0/18
allow from 156.31.0.0/16
allow from 158.161.0.0/16
allow from 192.94.122.0/24
allow from 202.12.26.0/24
allow from 202.59.230.0/24
allow from 202.90.36.0/24
allow from 202.93.208.0/20
allow from 202.152.64.0/19
allow from 202.160.0.0/19
allow from 202.160.32.0/20
deny from all
</Limit>

How secure is htaccess authentication

I need to protect a client's CMS with a username and password; only one username is needed. I was going to use htaccess because it's so quick to add.
I'll be adding it using the password directories feature in WHM, which stores the passwords here:
AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
How secure is this? Are there ways to get into folders such as .htpasswds?
Straight from Apache's documentation:
The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.
Please read the rest in the Apache documentation.
Please read the comments; things have changed since 2011. Good catch, #reve_etrange.
You should deny access to the folder that contains passwd files
<Directory /home/*>
Order allow,deny
Deny from all
Satisfy all
</Directory>
Also don't forget that HTTP traffic can be captured, so it won't be suitable for financial transactions.
As long as you set up the proper restrictions in your httpd.conf file to block external requests for .htaccess and .htpasswd, you should be okay.
You can block external requests (in Apache) with the following directives:
# The following code hides .htaccess and .htpasswd files from sites visitors.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
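Putting the three answers together, here is an added example (not code from any of them) of the .htaccess for the CMS directory. It keeps the password file at the path from the question, which WHM already places outside public_html, so the web server never serves it; the "^\.ht" block above is the safety net for a .htpasswd that does end up under the document root. It also refuses plain HTTP for the directory, because Basic auth sends the credential base64-encoded, not encrypted, with every request; whether you use Basic or Digest, TLS is what keeps it off the wire. Assumes Apache 2.4 (htpasswd -B needs 2.4.4 or later) with mod_auth_basic and mod_ssl.

```apache
# Added example: /cms behind Basic auth, accepted only over TLS.
# Password file is the one WHM created, outside public_html. Create the
# single account with a bcrypt hash rather than the old crypt/MD5 formats:
#   htpasswd -B /home/username/.htpasswds/public_html/cms/passwd editor
# (add -c only the very first time; -c recreates the file and drops
# every existing entry)
AuthType Basic
AuthName "CMS"
AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
Require valid-user

# Refuse plain HTTP here instead of redirecting: by the time a redirect to
# https arrives, the browser has already sent the Authorization header.
# Deliberately not wrapped in <IfModule mod_ssl.c>: if mod_ssl is missing,
# a 500 error on this directory is better than silently failing open.
SSLRequireSSL
```

Anything that runs as the same Unix user as the site (a compromised plugin, an uploaded script) can still read the password file, which is why the hash format matters and why the write-only directories in the next question need their own hardening.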

Allow safe FTP upload

I'd like to allow my friend to upload some photos for me over FTP to my server (shared host). It's a trusted friend, but I'd still like to block the execution of any PHP or similar scripts, etc.
How can I use .htaccess (in a directory above the one I allow FTP to access) to block everything except a list of approved extensions (images) and disallow .htaccess (to prevent any further modifications)?
Does such method still have security risks?
Thanks!
You should be able to use
# everything in the directory: denied, except for the hosts you list
<FilesMatch ".+">
Order Deny,Allow
Deny From All
# or whatever hosts you want; a comment cannot share a line with a directive
Allow From localhost
</FilesMatch>
# image files: open to everyone (extend the list of extensions as needed)
<FilesMatch "\.(jpg|gif|stuff)$">
Order Deny,Allow
Allow From All
</FilesMatch>
EDIT
For preventing further modifications to .htaccess, you need to set filesystem permissions accordingly (i.e. OS-dependent), since you are most likely going to give your friend full FTP access (including delete/overwrite/append).
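An added example, not the answer's code, of what the .htaccess for an FTP-writable photo directory can look like on a shared host. It assumes mod_php (PHP-FPM hosts have no php_flag directive, but do not need it here) and that AllowOverride for the path includes Limit, Options and FileInfo. The point it adds to the answer is the file-name pattern: allowing "anything that ends in .jpg" is not enough where mod_mime has a handler bound to .php with AddHandler, because "shell.php.jpg" then still runs as PHP; so only names made of one plain base name plus one image extension are served, and every other name, .htaccess and index.php included, gets 403 before any handler sees it.

```apache
# Added example: .htaccess for a directory that an FTP user can write to.

# Nothing in here is a script, a CGI or a server-side include, whatever
# it is called, and no directory listing either.
Options -ExecCGI -Includes -Indexes
# mod_php is named mod_php7.c (PHP 7) or mod_php.c (PHP 8); each block is
# skipped when that module is not loaded, so neither one causes a 500.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Deny by default, then allow only complete names of the form
# base.ext with a single dot: "shell.php.jpg", "x.jpg.php", ".htaccess"
# and "index.php" all fail the pattern; "photo.JPG" passes because the
# extension match is case-insensitive.
<IfModule mod_authz_core.c>
    <FilesMatch ".+">
        Require all denied
    </FilesMatch>
    <FilesMatch "^[A-Za-z0-9_-]+\.(?i:jpe?g|png|gif)$">
        Require all granted
        # serve as a static file even if some handler is bound to the extension
        SetHandler default-handler
        # stop browsers from sniffing an uploaded "image" as HTML
        <IfModule mod_headers.c>
            Header set X-Content-Type-Options nosniff
        </IfModule>
    </FilesMatch>
</IfModule>

# Apache 2.2 (or 2.4 with only mod_access_compat): same policy, old syntax.
<IfModule !mod_authz_core.c>
    <FilesMatch ".+">
        Order allow,deny
        Deny from all
    </FilesMatch>
    <FilesMatch "^[A-Za-z0-9_-]+\.(?i:jpe?g|png|gif)$">
        Order allow,deny
        Allow from all
        SetHandler default-handler
    </FilesMatch>
</IfModule>
```

This file must live where the FTP account cannot write. A deeper .htaccess is processed later and overrides the one in the parent, so a .htaccess the friend drops into the upload directory itself can switch the engine back on and grant access again; the filesystem permissions the answer's edit mentions (or an AllowOverride None for that subdirectory in the server config, if the host will do it) are what actually close that hole, not the directives above.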

How to allow access only within country

I found this web site to generate a .htaccess to block access from a certain country.
The problem with this is that I want to allow access only within Norway. If I use this service, the list will be very long, since I would have to list all the other countries' IP addresses.
Is there any way to allow access only within a country, in my case Norway?
Change all occurrences of 'deny' to 'allow', and all occurrences of 'allow' to 'deny'. Then move the 'deny from all' condition from the end to the beginning of the list.
eg.
<Limit GET HEAD POST>
order allow,deny
deny from 41.205.32.0/19
deny from ....
allow from all
</Limit>
becomes
<Limit GET HEAD POST>
order deny,allow
deny from all
allow from 41.205.32.0/19
allow from ....
</Limit>
There are some good tutorials about .htaccess.
There are many GeoIP database vendors that offer solutions for this problem, with detailed instructions on the subject. Check out http://www.maxmind.com/app/mod_geoip for an Apache module that comes with their database, which would probably be a perfect fit for your problem.
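One source-address allow list, as an added example that is not the code from any of the three answers on this page that attempt it (the "allow from domain.com" answer, the Brunei list and the Norway rewrite): admit only clients whose address is in a fixed set of networks and refuse everyone else on every method. The prefixes are the RFC 5737 documentation ranges, placeholders for the real per-country list, which changes over time and needs a dated source. It shows the Apache 2.4 Require syntax next to the 2.2 Order/Allow/Deny syntax, and deliberately has no <Limit> around it.

```apache
# Added example: site reachable only from the listed client networks.
# Ranges are RFC 5737 documentation prefixes standing in for real ones.

# Not wrapped in <Limit GET POST>. Access rules inside <Limit> apply only to
# the listed methods (GET also covers HEAD); OPTIONS, PUT, PATCH and any
# unknown method name would fall through to the enclosing config, and PHP
# runs a script for those just as it does for GET.

# Apache 2.4 (mod_authz_core): several Require lines in one scope are
# OR'ed; a client matching none of them is denied.
<IfModule mod_authz_core.c>
    Require ip 192.0.2.0/24
    Require ip 198.51.100.0/24
    Require ip 203.0.113.0/24
</IfModule>

# Apache 2.2 (or 2.4 with only mod_access_compat): same policy, old syntax.
# Never mix Order/Allow/Deny with Require in the same scope on 2.4.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Allow from 198.51.100.0/24
    Allow from 203.0.113.0/24
</IfModule>
```

Two things the answers above gloss over. "Allow from domain.com" (or "Require host domain.com") matches the client's reverse-resolved hostname, comparing whole name components, and costs a double DNS lookup per request; it has nothing to do with the Referer header, which is client-supplied and proves nothing. And if nginx or a CDN sits in front of Apache, as the Brunei poster found on their host, Apache sees the proxy's address, so the rule belongs in the proxy, or mod_remoteip must be configured to trust that one proxy's forwarded-address header.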
