I'm trying to filter requests for certain web assets (png, gif, jpg, jpeg and mp4 files) based on a specific x-header/value, and fail if not present in the request.
RewriteCond %{HTTP:X-Pull} !secretkey
RewriteRule \.(png|gif|jpg|jpeg|mp4)$ - [F]
It is expected to throw a 403/forbidden error for these file types, if a request does not contain the x-header/secretkey pair, regardless the full path to the file on the website.
I have tried several variations in my .htaccess file, but for *.png, *.gif, *.jpg and *.jpeg files it only works if the files reside in the website's root. However, the same rule works for *.mp4 files, regardless of where they are located (which is how it should work for all the file types in the list).
The site uses mod_pagespeed.
Since Pagespeed is deployed on this server, the .htaccess directives for rewriting the same asset types doesn't work. Here is one way I tried to handle the issue (by updating virtual host configuration file):
<IfModule pagespeed_module>
<If "req('X-Pull') != 'secretkey'">
ModPagespeed off
</If>
<Else>
ModPagespeed on
</Else>
...
</IfModule>
I also moved the rewrites to the virtual host configuration file due to the "significant per-request overhead from processing .htaccess files", as noted in the Pagespeed documentation.
Related
I am trying to write an .htaccess file to only allow access to pdf files in a subdirectory. I'm going to deploy the file on a host that I don't control, so I can't make changes to the apache configuration.
I want to only allow access to .pdf files in the Foo directory. I have attempted:
Deny From All
<FilesMatch ".+\/Foo\/.+\.pdf$">
Allow From All
</FilesMatch>
However, when I attempt to access example.com/bar/Foo/baz.pdf, I am given an HTTP 403 Forbidden response.
How can I deny access to everything, except for pdf files in one particular directory?
Thanks
Create a this inside root .htaccess as your very first rule:
RewriteEngine On
# prohibit everything except .pdf files
RewriteRule ^foo/(?!.*\.pdf$) - [F,NC]
I have a domain which contains within it multiple sites with multiple .htaccess files (it's for clients to check their own projects out before they go live to their own servers, so each .htaccess file controls its own site).
If I have a .htaccess file in the root, it will control the domain. If mydomain.com/doesntexist is entered and it doesn't exist, the root's 404 page will come up. If mydomain.com/doesexist/doesntexist is entered, the .htaccess file in the "doesexist" directory would take priority, as opposed to the root's .htaccess file ... correct?
You are correct.
I suggest you to read Apache HTTP Server Tutorial: .htaccess files
The configuration directives found in a .htaccess file are applied to
the directory in which the .htaccess file is found, and to all
subdirectories thereof. However, it is important to also remember that
there may have been .htaccess files in directories higher up.
Directives are applied in the order that they are found. Therefore, a
.htaccess file in a particular directory may override directives found
in .htaccess files found higher up in the directory tree. And those,
in turn, may have overridden directives found yet higher up, or in the
main server configuration file itself.
ROOT htaccess
ErrorDocument 404 /index.php
subfolder htaccess
ErrorDocument 404 /subfolder/index.php
http://domain.com/does_not_exist --> (404 error) /index.php
http://domain.com/subfolder/does_not_exist --> (404 error) /subfolder/index.php
I have a website that has a folder for images.
I have two problems:
I want to disable all script execution in that directory (i.e. no PHP/Perl/Python
anything.)
There are two php files in my images folder called gradient.php and rgba.php – I do what those to run as per usual.
How do I set up my .htaccess file to do that. Also, rather than placing a new .htaccess in the images directory, is it possible to incorporate these directives in the one in the site root?
You can add these rules to the htaccess file in your site root:
# check if the request is for the images folder
RewriteCond %{REQUEST_URI} ^/images/
# check that it isn't a request for an image
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif|bmp)$ [NC]
# check that it isn't a request for the 2 ok php files
RewriteCond %{REQUEST_URI} !^/images/(gradient|rgba)\.php$
# forbid access
RewriteRule ^ - [L,F]
This should make it so any request for /images/ that doesn't end with jpg/jpeg/png/gif/bmp (or whatever other extension you want to add to the regular expression) or isn't gradient.php or rgba.php, will result in a 403 forbidden.
EDIT:
I don't want them to be forbidden, I just want them to not execute – it's an upload folder, so I basically want it that if someone uploads a JPG that is secretly PHP code that I haven't detected, that it won't run
as long as jpg and other images are mapped to the correct mime/type (via AddType image/jpeg .jpg) then it won't get handed to the php handler and whatever code is there won't get executed. If you want to serve all files using the default handler, you need to set AddHandler default-handler php in the htaccess file in your images directory. You'll then need to move the gradient and rgba files out to some other directory. You can't selectively set handlers from an htaccess file, though you may be able to use <Location> blocks to set handlers in your vhost config.
