On a subdomain I want to use only a .htaccess file for redirects. No PHP, no database or something else will be used. Can a .htaccess file still be hacked? What should I do to protect it?
The apache2.conf file has following lines by default which prevent viewing of htaccess files:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
It will not be visible under standard Apache setup which blocks all files starting with.ht from being served. So nobody will be able to view the contents or get at it through the Apache front-end. Take the usual precaution of having it be 644 permissions and not owned by the user that Apache runs as. No extra security needed outside of protecting your server generally.
Check that the standard protection is in place, so it can't be viewed. Easiest way is just to try visiting it in a web browser. You should get a 403 forbidden.
If you're worried you could put the rules in the main server config instead. I wouldn't worry as long as the above is in place.
Related
I'm using Joomla 2.5 and Apache and I have followed this steps:
1- mod_rewrite module is eneabled? YES
2- htaccess.txt renamed to .htaccess
3- set "Use URL Rewriting" to YES.
And this is what I get:
Not Found
The requested URL /about-us was not found on this server.
The web is located in /var/www/
The .htaccess is located in /var/www/
And this is my .htaccess: http://pastebin.com/dq1TYs1t
Thanks for the help.
Since you said allowoverride was set to none, your .htaccess file will be ignored. You need to set allowoverride to all the other option is leave allowoverride at none, and take the contents of the .htaccess file and incorporate it into your apache configuration file. This has the benefit of being slightly faster as apache doesn't need to look in directory tree for .htaccess files (they are really good to allow users that don't have access to the configs the ability to override the base settings, but if you have access to /var/www you should also have access to make changes to the config files.
There is no need to enable any mod_rewrite module.
Need to enable URL rewriting option in global configuration. Also need to rename htaccess.txt file to .htaccess.
please check there is no any third party component of security like admin tools are enable or installed which is blocking this mod rewrite option.
I am a beginner to Zend framework and I want to know more about the .htaccess file and its uses. Can somebody help me?
I found an example like this:
.htacess file
AuthName "Member's Area Name"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
require valid-user
ErrorDocument 401 /error_pages/401.html
AddHandler server-parsed .html
It's not part of PHP; it's part of Apache.
http://httpd.apache.org/docs/2.2/howto/htaccess.html
.htaccess files provide a way to make configuration changes on a per-directory basis.
Essentially, it allows you to take directives that would normally be put in Apache's main configuration files, and put them in a directory-specific configuration file instead. They're mostly used in cases where you don't have access to the main configuration files (e.g. a shared host).
.htaccess is a configuration file for use on web servers running the
Apache Web Server software.
When a .htaccess file is placed in a directory which is in turn 'loaded via the Apache Web Server', then the .htaccess file is detected and executed by the Apache Web Server software.
These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer.
These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or for more advanced functions such as content password protection or image hot link prevention.
Whenever any request is sent to the server it always passes through .htaccess file. There are some rules are defined to instruct the working.
Below are some usage of htaccess files in server:
1) AUTHORIZATION, AUTHENTICATION: .htaccess files are often used to specify the security restrictions for the particular directory, hence the filename "access". The .htaccess file is often accompanied by an .htpasswd file which stores valid usernames and their passwords.
2) CUSTOMIZED ERROR RESPONSES: Changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found.
Example : ErrorDocument 404 /notfound.html
3) REWRITING URLS: Servers often use .htaccess to rewrite "ugly" URLs to shorter and prettier ones.
4) CACHE CONTROL: .htaccess files allow a server to control User agent caching used by web browsers to reduce bandwidth usage, server load, and perceived lag.
More info : http://en.wikipedia.org/wiki/Htaccess
You are allow to use php_value to change php setting in .htaccess file. Same like how php.ini did.
Example:
php_value date.timezone Asia/Kuala_Lumpur
For other php setting, please read http://www.php.net/manual/en/ini.list.php
Htaccess is a configuration file of apache which is used to make changes in the configuration on a directory basis.
