Apache HTTPD - recursively deny specific file extensions and/or subdirs? - apache

I have an Apache 2.4 web server, and in its htdocs folder, there is a complicated structure of directories and subdirectories.
Is it possible to create a single, top-level .htaccess file that would deny specific file extensions (e.g. .bak)
and/or traversing into specific directory names (e.g. .git)
for the whole subdirectory structure?
E.g., I would like to respond with HTTP 403 Forbidden when requested:
htdocs/index.html.bak
htdocs/aaa/bbb/ccc/login.php.bak
htdocs/foooooooo/.git/subdir/some_pic.png
If not via .htaccess, then perhaps this can be achieved via httpd.conf?
Thanks!

Thanks! I ended up with the following .htaccess:
RewriteEngine On
RewriteRule \.bak$ - [F]
RewriteRule (^|/)\.git($|/) - [F]
Of course, this line in httpd.conf has to be uncommented first:
LoadModule rewrite_module modules/mod_rewrite.so

Related

Redirect access to .htaccess to another file

I was playing around with .htaccess files and I was wondering, completely out of curiosity, is it possible to redirect access to the .htaccess file itself to another file?
Example:
User goes to http://www.example.com/.htaccess
I want the user to be redirected to index.php?foo=bar
I've tried the following:
Redirect 301 /.htaccess /index.php?foo=bar
And
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^((?s).*)$ index.php?foo=bar [QSA,L]
</IfModule>
These methods work on any other file, but the .htaccess file itself always results in a 403 Forbidden page showing up.
Is this possible? If not, then why?
If you look in your webservers configuration file you will find some directive that prevents users from accessing .htaccess or .htpasswd file from the browser. For instance if I open up my apache configuration, located at /etc/apache2/apache.conf I can spot the following lines:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
So you should be able to change the above to:
Order allow,deny
Allow from all
you also need to make sure that you have the correct file permission on the .htaccess file and finally restart your server using:
sudo service apache2 restart
Of course doing the above would not be very secure.

How to enable apache rewrites step by step

I am writing scripts for Apache URL redirects.
I have researched the rewrite rules to be written.
Now I would like to know the procedure for implementing this.
Enabling mod_rewrites in http.conf
LoadModule rewrite_module modules/mod_rewrite.so
AddModule mod_rewrite.c
I have created .htaccess
Now I am not sure of the following.
1.Access rights required to do this.
2.The location to put .htaccess file
3.how to enable logs and write logs.
4.I have two web servers.Do I have to put this in both of them.
My rewrite rule looks some thing like this.
Options +FollowSymLinks -MultiViews
# Turn mod_rewrite on
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} old_domain\.com [NC]
RewriteRule ^(.*)$ http://www.new_domain.com/test$1 [L,R=301]
It would be good if some one help me with the step by step procedure to perform this.
1.Access rights required to do this.
You need write access to the folder the htaccess file is going to be uploaded to, and the htaccess file itself must have read rights by the webserver (most likely, the "apache" user)
Additionally, you need to have at the very least:
AllowOverride FileInfo
in the server config for the document root directory
2.The location to put .htaccess file
Based on the rules you have, you want it in the document root. It's denoted in the server config by the DocumentRoot directive
3.how to enable logs and write logs.
See: http://httpd.apache.org/docs/current/mod/mod_log_config.html
Specifically the TransferLog and ErrorLog directives
4.I have two web servers.Do I have to put this in both of them.
Do the same thing for each. If both webservers use the same document root, then obviously you don't need to put the htaccess file in 2 places. If they have different document roots, then put the htaccess file in both document roots.

how do I force all traffic to https?

I'm trying to use .htaccess to send all traffic to https. I'm using the example in this answer: Need to redirect all traffic to https
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
This isn't redirecting anything for me. I placed it in var/www but it doesn't seem to have any effect. What did I do wrong?
Try [R,L] at the end of the rewrite rule:
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
R redirects to the provided link, and L breaks the flow if condition is met.
For reference you can see:
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
If that's the only rules you have in your htaccess file and it's in your document root then you need to check a few things because the rules are fine.
Make sure mod_rewrite is loaded. There should be a line in your httpd.conf file that looks something like:
LoadModule rewrite_module modules/mod_rewrite.so
Make sure it's uncommented.
Make sure the directory that your htaccess file is in (should be your document root) is allowed to override server settings via htaccess. In your vhost or server config, there should be something along the lines of
<Directory "/var/www/">
AllowOverride All
... (some other stuff)
</Directory>
Make sure the AllowOverride is at least FileInfo
Make sure your document root is actually where your htaccess file is in. Your vhost config should have a line like:
DocumentRoot /var/www/
Make sure the document root is for the right vhost. If you have separate vhosts for SSL and non-SSL, make sure the htaccess file is in the document root for the non-SSL vhost.