EDIT 2:
I was wrong, you can use the H flag to set a custom handler using a rule. So in the above rules, instead of [L,F], you can do [L,H=default-handler] so that anything that isn't an image or gradient.php or rgba.php will get sent to the default-handler (e.g. php files will get sent as-is, and not handled and executed by mod_php).
So you can just do:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/images/(gradient|rgba)\.php$
RewriteRule ^ - [L,H=default-handler]
I am a beginner to Zend framework and I want to know more about the .htaccess file and its uses. Can somebody help me?
I found an example like this:
.htacess file
AuthName "Member's Area Name"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
require valid-user
ErrorDocument 401 /error_pages/401.html
AddHandler server-parsed .html
It's not part of PHP; it's part of Apache.
http://httpd.apache.org/docs/2.2/howto/htaccess.html
.htaccess files provide a way to make configuration changes on a per-directory basis.
Essentially, it allows you to take directives that would normally be put in Apache's main configuration files, and put them in a directory-specific configuration file instead. They're mostly used in cases where you don't have access to the main configuration files (e.g. a shared host).
.htaccess is a configuration file for use on web servers running the
Apache Web Server software.
When a .htaccess file is placed in a directory which is in turn 'loaded via the Apache Web Server', then the .htaccess file is detected and executed by the Apache Web Server software.
These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer.
These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or for more advanced functions such as content password protection or image hot link prevention.
Whenever any request is sent to the server it always passes through .htaccess file. There are some rules are defined to instruct the working.
Below are some usage of htaccess files in server:
1) AUTHORIZATION, AUTHENTICATION: .htaccess files are often used to specify the security restrictions for the particular directory, hence the filename "access". The .htaccess file is often accompanied by an .htpasswd file which stores valid usernames and their passwords.
2) CUSTOMIZED ERROR RESPONSES: Changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found.
Example : ErrorDocument 404 /notfound.html
3) REWRITING URLS: Servers often use .htaccess to rewrite "ugly" URLs to shorter and prettier ones.
4) CACHE CONTROL: .htaccess files allow a server to control User agent caching used by web browsers to reduce bandwidth usage, server load, and perceived lag.
More info : http://en.wikipedia.org/wiki/Htaccess
You are allow to use php_value to change php setting in .htaccess file. Same like how php.ini did.
Example:
php_value date.timezone Asia/Kuala_Lumpur
For other php setting, please read http://www.php.net/manual/en/ini.list.php
Htaccess is a configuration file of apache which is used to make changes in the configuration on a directory basis.
Htaccess file is used to do changes in functions and features of the apache server.
Htaccess is used to rewrite the URL.
It is used to make site address protected.
Also to restrict IP addresses so on particular IP address site will not be opened
You can think it like php.ini files sub files.. php.ini file stores most of the configuration about php like curl enable disable. Where .htaccess makes this setting only for perticular directory and php.ini file store settings for its server' all directory...
It is not so easy to give out specific addresses to people say for a conference or a specific project or product.
It could be more secure to prevent hacking such as SQL injection attacks etc.
.htaccess file create in directory /var/www/html/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
</IfModule>
What
A settings file for the server
Cannot be accessed by end-user
There is no need to reboot the server, changes work immediately
It might serve as a bridge between your code and server
We can do
URL rewriting
Custom error pages
Caching
Redirections
Blocking ip's
Excluding one or more directories from rewrite rules in .htaccess files seems to be a common question. However, my .htaccess does more than just set rewrite rules. I've also set some server changes (we don't have suPHP on this server) as well as set some prepending of some php files. For example these are a few examples:
# Make files ending in .php, .html and .xml files etc. parsed by php.
AddType application/x-httpd-php .php .html .xml .css .js .le .txt
<FilesMatch "\.html$">
php_value auto_prepend_file "/home/2427/spwebsites/www.spwebsites.co.uk/incs/phps/config.php"
</FilesMatch>
# Internal Server Error
ErrorDocument 500 /admin/errors.html?code=500
RewriteEngine On
RewriteRule ^([a-zA-Z0-9-]+)/$ $1.html [L]
I don't want any of these set for one directory (where my word press installation is), is there a way I can do this? Can I set a conditional statement for the whole .htaccess file?
Adding a blank .htaccess file in the word press directory won't work because this won't undo the settings in the parent directory.
I was just looking into your dilemma and it is a tricky one. It would be nice to be able to have the DirectoryMatch directive available in .htaccess ...
What you can try is to reset your values in the specific directory via another .htaccess file.
So in the case of the AddType perhaps, resetting it back to just ".php" might work (assuming it doesn't inherit the other values). Definitely not an ideal solution with out access to the main config file/ virtual host.
Here is a weird idea that you can try/test ... place the "wordpress" dir outside of the main root (or whereever you have the offending .htaccess file). Now route all requests to the wordpress (inner dir) to the outer dir. I wonder if Apache would not use the offending .htaccess considering the requests are being routed?