.htaccess exclude URI - .htaccess

Have working htaccess, which block specific countries and/or languages,
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^NL$ [NC,OR]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^BY$ [NC,OR]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^UA$ [NC,OR]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^RU$ [NC,OR]
RewriteCond %{HTTP:Accept-Language} (nl) [NC,OR]
RewriteCond %{HTTP:Accept-Language} (be) [NC,OR]
RewriteCond %{HTTP:Accept-Language} (uk) [NC,OR]
RewriteCond %{HTTP:Accept-Language} (ru) [NC]
RewriteRule ^(.*)$ cap.html [L]
but I need to give access to specific route eg api.html to any country/language.
I try to add exception
RewriteCond %{REQUEST_URI} !^/api\.html
but it does not work, I've tried hundreds of conditions but gave up for 6 hours, please advise what I'm doing wrong.
RewriteEngine On
# Exclude countries, forbidden by law
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^NL$ [NC,OR]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^BY$ [NC,OR]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^UA$ [NC,OR]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^RU$ [NC,OR]
RewriteCond %{HTTP:Accept-Language} (nl) [NC,OR]
RewriteCond %{HTTP:Accept-Language} (be) [NC,OR]
RewriteCond %{HTTP:Accept-Language} (uk) [NC,OR]
RewriteCond %{HTTP:Accept-Language} (ru) [NC]
RewriteCond %{REQUEST_URI} !^/api\.html
RewriteRule ^(.*)$ cap.html [L]
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [L]
RewriteRule ^.*$ index.php [L]

Try :
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^NL$ [NC,OR]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^BY$ [NC,OR]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^UA$ [NC,OR]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^RU$ [NC,OR]
RewriteCond %{HTTP:Accept-Language} (nl) [NC,OR]
RewriteCond %{HTTP:Accept-Language} (be) [NC,OR]
RewriteCond %{HTTP:Accept-Language} (uk) [NC,OR]
RewriteCond %{HTTP:Accept-Language} (ru) [NC]
#rewrite everything to "cap.html" except "api.html"
RewriteRule ^((?!api\.html).*)$ cap.html [L]

Your current code seems logical, but you can try by merging the conditions together, and moving the last condition to the top:
RewriteCond %{REQUEST_URI} !^/api\.html [NC]
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(?:NL|BY|UA|RU)$ [NC,OR]
RewriteCond %{HTTP:Accept-Language} (?:nl|be|uk|ru) [NC]
RewriteRule ^ cap.html [L]

I solved problem in little bit different way
Just created api.php file and added rule to skip existing files
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(?:NL|BY|UA|RU)$ [NC,OR]
RewriteCond %{HTTP:Accept-Language} (?:nl|be|uk|ru) [NC]
RewriteRule ^ cap.html [L]
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [L]
RewriteRule ^.*$ index.php [L]

Related

two types of redirections on .htaccess getting error

I want to do two things using .htaccess
redirect non www (http://domain.com) to www (http://www.domain.com)
I am also trying to redirect mobiles to go for a different URL
(http://www.domain.com/mobile) from (http://www.domain.com)
the code I am using:
RewriteCond %{HTTP_HOST} ^domain.com [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [L,R=301]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|googlebotmobile|iemobile|iphone|ipod|#opera mobile|palmos|webos" [NC]
RewriteCond %{HTTP_USER_AGENT} "acs|alav|alca|amoi|audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT}"dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lgc|lg-d|lg-g|lge-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|opwv" [NC,OR]
RewriteCond %{HTTP_USER_AGENT}"palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|w3cs|wap-|wapa|wapi" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "wapp|wapr|webc|winw|winw|xda|xda-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "up.browser|up.link|windowssce|iemobile|mini|mmp" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "symbian|midp|wap|phone|pocket|mobile|pda|psp" [NC]
RewriteRule ^$ http://www.domain.com/mobile [L,R=302]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /default.htm [L]
</IfModule>
can someone help me please?

Only redirect if not mobile?

