.htaccess redirect to 403 error - security

I have a website which watermarks photos (you may already know from previous q&a's). The orignal photos I use are secured using .htaccess using this code:
RewriteEngine On
RewriteCond %{REQUEST_URI} !error.gif$
RewriteRule \.(gif|jpg|png)$ /error.gif [L]
When the user attempts to access the file it comes up with ERROR 404 which is fine but is there any way to get it to redirect to ERROR 403? (error.gif exists and is a 1x1 white pixel.)
I know .htaccess uses this to access 403 errors:
ErrorDocument 403 /error-docs/403.shtml
I have created this file in the area, and have added the above line(s) together but it still redirects to ERROR 404?
I'm not very well educated with htaccess, so any help with this will be highly appreciated.
Full Code:
RewriteEngine On
RewriteCond %{REQUEST_URI} !error.gif$
RewriteRule \.(gif|jpg|png)$ /error.gif [L]
ErrorDocument 403 /error-docs/403.shtml
Thanks,
David

To return a 403, include an F in the brackets where the L is:
RewriteRule \.(gif|jpg|png)$ - [L,F]
You can replace the /error.gif with a - which stops url rewriting since you have a separate document that gets served for the 403 so the error.gif doesn't do anything. That also means you can get rid of the RewriteCond, too.

Related

htaccess Customized 403 Forbidden page not always working

I have a custom 403 page that works when I want to block specific pages, but it doesn't work when I want to match a specific HTTP_REFERER.
With the specific HTTP_REFERER I get the regular 403, To test the HTTP_REFERER I added a link on another site "mysite.com" towards this project, when I click on the link I get the server 403 response:
But I open my test page "forbidden-test" I do get my customized forbidden.php page
This is what I have in the htaccess, form the following example only RewriteRule ^forbidden-test$ - [F] works by showing my customized 403 page:
Options All -Indexes
# prevent folder listing
IndexIgnore *
RewriteEngine on
RewriteCond %{HTTP_REFERER} \
... (there are many here)
mysite\.com|\
[L,NC]
RewriteRule .* - [F]
#spam blacklist end
RewriteCond %{HTTP_USER_AGENT} \
12soso|\
192\.comagent|\
1noonbot|\
1on1searchbot|\
3de\_search2|\
3d\_search|\
3g\ bot|\
... (there are many here)
zyte\
[NC]
RewriteRule .* - [F]
#bad bots end
#Forbidden Test
RewriteRule ^forbidden-test$ - [F]
#ERRORS
RewriteRule ^forbidden/?$ forbidden.php [L,QSA]
ErrorDocument 403 /forbidden
Any thoughts?
Thanks
Pay attention to what that default error message is actually saying:
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Access to your custom error document is blocked. The internal request for that, goes through all of the rewriting again; and because the referrer of the original request is (still) wrong, access to your 403 document is forbidden now.
You need to add an exception to this referrer check, so that it allows access to your error document.
Easiest way here is probably to just put a rule at the very top, to do nothing, when this particular document is requested:
RewriteRule ^forbidden\.php$ - [L]
The - is a “non-rewrite”, it simply does nothing. The [L] flag is important here, to say “don’t process any other rules in this round.”
Also, since your error document seems to be a PHP script, you should define it like this directly,
ErrorDocument 403 /forbidden.php
Otherwise, this needs an extra round of rewriting, from /forbidden to /forbidden.php, and there is really no good reason for that.

URL changes when using ErrorDocument 403 in .htaccess

I have written a .htaccess file to make sure that visitors are always redirected to https and to www. In addition to that I have also added a custom html page for 404 errors.
When visitors try to access a forbidden file I want them to see my custom 404 message, as to not reveal that the path contains a forbidden file.
Here is the problem. When writing for example "example-domain.com/.htaccess" (no www or https) in the browser, the URL in the address field in the browser changes to "https://www.example-domain.com/missing.html". But I want it to say "https://www.example-domain.com/.htaccess" while displaying my 404 page.
It works for 404 errors. But when typing in a path in the address field which both triggers the 403 error and fulfill at least one of the rewrite conditions in my .htaccess file (missing https and/or www) I experience the above described problem.
Here is the code in the .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} ^example-domain.com [NC]
RewriteRule ^(.*)$ https://www.example-domain.com/$1 [L,R=301,NC]
ErrorDocument 403 /missing.html
ErrorDocument 404 /missing.html
Best regards

