I need to block URLs that containt specific words which can be everywhere in the URL.
For example: www.mytest.de/main/:aaa or www.mytest.de/:aaa/main
So I need to block all URLs which contain :aaa. The same will be for :bbb and :ccc.
Not all URLs containing ":" should be blocked, only specific ones.
So I added
<LocationMatch ":aaa">
Require env VAR
</LocationMatch>
<LocationMatch ":bbb">
Require env VAR
</LocationMatch>
How is it possible to put this all in one line like:
<LocationMatch ":aaa" ":bbb">
Require env VAR
</LocationMatch>
Thank you
Related
I'm going mad over Apache .htaccess
I'm trying to setting as protected my subfolders using relative address, but it seems impossible.
The path of Apache folder is structured like this:
/var/www/apachedir
now I want to protect
/var/www/apachedir/subfolder/*
What I tryied is putting in /var/www/apachedir/ an .htaccess file like this
<FilesMatch "subfolder\/.*">
Order Allow,Deny
Deny from all
</FilesMatch>
but it seems not woking good.
I don't want to use ModRewrite and I want to make this .htaccess reusable.
So, listen, if I put the site over an other server that has a direcory structure like /var/www/zzz it has to protect files in /var/www/zzz/subfolder/*.
Also the file .htaccess has to stay in the root folder /var/www/apachedir.
There's a way to do it?
Edit:
I don't want to use ModRewrite but also I don't want to use Redirectmatch.
I want to know if there's a way to set it up with FilesMatch without ModRewrite or Redirectmatch.
I don't want to use ModRewrite.
You can use RedirectMatch to block access to a known path:
Redirectmatch 403 ^/subfolder/
I want to know if there's a way to set it up with FilesMatch
No, because the FilesMatch (and the non-regex Files) directive(s) literally match against files only, not directories. eg. <Files "*.jpg"> matches all .jpg files in any subdirectory.
There are various methods to block access to that subdirectory...
Use a <Directory> section in the server config
If you have access to the server (virtual host) config then you can use the <Directory> (and <DirectoryMatch>) directive(s) to target specific directories. But this is not permitted in .htaccess. For example:
<Directory "/var/www/apachedir/subfolder">
Require all denied
</Directory>
Create an additional .htaccess file in that subdirectory
The equivalent userland .htaccess way of doing this is to create an additional .htaccess file in that subdirectory (ie. at /subfolder/.htaccess) with a single Require all denied directive. The .htaccess file itself is equivalent to the <Directory> directive in the server config.
Aside: Order, Deny and Allow are Apache 2.2 directives and formerly deprecated on Apache 2.4 (which you are far more likely to be using). You should be using the equivalent Require (mod_authz_core) directives instead, as used above.
Use Redirect 403 (mod_alias) - not a "redirect"
I don't want to use ModRewrite but also I don't want to use Redirectmatch
RedirectMatch (and Redirect) are part of mod_alias - this is a base module and compiled into Apache by default (unlike mod_rewrite), so using the prefix-matching Redirect directive (no need for the regex variant RedirectMatch) is a reasonable solution as #anubhava suggests in his answer, depending on the scenario and existing directives. For example:
Redirect 403 /subfolder/
Despite the use of the Redirect directive, this is not an external (HTTP) redirect. The 403 response is served via an internal subrequest.
Set an environment variable and check with mod_authz_....
Alternatively, you can set an environment variable when the /subfolder is requested (using SetEnvIf) and check for this using the Require directive. This allows you to keep the condition separate from the directives that actually permit access. For example (using Apache 2.4 mod_authz_core):
SetEnvIf Request_URI "^/subfolder/" BLOCK_ACCESS
<RequireAll>
Require all granted
Require not env BLOCK_ACCESS
</RequireAll>
NB: If you are doing any URL-rewriting with mod_rewrite then you might need to check for REDIRECT_BLOCK_ACCESS instead in the above Require directive.
<If> expression (Apache 2.4)
On Apache 2.4 you can also use an <If> expression to target that specific subfolder with a containing mod_authz_core directive. For example:
<If "%{REQUEST_URI} =~ m#^/subfolder/#">
Require all denied
</If>
Although, strictly speaking, these methods target the URL-path, not the file-path.
I'm using SetEnvIf and Deny to block access to certain countries in my .htaccess.
But I need to exclude certain URLs from this blocking, and thus I'm setting another environment variable for those URLs.
How do I Deny based on a combination of variable 1 and variable 2 ?
SetEnvIf GEOIP_COUNTRY_CODE xx BlockedCountry
SetEnvIf Request_URI "^/important" NeverBlock
In pseudo code I want to do this now:
Deny from env=BlockedCountry && !NeverBlock
From Apache documentation :
Syntax: Deny from all|host|env=[!]env-variable
[host|env=[!]env-variable] ...
Which means you can combine conditions one after the other (there is no "boolean" operators in between).
So in your case, it should look like this
Deny from env=BlockedCountry env=!NeverBlock
Update
From what you said, it looks like this implies an OR condition instead of an AND (what you want). To do so, you can use this workaround
SetEnvIf GEOIP_COUNTRY_CODE xx MustBeBlocked
SetEnvIf Request_URI "^/important" !MustBeBlocked
Deny from env=MustBeBlocked
With this technique, you set/unset the environment variable depending on the case, which simulates an AND condition.
On a Codeigniter application I want to limit http post request size (in bytes) with limitRequestBody htaccess directive. Since all requests are written to index.php this setting affects to all form submissions. That is problematic. What I really want is limit post size to certain urls. For example, if I have two urls, like below
mysite.com/member/login
mysite.com/contact
I only want to apply this setting only to the mysite.com/member/login. Not for mysite.com/contact
I tried with apache's LocationMatch and IF Directives to specifically target the url but unfortunately none of it worked. Instead server went into a redirect loop.