I need to create a redirect if the user agent is not mobile. Unfortunately I can't get it done.
#RewriteCond %{HTTP_USER_AGENT} !"android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC,OR]
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule ^/?$ "https\:\/\/example\.com\/home" [R=302,L]
Any help is much appreciated. Thank you.
Got it done
# REDIRECT DESKTOP
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteCond %{HTTP_USER_AGENT} !(android|blackberry|googlebot-mobile|iemobile|iphone|ipod|opera\smobile|palmos|webos) [NC]
RewriteRule ^/?$ "https\:\/\/example\.com\/home" [R=302,L]
# REDIRECT MOBILE
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^example\.com\/home$ [OR]
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteCond %{HTTP:x-wap-profile} !^$ [OR]
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC,OR]
RewriteCond %{HTTP:Profile} !^$
RewriteRule ^/?$ "https\:\/\/example\.com\/mobile" [R=302,L]

RewriteCond using .htaccess to redirect

How to redirect below url and match with RewriteCond
http://example.com/team/home/index.cgi/"><script>alert(7229)</script>
http://example.com/team/home/index.cgi/?"onmouseover="alert(173)"
i need RewriteCond which can match the above url and redirect to rewriterule which is set for other RewriteCond's
Updated query for .htaccess file, please check below code is written for xxs,sql injection prevention, but not solving problem completley
------------------------------------------------------
Header set X-XSS-Protection "1; mode=block"
RewriteBase /
RewriteEngine On
#RewriteCond %{HTTP_USER_AGENT} !^.*Chrome.* [NC]
#RewriteCond %{HTTP_USER_AGENT} !^.*Firefox.* [NC]
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
#RewriteRule ^/script/i$ [NE,L]
#RewriteRule ^([^\"]+\.cgi)/.* $1 [R=301,L]
RewriteRule ^(.*)$ /cgi-bin/team/home/index.cgi? [R]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
#END OF XSS FIX
You can also check for REQUEST_URI in addition to QUERY_STRING:
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{REQUEST_URI} onmouseover [NC]
RewriteRule ^ - [F]

needed to remove image extension using htaccess

I need to change or redirect the "example.com/photos/logo.jpg" to "example.com/photos/logo" when user comes from google image search.
Therefore I've used:
RewriteCond %{REQUEST_URI} photos/.*\.(gif|jpg|jpeg|png)$ [NC]
RewriteCond %{HTTP_REFERER} ^http://www.google.[a-z]{2,4}(.[a-z]{2,4})?/url\?.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://www.bing.com/images/search?q=\?.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://example.com/.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !(.*bot.*|slurp) [NC]
RewriteRule ^gallery/(.*) /$1 [L,R=301]
Try:
RewriteCond %{HTTP_REFERER} ^http://www.google.[a-z]{2,4}(.[a-z]{2,4})?/url\?.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://www.bing.com/images/search?q=\?.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://example.com/.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !(.*bot.*|slurp) [NC]
RewriteRule ^photos/(.*)\.(jpe?g|png|gif)$ /photos/$1 [L,NC,R=301]

.htaccess file blocks Payment Notification from paypal

Here is an example of $_POST data from paypal's IPN:
cmd=_notify-validate
&test_ipn=1
&payment_type=instant
&payment_date=18%3A49%3A30+Nov+01%2C+2010+PDT
&payment_status=Completed
&address_status=unconfirmed
&payer_status=unverified
&first_name=John
&last_name=Smith
&payer_email=buyer
%40paypalsandbox.com
&payer_id=TESTBUYERID01
&address_name=John+Smith
&address_country=United+States
&address_country_code=US
&address_zip=95131
&address_state=CA
&address_city=San+Jose
&address_street=123%2C+any+street
&business=seller%40paypalsandbox.com
&receiver_email=seller%40paypalsandbox.com
&receiver_id=TESTSELLERID1
&residence_country=US
&item_name=something
&item_number=AK-1234
&quantity=1
&shipping=3.04
&tax=2.02
&mc_currency=USD
&mc_fee=0.44
&mc_gross=10
&mc_gross_1=10
&txn_type=web_accept
&txn_id=30112149
&notify_version=2.1
&custom=10points
&charset=windows-1252
&verify_sign=AFcWxV21C7Zyy8mw-cdzleMW.oxFXxXE
When I try to send this with my .htaccess file I get an 403 error.
.htaccess:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule .* - [F]
How do I change the .htaccess file to make it allow the $_POST data?
You can enable logging on the rewrite engine. (Just for debugging.) You will see the exact rule where is dies.
Possibly this line:
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
I believe that is matching on any full stop following by an alpha-numeric character in the query string. Seems like that would fail requests like "shipping=3.04"
Found the sinner:
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]

Resources