WAMP Apache rewrite issue in .htaccess

I am working in a WAMP environment trying to create a bare bones front controller and have started with creating an .htaccess file in my project root (i.e. www/molecule/ The .htaccess contains:
Options +FollowSymLinks
IndexIgnore */*
# Turn on the RewriteEngine
RewriteEngine On
# Rules
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php
Apache rewrite_module is enabled in my WAMP settings, and also uncommented in the httpd.conf, but getting an Internal Server Error when I try to load any pages with that .htaccess in the directory. The Apache Error log reads:
[alert] [client 127.0.0.1] C:/wamp/www/molecule/.htaccess: Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
Can someone point me in the right direction?
It looks like you didn't turn on your mod_rewrite module. Find your httpd.conf file and do a search for mod_rewrite, the line should look something like this:
LoadModule rewrite_module modules/mod_rewrite.so
Make sure you uncomment that by removing the # in front of it.
if it is related to hosting site then ask to your hosting company or if you want to enable it in wamp local machine then check this youtube step by step tutorial related to enabling rewrite module in wamp apache
https://youtu.be/xIspOX9FuVU?t=1m43s
Wamp server icon -> Apache -> Apache Modules and check the rewrite module option
it should be checked but after that restart all services in wamp

How to debug .htaccess RewriteRule not working

I have a RewriteRule in a .htaccess file that isn't doing anything. How do I troubleshoot this?
How can I verify if the .htaccess file is even being read and obeyed by Apache? Can I write an echo "it is working" message, if I do write it, where would that line be echoed out?
If the .htaccess file isn't being used, how can I make Apache use it?
If the .htaccess is being used but my RewriteRule still isn't having an effect, what more can I do to debug?
Enter some junk value into your .htaccess
e.g. foo bar, sakjnaskljdnas
any keyword not recognized by htaccess
and visit your URL. If it is working, you should get a
500 Internal Server Error
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request....
I suggest you to put it soon after RewriteEngine on.
Since you are on your machine. I presume you have access to apache .conf file.
open the .conf file, and look for a line similar to:
LoadModule rewrite_module modules/mod_rewrite.so
If it is commented(#), uncomment and restart apache.
To log rewrite
RewriteEngine On
RewriteLog "/path/to/rewrite.log"
RewriteLogLevel 9
Put the above 3 lines in your virtualhost. restart the httpd.
RewriteLogLevel 9 Using a high value for Level will slow down your Apache server dramatically! Use the rewriting logfile at a Level greater than 2 only for debugging!
Level 9 will log almost every rewritelog detail.
UPDATE
Things have changed in Apache 2.4:
FROM Upgrading to 2.4 from 2.2
The RewriteLog and RewriteLogLevel directives have been removed. This functionality is now provided by configuring the appropriate level of logging for the mod_rewrite module using the LogLevel directive. See also the mod_rewrite logging section.
For more on LogLevel, refer LogLevel Directive
you can accomplish
RewriteLog "/path/to/rewrite.log"
in this manner now
LogLevel debug rewrite_module:debug
The 'Enter some junk value' answer didn't do the trick for me, my site was continuing to load despite the entered junk.
Instead I added the following line to the top of the .htaccess file:
deny from all
This will quickly let you know if .htaccess is being picked up or not. If the .htaccess is being used, the files in that folder won't load at all.
Generally any change in the .htaccess should have visible effects. If no effect, check your configuration apache files, something like:
<Directory ..>
...
AllowOverride None
...
</Directory>
Should be changed to
AllowOverride All
And you'll be able to change directives in .htaccess files.
To answer the first question of the three asked, a simple way to see if the .htaccess file is working or not is to trigger a custom error at the top of the .htaccess file:
ErrorDocument 200 "Hello. This is your .htaccess file talking."
RewriteRule ^ - [L,R=200]
On to your second question, if the .htaccess file is not being read it is possible that the server's main Apache configuration has AllowOverride set to None. Apache's documentation has troubleshooting tips for that and other cases that may be preventing the .htaccess from taking effect.
Finally, to answer your third question, if you need to debug specific variables you are referencing in your rewrite rule or are using an expression that you want to evaluate independently of the rule you can do the following:
Output the variable you are referencing to make sure it has the value you are expecting:
ErrorDocument 200 "Request: %{THE_REQUEST} Referrer: %{HTTP_REFERER} Host: %{HTTP_HOST}"
RewriteRule ^ - [L,R=200]
Test the expression independently by putting it in an <If> Directive. This allows you to make sure your expression is written properly or matching when you expect it to:
<If "%{REQUEST_URI} =~ /word$/">
ErrorDocument 200 "Your expression is priceless!"
RewriteRule ^ - [L,R=200]
</If>
Happy .htaccess debugging!
Perhaps a more logical method would be to create a file (e.g. test.html), add some content and then try to set it as the index page:
DirectoryIndex test.html
For the most part, the .htaccess rule will override the Apache configuration where working at the directory/file level
If you have access to apache bin directory you can use,
httpd -M to check loaded modules first.
info_module (shared)
isapi_module (shared)
log_config_module (shared)
cache_disk_module (shared)
mime_module (shared)
negotiation_module (shared)
proxy_module (shared)
proxy_ajp_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
version_module (shared)
php5_module (shared)
After that simple directives like Options -Indexes or deny from all will solidify that .htaccess are working correctly.
To test your htaccess rewrite rules, simply fill in the url that you're applying the rules to, place the contents of your htaccess on the larger input area and press "Test" button.
http://htaccess.mwl.be/
Check whether the permission to read and execute the .htaccess by apache process is possible. Looking into the error_log of Apache will help you to sort the permission related error.
Why not put some junk in your .htaccess file and try to reload apache. If apache fails to start you know its working. Remove the junk then reload apache if it loads congrats you configured .htaccess correctly.