Can't seem to get 404 page working

First of this is my .htaccess file
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?id=$1 [L,QSA]
I've got that working but when I go to a page like example:
localhost/test
it loads the same page but shows no content.
localhost/test
is not on my server and I can't seem to get the 404 to work I've tried everything for the past 3 days
I've lost the code for the 404 in the htacces as my computer crashed
What I'm Trying to do is bring up the 404 when there isn't an id from the database so when people go to an invalid link there will be a 404 page
Just add the following code to the beginning of your .htaccess file:
ErrorDocument 404 /404.php
Then create a new file 404.php at the root of your website. This file will be displayed when the user tries to access a URL that does not match an existing file and is not handled by your Rewrite rules.
in your index.php you are doing a lookup based on the path in the url or some other variable. If you get a no match just respond with a
header("HTTP/1.0 404 Not Found");
followed by the output you want on your error document.

htaccess redirect to different page on 403 Forbidden Error

Can't find this for the life of me. We have the indexes protected so if someone goes to CDNdomain.com/1/ they won't see anything unless they do CDNdomain.com/1/something.jpg. When they visit /1/ they are presented with a 403 Forbidden error. What I would like to do is when they are shown a 403 Forbidden error to instead redirect them to ourRealdomain.com.
Any ideas?
You can try something like this in the htaccess file in the document root of CDNdomain.com:
RewriteEngine On
# make sure this is the right host
RewriteCond %{HTTP_HOST} cdndomain.com$ [NC]
# make sure this is a request for an existing directory
RewriteCond %{REQUEST_FILENAME} -d
# redirect
RewriteRule ^(.*)$ http://ourRealdomain.com/ [L,R=301]
Note that this will also redirect /: http://CDNdomain.com/ to http://ourRealdomain.com/. If you want to avoid that, change the regex match from ^(.*)$ to ^(.+)$. If you want to put these rules in the vhost config for the CDNdomain.com, add a slash after the ^: ^/(.+)$.

How can I get non existant files mapped correctly in .htaccess?

Duplicate:
How to rewrite non existant files to
‘default’ files?
(.htaccess)
How would I "rewrite" to a location if a file doesn't exist? I don't want to use a 404 redirect, but an actual rewrite.
So for example, let's say it is a directory with images. If the image isn't found, then it rewrites to a default image?
I.e.,
images/1.jpg
images/2.jpg
images/default.jpg
if someone tried to access "website.com/images/3.jpg",
since that doesn't exist, I want it to go to:
"website.com/images/default.jpg"
This was a previous "posted" solution, but didn't quite work:
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteRule /images/.* /images/error.jpg [L]
It still doesn't "get" the right image (just goes as a regular 404 request).
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteRule ^images/.* /images/error.jpg [L]
Obviously this only redirects if missing file is under /images/... but you can easily modify it for your own needs
Well, your previous posted solution is on the right track, but there's some slight craziness with it. Try this:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule images/.* /images/default.jpg [L]
You should better send a 404 status code if the file really doesn’t exist rather than just a substitute with a status code other than 404. Otherwise the URL will be handled as valid.
So in your case I recommend you to set the ErrorDocument of the images directory to your default image:
<Directory "/path/to/your/images/">
ErrorDocument 404 /images/default.jpg
</Directory>
But note that the <Directory> block is only available in the server or virtual host configuration context and not the per-directory context (thus .htaccess).
If you cannot use the above, you could use a custom script as your custom error document to check what URL has been requested (see Request_URI environment variable) and send the default image if necessary. The ErrorDocument directive then should look like this:
ErrorDocument 404 /your-error-404.script
re-write your 404 document for your images folder:
(In your .htaccess file in your images folder)
ErrorDocument 404 default.jpg

Resources