how to generic .htaccess to prevent hotlink - linux

The following code works fine:
RewriteCond %{HTTP_REFERER} !^http://superwebx.com/.*$ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png|swf|css)$ - [F]
but I want to make a generic script serve me for several sites I manage, but fails try to get
RewriteCond %{HTTP_REFERER} !^http://%{HTTP_HOST}/.*$ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png|swf|css)$ - [F]

You can't use variables inside the regex. You can work around this by using a RegEx backreference like so:
RewriteCond %{HTTP_REFERER} ^https?://([^/]+)/ [NC]
RewriteCond %1#%{HTTP_HOST} !^(.+)#\1$
RewriteRule \.(jpe?g|gif|bmp|png|swf|css)$ - [F]
(note the # is just used as a boundry. It could be any character that isn't used in domain-names.)

Very old one, but here's your answer:
RewriteCond %{HTTP_HOST}##%{HTTP_REFERER} !^([^#]*)##https?://\1/.*

Related

.htaccess allow only user-agents that contain a specific word

I would like to know if there is a way to block all user-agents except the one that contains the word "chrome" using .htaccess
I used something like this, but this works unfortunately only if the exact name is given..
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} !Lynx/2\.8\.8dev\.12 [NC]
RewriteRule ^ - [F,L]
You can just use:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} !chrome [NC]
RewriteRule ^ - [F]

htaccess replacing underscores with hyphens

Is there a more efficient way to doing this?
The last /(.*)$ is an ID that I don't care to use. only whats before it.
RewriteRule ^about-us/news-room/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)/(.*)$ index.php?go=/news/press-releases/$1-$2-$3-$4-$5-$6-$7-$8-$9-$10 [NC]
RewriteRule ^about-us/news-room/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)/(.*)$ index.php?go=/news/press-releases/$1-$2-$3-$4-$5-$6-$7-$8-$9 [NC]
RewriteRule ^about-us/news-room/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)/(.*)$ index.php?go=/news/press-releases/$1-$2-$3-$4-$5-$6-$7-$8 [NC]
RewriteRule ^about-us/news-room/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)/(.*)$ index.php?go=/news/press-releases/$1-$2-$3-$4-$5-$6-$7 [NC]
RewriteRule ^about-us/news-room/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)/(.*)$ index.php?go=/news/press-releases/$1-$2-$3-$4-$5-$6 [NC]
RewriteRule ^about-us/news-room/(.*)_(.*)_(.*)_(.*)_(.*)/(.*)$ index.php?go=/news/press-releases/$1-$2-$3-$4-$5 [NC]
RewriteRule ^about-us/news-room/(.*)_(.*)_(.*)_(.*)/(.*)$ index.php?go=/news/press-releases/$1-$2-$3-$4 [NC]
RewriteRule ^about-us/news-room/(.*)_(.*)_(.*)/(.*)$ index.php?go=/news/press-releases/$1-$2-$3 [NC]
RewriteRule ^about-us/news-room/(.*)_(.*)/(.*)$ index.php?go=/news/press-releases/$1-$2 [NC]
I found some solutions online but seem to get really confused on using the [N] flag? Not too sure here. Can anyone explain a better more efficient way to do this?
You can just let the rewrite engine loop internally for this:
RewriteRule ^about-us/news-room/(.+)/(.*)$ index.php?go=/news/press-releases/$1 [L,NC]
RewriteCond %{QUERY_STRING} ^go=/news/press-releases/(.*)_(.*)$
RewriteRule ^index\.php$ /index.php?go=/news/press-releases/%1-%2 [L]
The first rule sends the request to index.php, and the second rule removes the underscores and replaces them with dashes. Because the rewrite engine loops, it'll keep applying the rule until either the recursion limit is reached or all the underscores are gone.

.htaccess allow if url contains a word

I want to allow access to specific domains. For example if domain contains the word asdf it should allow access. I final attempt before asking was:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^.*asdf.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} !^.*1234.*$
#RewriteRule .* - [F]
So here I tried to restrict access to all but domains that contain asdf or 1234.
You need to use %{HTTP_HOST} for checking the domain in URL instead of %{HTTP_REFERER}.
Can you try this code:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^.*(asdf|1234)\. [NC]
RewriteRule .* - [F]
Anubhava gave me a clue but not with the http_host. Finally the problem was the OR.
Now the following worked like a charm:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^.*(1234|asdf).* [NC]
RewriteRule .* - [F]
So HTTP_REFERER did what it should do (check the domain accessing). And the | worked as the or argument I needed.