<LocationMatch "^/member/login">
limitRequestBody 128
</LocationMatch>
<If "%{REQUEST_URI} ^/member/login">
limitRequestBody 128
</If>
Is there anything wrong with the above approach? Syntax? or any other way to get this done?
How are the Apache2 (2.4) CGI environment variables CONTEXT_DOCUMENT_ROOT and CONTEXT_PREFIX defined?
From experimentation, I've determined the following:
CONTEXT_DOCUMENT_ROOT appears to be the full local path to the original request when DirectoryIndex or ErrorDocument call a CGI script.
CONTEXT_PREFIX appears to be the original REQUEST_URI, sans any query part, when DirectoryIndex or ErrorDocument have called a CGI script. (In these cases, REQUEST_URI is set to the URI of the CGI script, rather than the original.)
However, I can't seem to find any official documentation from Apache on these variables. Does anyone here have a link to such documentation, or more authoritative knowledge to share?
CONTEXT_PREFIX and CONTEXT_DOCUMENT_ROOT tell you how apache used an Alias directive (or similar feature - like mod_userdir) to translate the URL path to the file system path. The file system path will end up pointing to the the file to be served or a cgi script to run.
So, if apache translates the URL:
http://host/_CONTEXT_PREFIX/path/file
to the file system path:
/_CONTEXT_DOCUMENT_ROOT/path/file
it implies there is an Alias (or ScriptAlias or similar mechanism such as mod_userdir) like the following:
Alias /_CONTEXT_PREFIX /_CONTEXT_DOCUMENT_ROOT
The Alias directive saves /_CONTENT_PREFIX in ${CONTEXT_PREFIX} and /_CONTEXT_DOCUMENT_ROOT is saved in ${CONTEXT_DOCUMENT_ROOT}.
Here is one example of using it. In a <Directory> context RewriteRule translates a path name relative to the directory to a absolute URL path, or an absolute file name (which must exist). So if you wanted to translate URL's that ended in .htm to .php, you would have to write it like this:
<Directory "/_CONTEXT_DOCMENT_ROOT">
<FilesMatch "*.htm">
RewriteEngine On
RewriteRule (.*)[.]html$ /_CONTEXT_DOCUMENT_ROOT/$1.php
</FilesMatch>
</Directory>
Now you can write it without repeating /_CONTEXT_DOCUMENT_ROOT, but perhaps more importantly the file does not have to exist because we are rewriting it to a URL path:
<Directory "/_CONTEXT_DOCMENT_ROOT">
<FilesMatch *.htm>
RewriteEngine On
RewriteRule (.*)[.].* ${CONTEXT_PREFIX}/$1.php
</FilesMatch>
</Directory>
I have a directory protected by htaccess. Here is the code I use now:
AuthName "Test Area"
Require valid-user
AuthUserFile "/***/.htpasswd"
AuthType basic
This is working fine. However, I now have a directory inside of this folder that I would like to allow anyone to access, but am not sure how to do it.
I know that it is possible to just move the files outside of the protected directory, but to make a long story short the folder needs to stay inside the protected folder, but be accessible to all.
How can I restrict access to the folder, but allow access to the subfolder?
Just create an .htaccess file in the subdirectory with the content:
Satisfy any
According to this article you can accomplish this by using SetEnvIf. You match each of the folders and files you want to grand access to and define an environment variable 'allow' for them. Then you add a condition that allows access if this environment variable is present.
You need to add the following directives to your .htaccess.
SetEnvIf Request_URI "(path/to/directory/)$" allow
SetEnvIf Request_URI "(path/to/file\.php)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
The accepted answer does not seem to run well with new Apache Versions, since it stopped working as soon as Apache Updates were rolled out on some of my customers servers.
I recommend the following approach:
AuthType Basic
AuthName "NO PUBLIC ACCESS"
AuthUserFile /xxx/.htpasswd
SetEnvIf REQUEST_URI "(path/to/directory/)$" ALLOW
<RequireAny>
Require env ALLOW
Require valid-user
</RequireAny>
I don't have enough reputation to add a comment, but two of these answers use the pattern:
SetEnvIf Request_URI "(path/to/directory/)$" allow
to set an environment variable and then check to see if it exists. The part in the quotes is a regular expression. This statement is saying that any path that ENDS with "path/to/directory/" matches and should set the variable, such as "administrationpath/to/directory/", but not "path/to/directory/index.html". The "$" matches the end of the string.
A better match would be:
SetEnvIf Request_URI "^/path/to/directory/" allow
This means the URI path must begin with "/path/to/directory/" (the caret matches the start of the string) but can have additional content after the trailing slash. Note that this requires the trailing slash. To make it optional you could add two rules:
SetEnvIf Request_URI "^/path/to/directory$" allow
SetEnvIf Request_URI "^/path/to/directory/" allow
or, with more pattern matching:
SetEnvIf Request_URI "^/path/to/directory(/.*)?$" allow
The parenthesis and question mark make an optional group and ".*" means zero or more characters.
Personally, I'd either use require all granted 1 in the subfolder's .htaccess or:
require expr "%{REQUEST_URI} =~ m|^/path/to/directory(/.*)?$|" 2 in the parent's.
For Apache 2.4, create a .htaccess file with the following content:
Require all granted
Place it in the subdirectory you want to allow access to.
There is no need to create a .htaccess in the subdirectory.
Just create as many variables as you need with SetEnvIf directive, and be sure the file or path name you want to allw/deny is part of the URI regex you pass to SetEnvIf, exactly like #Sumurai8 said, but set the regex to fit your needs, for the URI should start/end/contain a set of characters............