htaccess deny access specific url but with 1 exception - .htaccess

I want to deny access to urls starting with /mapname , so that urls like /mapname/mapname2 and /mapname/file1 etc, are blocked. But there is 1 url that I want to allow, for example /mapname/mapname.php/something/something/something.php/something . How do I do this using htaccess?
To deny access I used the following code example. This worked, but I can't figure out how to allow specific urls.
RewriteCond %{REQUEST_URI} /mapname
RewriteRule ^.*$ / [R=301,L]

In a single RewriteRule, one can do this using a negative lookahead:
RewriteRule ^mapname(?!/something\.php/allow/this/uri/?$) - [F,L,NC]

You can use this:
RewriteRule ^mapname/something\.php/allow/this/uri/?$ - [L]
# Deny any other URI string starting with "/mapname"
RewriteCond %{REQUEST_URI} ^/mapname
RewriteRule ^.*$ - [F,L]
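A way to check both answers above against the same paths before deploying either one (an added example, not part of the original answers). It approximates mod_rewrite matching with Python's `re`, assumes a root-level .htaccess, and uses constructed sample paths; it shows the two rule sets disagree only on letter case, because the first carries [NC] and the second does not.

```python
import re

# Patterns copied from the two answers. RewriteRule patterns in a root
# .htaccess see the path without its leading slash; %{REQUEST_URI} keeps it.
LOOKAHEAD = re.compile(r"^mapname(?!/something\.php/allow/this/uri/?$)", re.I)  # [NC]
ALLOW = re.compile(r"^mapname/something\.php/allow/this/uri/?$")
DENY_URI = re.compile(r"^/mapname")


def single_rule(path):
    """First answer: one RewriteRule with a negative lookahead and [F,L,NC]."""
    return 403 if LOOKAHEAD.search(path) else 200


def two_rules(path):
    """Second answer: pass-through rule with [L], then a catch-all deny."""
    if ALLOW.search(path):
        return 200  # "-" substitution with [L]: processing stops, URL unchanged
    if DENY_URI.search("/" + path):
        return 403
    return 200


# Constructed sample paths (assumptions for this example, not from the page).
SAMPLES = [
    "mapname/something.php/allow/this/uri",
    "mapname/something.php/allow/this/uri/",
    "mapname/something.php/allow/this/uri/extra",
    "mapname/file1",
    "mapname2/file1",   # prefix match: neither pattern requires a slash
    "MapName/file1",    # differs between the answers because of [NC]
    "other/page",
]


def compare(paths=SAMPLES):
    """Return (path, status under answer 1, status under answer 2)."""
    return [(p, single_rule(p), two_rules(p)) for p in paths]


def disagreements(paths=SAMPLES):
    """Paths on which the two answers return different statuses."""
    return [row for row in compare(paths) if row[1] != row[2]]


if __name__ == "__main__":
    for path, a, b in compare():
        print(f"{path:45} single={a} two={b}")
```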

Related

htaccess deny access to URIs via regular expression

I want to deny access to all my posts/pages via their database id address e.g. /?p=1 , /?p=2 , ... etc
I am looking at doing this using .htaccess and would guess it would be best done with a RewriteCond rule. I have tried this but it doesn't appear to work.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/?p=*
RewriteRule ^(.*)$ - [F,L]
Any help greatly appreciated
With your shown samples, please try the following.
Please make sure to clear your browser cache before testing your URLs.
RewriteEngine ON
RewriteCond %{QUERY_STRING} ^p=[0-9]+ [NC]
RewriteRule ^ - [F,L]
As per the OP's comments, to match p or page followed by = and digits, try the following instead.
RewriteEngine ON
RewriteCond %{QUERY_STRING} ^(p|page)=[0-9]+ [NC]
RewriteRule ^ - [F,L]

.htaccess specific url changes

I have a small but hard-to-understand problem with .htaccess in a CMS system.
I have mod_expires, which caches stuff on the whole website, but I don't want to cache stuff under the /admin URL. I can't make another .htaccess, because I have an MVC structure and no real directory that could hold all my admin stuff.
I've found directive, but it only works in server configuration and I want it to work on different hostings, so only in htaccess file.
EDIT- Rewrite
# Turn on URL rewriting
RewriteEngine On
# Installation directory
RewriteBase /
RewriteCond %{HTTP_HOST} !^www. [NC]
RewriteCond %{HTTP_HOST} ![0-9]$ [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [L,R=301]
# Protect hidden files from being viewed
<Files .*>
Order Deny,Allow
Deny From All
</Files>
# Protect application and system files from being viewed
RewriteRule ^(?:application|modules|system)\b.* index.php/$0 [L]
# Allow any files or directories that exist to be displayed directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Rewrite all other URLs to index.php/URL
RewriteRule .* index.php/$0 [PT]
You can apply your Expires directive using an <If> directive with an expression to match against /admin:
<If "%{REQUEST_URI} =~ /^\/admin\//">
# Your expiry directives
</If>
If you know the exact URL then you can try this pattern.
RewriteRule ^facebook/get/(.*)?$ http://$1 [NC,R]
RewriteRule ^wrapper/share/(.*)?$ http://example.com/wrapper/share/$1 [NC,R]
This will check for URL where <-any-value->facebook/get/<-any-value2-> and then will send to the <-any-value2->
Like
RewriteRule ^stats/(.*)$ admin/dashboard.php?mode=openstats&event_id=$1 [NC,L,QSA]
If the URL has stats/<--any-value-->, then it will redirect/open admin/dashboard.php.
If your URLs don't have an exact value but you do know the URL slot pattern, then you can try this.
RewriteRule ^([^/.]+)/([a-zA-Z0-9_-]+)/$ wrapper/index.php?id=$2 [NC,L,QSA]

block specific url in .htaccess and allow access by IP

I have a problem: I want to secure the admin panel of my website using .htaccess, but it's a CGI script.
From a web browser it looks like: http://mysite.com/?op=adminpanel
Of course, it's /cgi-bin/index.cgi?op=adminpanel
I've tried with:
<files index.cgi?op=adminpanel>
order deny,allow
deny from all
allow from my.ip.address
</files>
but it's not working. It works when I use <files index.cgi></files>, but then the whole site gets a 403 error for everyone except my IP.
Now I'm testing with:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !( my.IP)
RewriteCond %{QUERY_STRING} !(?op=adminpanel)
RewriteRule index.cgi - [F]
Any help will be greatly appreciated.
Per this article you can do it like this:
Let's say you want to block IP address 123.255.123.255 from accessing the page www.mydomain.com/index.php?option=com_my_special_component. Here is how you could write the rule:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^123\.255\.123\.255
RewriteCond %{QUERY_STRING} option=com_my_special_component [NC]
RewriteRule ^(.*)$ index.php [F,L]
The first line just turns on URL rewriting. The second line matches the IP address (use backslashes before each dot), the third line matches the querystring (ie. anything that comes after the ? in the URL) - in this case it would match if option=com_my_special_component comes anywhere in the URL after the ? (eg. index.php?id=1&option=com_my_special_component&action=dostuff would still match with this rule). The [NC] at the end of that line tells it to apply the rule regardless of whether any of the characters in the URL are uppercase or lowercase. The final line redirects the user to index.php with a 'forbidden' header - so they will get an error message in their browser, and tells mod_rewrite to stop interpreting any further rewrite rules.
If you want to ban multiple IP addresses, you can add new lines for them, but you need to add an [OR] flag to the end of each line except the last one - for example:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^123\.255\.123\.255 [OR]
RewriteCond %{REMOTE_ADDR} ^124\.255\.124\.255 [OR]
RewriteCond %{REMOTE_ADDR} ^125\.255\.125\.255
RewriteCond %{QUERY_STRING} option=com_my_special_component [NC]
RewriteRule ^(.*)$ index.php [F,L]
Since you are blocking access to an admin page, you probably want to only allow your IP. In that case you would just put an exclamation mark in front of the IP address to say if it's any IP other than this one, then rewrite.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.255\.123\.255
RewriteCond %{REMOTE_ADDR} !^124\.255\.124\.255
RewriteCond %{REMOTE_ADDR} !^125\.255\.125\.255
RewriteCond %{QUERY_STRING} option=com_my_special_component [NC]
RewriteRule ^(.*)$ index.php [F,L]
Hope that helps.
Try this in the .htaccess file:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/admin
RewriteCond %{REMOTE_ADDR} !=10.0.0.1
RewriteCond %{REMOTE_ADDR} !=10.0.0.2
RewriteCond %{REMOTE_ADDR} !=10.0.0.3
RewriteRule ^(.*)$ - [R=403,L]
If the URL begins with /admin and the remote address is not one of the three listed, send the browser on its merry way.
reference : https://www.concrete5.org/community/forums/chat/restrict-urls-starting-with-abc-to-specific-ips-.htaccess-guru
You can change this line (RewriteCond %{REQUEST_URI} ^/admin) to this:
RewriteCond %{REQUEST_URI} .*/admin
for every URL containing "/admin".

Allow access when certain query string exists otherwise deny

I want to allow access to my site when there is s=stick_path or s=stick_relative in the query string otherwise deny the access. e.g allow access when www.domain.com/?s=stick_path but deny access when www.domain.com/?s=ck_relative or www.domain.com/?s=action_path.
I have tried for simple example like www.domain.com/?s=stick_path but it does not seem to work.
RewriteCond %{QUERY_STRING} !^s=stick_path$
RewriteRule ^.* - [F,L]
I think one can trick the .htaccess rule if s parameter is present twice like www.domain.com/?s=stick_path&s=action_path
The rules you have work for me when I try to go to http://localhost/?s=stick_path, but if you want to be able to check anywhere for the query string, try:
RewriteCond %{QUERY_STRING} !(^|&)s=stick_path(&|$)
RewriteCond %{QUERY_STRING} !(^|&)s=stick_relative(&|$)
RewriteRule ^.* - [F,L]
This works if either s=stick_path or s=stick_relative is anywhere in the querystring.
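The duplicate-parameter case raised in the question, checked against the rule in the answer above (an added example, not part of the original posts). It approximates the RewriteCond matching with Python's `re`; the sample query strings, the `DUPLICATE_S` guard and the application-side check are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

ALLOWED = ("stick_path", "stick_relative")
# Patterns of the two negated RewriteCond lines in the answer above.
CONDS = [re.compile(r"(^|&)s=stick_path(&|$)"),
         re.compile(r"(^|&)s=stick_relative(&|$)")]
# Assumed extra guard, not from the page; as its own rule placed first:
#   RewriteCond %{QUERY_STRING} (^|&)s=.*&s=
#   RewriteRule ^ - [F]
DUPLICATE_S = re.compile(r"(^|&)s=.*&s=")


def answer_rule_allows(query):
    """403 is sent only when neither pattern matches the raw query string."""
    return any(c.search(query) for c in CONDS)


def guarded_rule_allows(query):
    """The answer's rule plus the duplicate-parameter guard."""
    return answer_rule_allows(query) and not DUPLICATE_S.search(query)


def values_of_s(query):
    """All values a backend would receive for s, in request order."""
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == "s"]


def app_allows(query):
    """Application-side check: exactly one s and it is on the allowlist."""
    vals = values_of_s(query)
    return len(vals) == 1 and vals[0] in ALLOWED


# Constructed query strings; the last is the duplicate case the asker raised.
SAMPLES = ["s=stick_path", "s=stick_relative&page=2", "s=action_path",
           "s=ck_relative", "s=stick_path&s=action_path"]


def audit(queries=SAMPLES):
    """Return (query, answer's rule, guarded rule, application check)."""
    return [(q, answer_rule_allows(q), guarded_rule_allows(q), app_allows(q))
            for q in queries]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The anchored pattern in the question (`!^s=stick_path$`) already rejects the duplicate case, because the whole query string has to equal `s=stick_path`; the relaxed "anywhere in the query string" form is what needs the extra guard or an application-side check.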
Answer pulled from an OP's update
RewriteEngine ON was missing in the .htaccess.
So, the correct code was:
RewriteEngine on
RewriteCond %{QUERY_STRING} !^s=stick_path$
RewriteRule ^.* - [F,L]

Deny access to all files but index.php but allow GET variables

Basically I do not want people that visit my site to get all of the files, but all the things I tried and found on the internet disallow the usage of GET variables after the index.php. I'm using a rewrite to make domain.com/lol go to index.php?lol.
This is my current .htaccess file, if you'd like to modify it to make it easier for me, go ahead too.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.domain\.com [NC]
RewriteRule .? http://domain.com%{REQUEST_URI} [L,R=301]
RewriteRule ^act/(.*)$ index.php?act=$1
RewriteRule ^code/(.*)$ index.php?code=$1
RewriteRule ^login$ index.php?login
RewriteRule ^logout$ index.php?logout
RewriteRule ^add$ index.php?add
RewriteRule ^tac$ index.php?tac
RewriteRule ^profile$ index.php?profile
The following rule stops direct requests to index.php (either with or without arguments):
# block direct requests to index.php and redirect it to /
RewriteCond %{ENV:REDIRECT_STATUS} =""
RewriteRule ^index.php$ /
If needed, you can change the rewrite target and/or add some more conditions based on what exactly is allowed and what's not.