.htaccess Escaping Periods

I recently had an RFI attack where the query string had a bunch of ../../../ and I'd like to modify .htaccess to prevent any ../ in the query string.
I was trying this until I realized the period needed to be escaped:
RewriteCond %{QUERY_STRING} ../
RewriteRule .* - [F]
I then changed it to:
RewriteCond %{QUERY_STRING} \.\./
RewriteRule .* - [F]
But it still forbids any / in the query string.
Also, If I have the rule in {REQUEST_URI} would that make the {QUERY_STRING} redundant?
Thanks.
EDIT:
I have had success getting this to work by:
RewriteCond %{QUERY_STRING} (\.\./)
However, RewriteCond %{REQUEST_URI} \.\./ or RewriteCond %{REQUEST_URI} (\.\./) does not. I've also tried /\.\./ & (/\.\./)
The %{QUERY_STRING} is everything after the ?, so your rules successfully block a URL like htis:
http://domain.com/blah.php?../../../path
But your URI won't be checked. You can check against both by amending your rule:
RewriteCond %{QUERY_STRING} \.\./ [OR]
RewriteCond %{REQUEST_URI} \.\./
RewriteRule .* - [F]

mod rewrite htaccess

I'm trying to achieve te following rewrite:
The url, stenenkermis.be or www.stenenkermis.be will result in www.stenenkermis.be/2012/v1/
www.stenenkermis.be/2012/v1/page/param/param/ needs to result in
www.stenenkermis.be/2012/page.php?param1=&param2= (but the parameters are optionality the user can also go to home/ without parameters)
Currently this is my htaccess file:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^stenenkermis\.be$
RewriteRule (.*) http://www.stenenkermis.be/$1 [R=301,L]
RewriteRule ^$ /2012/v1/ [L,R=301]
RewriteRule ^2012/v1/([^/]+)/ /2012/$1.php [NC,R]
RewriteRule ^2012/v1/([^/]+)/([^/]+)/([^/]+) /2012/$1.php?arg1=$2&arg2=$3 [NC,R]
RewriteRule ^2012/v1/([^/]+)/([^/]+)/([^/]+) /2012/$1.php?arg1=$2&arg2=$3 [NC,R]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?stenenkermis.be/.*$ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F]
the only problem is that my url gets redirected to
http://www.stenenkermis.be/2012/page.php?param1=&param?= in the address bar ,I don't want the user to see this.
Can anyone help me with figuring this htaccess out?
Don't use R in your rewrite flags, since it means mod_rewrite is instructed to send an HTTP redirect to the user. Use QSA instead.
Fge is right, but your rules seem to be in the wrong order.
Rule of thumb: always start with the most complex the go to the less complex.
And of course, add QSA instead of R in the right places:
As a suggestion I've added all the static files (it's my rule in my prod environment):
Thus:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^stenenkermis\.be$
RewriteRule (.*) http://www.stenenkermis.be/$1 [R=301,L]
# Rewrite, but **keep on** with modified URL:
RewriteRule ^$ /2012/v1/ [NC,QSA]
RewriteRule ^2012/v1/([^/]+)/([^/]+)/([^/]+) /2012/$1.php?arg1=$2&arg2=$3 [NC,QSA,L]
RewriteRule ^2012/v1/([^/]+)/([^/]+) /2012/$1.php?arg1=$2 [NC,QSA,L]
RewriteRule ^2012/v1/([^/]+)/ /2012/$1.php [NC,QSA,L]
# operate with static files: forbid if not coming for original website:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?stenenkermis.be/.*$ [NC]
RewriteRule (.*)(\.(css|js|htc|pdf|jpg|jpeg|gif|png|ico))$ - [NC,F]
And now two hints:
Please try to use the RewriteLog directive: it helps you to track down such problems:
# Trace:
# (!) file gets big quickly, remove in prod environments:
RewriteLog "/web/logs/mywebsite.rewrite.log"
RewriteLogLevel 9
RewriteEngine On
My favorite tool to check for regexp:
http://www.quanetic.com/Regex (don't forget to choose ereg(POSIX) instead of preg(PCRE)!)

Resources