Can htaccess prevent all access to unwanted files? - .htaccess

I'm building something that I want to release as an open source project. To make it easier to use I'd like to go without the public-folder approach, where you hide all other files than index.php (and assets) from public_html. Meaning, I'd like to do it like WordPress, where you simply toss the code on a server and it works, in that URL you tossed it in.
Here is the content of my htaccess-file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
</IfModule>
Does this code really prevent access to other files? For example, is there any way an attacker could access vendor/Acme/Libraries/Foo.php? Based on my tests it does, but that doesn't mean there isn't a way to circumvent it.

Let's look at your rule closely:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
This rule says that if the request is NOT for a valid file, then rewrite it to /index.php. That means /index.php will be invoked for any non-file request, but it also means you are allowing direct access to all the files.
Btw, QSA is useless here and can be removed.
You cited WordPress here, which basically uses /index.php for any non-file, non-directory requests, thus allowing direct access to any valid file OR directory.
If you really want to block access to all the files and directories then you probably will need this rule:
RewriteRule ^ index.php [L]
but I am not sure if you want to handle direct access to resources like images, js/css files via index.php also.

Yes, an attacker can still access your other code files, using only the rule you provided. But:
On a properly configured server, a call to vendor/Acme/Libraries/Foo.php would execute that file, not display its contents. Which might or might not be good enough, and there's still the possibility of a configuration error that would display the source code.
You can block web access to the remaining files by adding Deny directives, for example:
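# <Files> cannot be nested inside <Location>, and <Location> is not valid in .htaccess,
# so the directives sit directly at the directory level
Order deny,allow
Deny from all
<Files index.php>
Allow from all
</Files>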
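
An added example (not code from any of the posts above): a small Python model of the question's rewrite decision, run over a constructed document root, that lists which files remain directly fetchable. The `assets/` prefix, `config.ini` and the allowlist variant are assumptions; the model covers only the rewrite rule, not other Apache access controls.

```python
import os
import tempfile

FRONT_CONTROLLER = "index.php"
ALLOWED_PREFIXES = ("assets/",)  # assumption: static files live under assets/

def served_directly(docroot, url_path, allowlist_only=False):
    """True if the file itself is returned, False if index.php handles it.

    allowlist_only=False models the question's rule (RewriteCond !-f):
    any existing file is exempt from the rewrite.
    allowlist_only=True models rewriting everything except index.php
    and the asset prefix.
    """
    rel = url_path.lstrip("/")
    is_file = os.path.isfile(os.path.join(docroot, rel))
    if not allowlist_only:
        return is_file
    allowed = rel == FRONT_CONTROLLER or rel.startswith(ALLOWED_PREFIXES)
    return is_file and allowed

def exposed_files(docroot, allowlist_only=False):
    """Files a client can fetch by URL, other than index.php and assets."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if rel == FRONT_CONTROLLER or rel.startswith(ALLOWED_PREFIXES):
                continue
            if served_directly(docroot, "/" + rel, allowlist_only):
                hits.append(rel)
    return sorted(hits)

def build_sample_tree():
    """Constructed docroot; only Foo.php's path comes from the question."""
    root = tempfile.mkdtemp()
    for rel in ("index.php", "assets/app.css", "config.ini",
                "vendor/Acme/Libraries/Foo.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    print("question's rule:", exposed_files(root))
    print("allowlist rule: ", exposed_files(root, allowlist_only=True))
```

Pointing `exposed_files` at a real checkout before release gives the list of files that need a deny rule or a move outside the document root.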

Related

Restricting file/directory access htaccess

I'm slowly starting to learn how to use HTACCESS and the code below doesn't work for some reason; the Options part itself works.
Options +FollowSymlinks
RewriteEngine on
Options ALL -Indexes
So I'm already restricting users from accessing directories, but is there any way to restrict them from accessing all files in certain folders directly?
Right now people are restricted from folders /php/, /css/ etc., but if they type /css/style.css they will access that file.
Options -Indexes is not used to restrict access per se. It's to prevent listing files in your directory so that they can't access or see all your files in the folder. So if there is no index file it will give a forbidden error.
You need to explicitly block access and use other directives. You can use <Files> with Order, RewriteRule etc.
An example of blocking file types in a directory would be like this.
For instance, I have an images directory and want to block jpeg, jpg, png and gifs:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/images [NC]
RewriteCond %{REQUEST_URI} \.(jpe?g|png|gif)$ [NC]
RewriteRule .* - [F,L]
Side note: blocking CSS is irrelevant anyway because the browser has to load it to view the page properly. There's no point in doing so because you can inspect any element to see the styles in all modern browsers.

Make files not accessible via URL

How can I redirect via the .htaccess file so that only index.html can be accessed via URL?
I already got this:
RewriteEngine on
RewriteBase /
Options +FollowSymlinks
RewriteRule ^/?login/?$ /php/login.php [NC,R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.html [L,QSA]
It works fine if somebody types in, for example, "www.mypage.com/skd/lasnd",
but if somebody types in a file which exists on the webserver, e.g. "www.mypage.com/php/login.php", he will be redirected to that page. How do I forbid that?
To be more exact: my JavaScript & PHP scripts should still be allowed to access every file on my webserver.
These lines:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
are conditions "if REQUEST_FILENAME is NOT a file, if REQUEST_FILENAME is not a directory", and if both are met then the RewriteRule takes place. This is usually to allow "friendly URLs" to work and at the same time to not rewrite any images, CSS etc. You can block access to files in many ways, but you have to take care not to block too much (like said images etc). The simplest approach would be to put your files in a subdirectory and add another .htaccess file in that directory with the line
Deny From All
This will make httpd deny any request to whatever is in that directory and its subdirectories (unless another .htaccess overwrites these rules) while your scripts will be able to access them without a problem.
I strongly recommend you read the mod_rewrite docs.
EDIT
There's no "my javascript" and "their javascript". There's a request and that's all you can tell for sure. You cannot tell which access is yours and which is not. "i only want to deny request via typing in the browser address line" - you can't tell that either. You theoretically could check REFERER, and if there's none set then assume it's a direct hit, but REFERER comes from the browser so it can be faked as well. And I personally block all REFERERS by default, so all my requests are w/o any REFERER, even those that are not direct. You could try cookies, but again - these can be grabbed by a script and sent back too. The only real option is to Deny from all to these files and "tunnel" them through some sort of script (i.e. PHP) that would do i.e. file() on the target file only if the user authenticated himself previously using login and password. Any other attempts are broken from the start.
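
An added example (not part of the answer above, and in Python rather than the PHP the answer mentions): the "deny everything, then tunnel through a script" approach as a gatekeeper function. It decides on server-side session state rather than Referer, and refuses paths that resolve outside the protected directory; the `session` dict, the directory layout and all names here are assumptions.

```python
import os
import tempfile

def resolve_protected(base_dir, requested, session):
    """Return the absolute path to serve, or None to refuse.

    The web server denies every direct request to base_dir ("Deny from all");
    this function is the only way in. It trusts server-side session state,
    never Referer or any other client-supplied header.
    """
    if not session.get("authenticated"):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # Refuse anything that resolves outside base_dir
    # (../ sequences, absolute paths, symlink escapes)
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None

def make_sample():
    """Constructed layout: protected/report.txt plus a file outside it."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "protected")
    os.makedirs(base)
    open(os.path.join(base, "report.txt"), "w").close()
    outside = os.path.join(root, "secret.txt")
    open(outside, "w").close()
    return base, outside

if __name__ == "__main__":
    base, outside = make_sample()
    user = {"authenticated": True}  # hypothetical session set at login
    print(resolve_protected(base, "report.txt", user))     # path inside base
    print(resolve_protected(base, "report.txt", {}))       # None: not logged in
    print(resolve_protected(base, "../secret.txt", user))  # None: escapes base
```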
try the following
RewriteRule /.* http://www.new-domain.com/index.html

htaccess rule - Take the Place of Symlinked Files

I'm working on this legacy project that has a rather odd setup that I'm looking to get rid of but my htaccess skills are a little lacking in this department.
Here's the directory structure.
/index.php
/www
page1.php -> symlink to index.php
page2.php -> symlink to index.php
page3.php -> symlink to index.php
/www is the public directory and people visit http://site/page1.php. However, each of those files with an * actually symlinks to /index.php.
I find this arrangement idiotic and would like to get rid of the symlinks and simply have any /www/*.php request simply point at index.php without the page actually redirecting to index.php.
Any ideas for an htaccess rule(s) that could solve this problem? At its most basic core, I'd like to keep the same functionality without having to have a thousand symlinked files.
It looks like the index.php file is not in your document root (which I'm assuming is www), and because of that, I don't think there's a way you can do this from your .htaccess file. In order to access something outside of your document root, you'll need to set up an alias in either your server config or your vhost config:
# Somewhere in vhost/server config
Alias /index.php /var/www/path/to/index.php
# We need to make sure this path is allowed to be served by apache, otherwise
# you will always get "403 Forbidden" if you try to access "/index.php"
<Directory "/var/www/path/to">
Options None
Order allow,deny
Allow from all
</Directory>
Now you should be able to access /var/www/path/to/index.php. Note that other files in the /var/www/path/to directory are safe as long as you don't create an Alias (or AliasMatch or ScriptAlias) that points to them. Now that you can access index.php via the /index.php URI, you can set up some mod_rewrite rules in the .htaccess file in your document root (www) to point things to index.php:
# Turn on the rewrite engine
RewriteEngine On
# Only apply the rule to URI's that don't map to an existing file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Rewrite all requests ending with ".php" to "/index.php"
RewriteRule ^(.*)\.php$ /index.php [L]
This will make it so when you request http://site/page1.php, the browser's address bar is unchanged but the server actually serves /index.php, which is aliased to /var/www/path/to/index.php.
You can tweak the regular expression ^(.*)\.php$ to something more appropriate if need be. This just matches anything that ends with a .php, including /blah/bleh/foo/bar/somethingsomething.php. If you want to limit the directory depth, you can tweak the regular expression to ^([^/]+)\.php$, etc.

htaccess rules to block all but server

Looking for some htaccess rewrite rules to block all access to a directory except for the server itself. It's a directory full of images and flash swf files. Yes, I know it's sort of odd to not want direct access to a file its own directory, but to allow it to be seen by the user when referenced in other html outside the protected directory, but that's what I'm after. I have tried a few different methods as shown below:
# send them to index.php
Options +FollowSymlinks
RewriteEngine on
#RewriteRule ^(.*)$ ../User/ [NC]
#RewriteRule ^(.*)$ [R=301,L,NC]
# no one gets in here!
#deny from all
Options All -Indexes
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 192.168.0.0/33
</Limit>
None of them seem to really do what I want. Some of them block access to everything, including the server itself. Others redirect the request to another page, but because it keeps the same URL, the links on the 'page' the user gets redirected to won't work.
If possible I would not even like to do a 404 warning, because while this disallows users access to the directory, the user will still know that that directory exists.
You can simply use this one line rule to do that:
RewriteRule ^mydir/ - [L,R=404,NC]
That way all the files under /mydir/ will generate 404 errors to your visitors but your server will still have access to those files.

.htaccess mod_rewrite for web service as well as hide other files

I think I know how to hide the files but how do I use mod_rewrite to allow only the web service to be called in the same directory?
Here is the directory/file structure
/var/www/html/xmlrpc/xmlrpc.server.php
/var/www/html/xmlrpc/xmlrpc.client.php
/var/www/html/xmlrpc/xmlrpc.class.php
/var/www/html/xmlrpc/xmlrpc.ini
/var/www/html/xmlrpc/logs
Important note: /var/www/html/xmlrpc/logs has 777 permission.
Before you start harping on me, I plan to move this into a non-public directory and give the correct permissions. But I was asked to see if I could hide it with the .htaccess file.
.htaccess
AuthType Basic
AuthName "My hidden files"
AuthBasicProvider file
AuthUserFile /var/www/html/xmlrpc/.pswds
Require valid-user
.pswds
user:5/abcde1abcdE
Also I'm a newbie with mod_rewrite/mod_alias and need this URL:
http://127.0.0.1/xmlrpc/xmlrpc.server.php
to be this:
http://127.0.0.1/xmlrpc/v1/
How does one do this?
Also, I know that in the virtual host setup in Apache you can set the log file paths/names; can this be done from the .htaccess file as well?
Examples are welcome as this is a learning experience for me as well.
Ah mod_rewrite. Try this in the xmlrpc directory:
RewriteEngine On
RewriteRule ^v1/$ xmlrpc.server.php [L]
Some questions though - does xmlrpc.server.php take any get parameters? Can you guarantee that the url will always include a trailing slash?
To enforce a trailing slash as well as some other stuff, try this:
# Allows direct linking to files
RewriteCond %{REQUEST_FILENAME} !-f
#Checks if the url is missing a slash, if so, evaluate rule below
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://127.0.0.1/$1/ [L,R=301]
The last rule will have to be adjusted depending on where you put the .htaccess file. If it's at the root, then it will work for all lower directories. If it's in the xmlrpc folder, then you can leave off the localhost.
Also remember to restrict access to the .htaccess file:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Someone else will have to answer the other questions - not as familiar with that.