Htaccess file is used to do changes in functions and features of the apache server.
Htaccess is used to rewrite the URL.
It is used to make site address protected.
Also to restrict IP addresses so on particular IP address site will not be opened
You can think it like php.ini files sub files.. php.ini file stores most of the configuration about php like curl enable disable. Where .htaccess makes this setting only for perticular directory and php.ini file store settings for its server' all directory...
It is not so easy to give out specific addresses to people say for a conference or a specific project or product.
It could be more secure to prevent hacking such as SQL injection attacks etc.
.htaccess file create in directory /var/www/html/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
</IfModule>
What
A settings file for the server
Cannot be accessed by end-user
There is no need to reboot the server, changes work immediately
It might serve as a bridge between your code and server
We can do
URL rewriting
Custom error pages
Caching
Redirections
Blocking ip's
I have created an axtra ftp account for someone else, so he can upload files.(tournament results, about 20/30 htm files and images)
I am also very paranoid, so in case he upload "possible dangerous" files, i do not want those files to be accessible via an http request. With the help of PHP I want to grab the content of those files. (I do not expect troubles with that yet)
Problem:
My hoster does not allow extra ftp accounts have access outside the public_html.
So i thought htacces should solve my problem. Just by deny from all rule.
But with ftp acces this htaccess file can be deleted or changed.
So i tried to add the following code in my main htacces file in the root of my site:
<Directory "/home/xxxx.nl/public_html/xxxxxxxx.nl/onzetoernooien/swissmaster_ftp">
deny from all
</Directory>
My site hung with an internal server error.
I have no access to the httpd file.
My idea was to use an htacces file above this directory.
If the absolute path was incorrect, i could use some kind of wildcard, like *swissmaster?
I have searched on the Apache website, but i get lost in the overwhelming amount of information.
Thanks in advance for any help!
Unfortunately you can't use a <Directory> section in .htaccess, only in the server configuration file. That causes the server error (check your error logs and you'll see the error message). We can't secure a subdirectory with a <Filesmatch "subdir/.*$"> either, as FilesMatch examines only the filename part of the requested URI.
You can, however, use mod_rewrite, along these lines:
RewriteEngine on
RewriteRule ^subdir.*$ - [NC,F]
If the requested URI matches the regex pattern subdir.* (so "subdir" followed by anything else; you may need to tweak the pattern, as it happily catches subdir_new/something.txt too -- I'm sure you get the idea), then mod_rewrite's F flag will return a 403 Forbidden status (the NC stands for No-Case, making the pattern case-insensitive).
I'm using OS X Lion's built-in Apache server. I placed a .htaccess file in my personal Sites directory, but Apache isn't reading it. My username is tophtucker, so the file is in /Users/tophtucker/Sites/. But whether I make .htaccess valid or gibberish or just test or whatever, it has no effect. If .htaccess contains just "test", I should get an error when I go to localhost/~tophtucker/, but I don't.
.htaccess works in other directories (like subdirectories of Sites). AllowOverride is set to All in httpd.conf, and AccessFileName is set to .htaccess. It's just something about the Sites directory. Does Apache give it weird special treatment or something?
OK, I figured it out:
When you're using personal sites with Apache, an additional configuration file is created in apache2/users/tophtucker.conf (or whatever your username is). AllowOverride in that configuration file was still set to None. I set it to All; problem solved!
I have a .htaccess file & I currently I am working on localhost. For a 404 page error, I have the following code in the .htaccess file:
ErrorDocument 404 /my_local_domain/404.php
But when I upload this file to my website online, the functionality of the file breaks. It no longer shows the 404.php page. It works if I modify the code in the .htaccess file of my online website to the following:
ErrorDocument 404 /404.php
Now all through the changes that I do in the .htaccess file, I would have to remember to remove the domain name before I upload it to the website or I risk breaking the functionality. So with this in mind, here are my questions:
1. How do I solve the above problem without needing to edit the .htaccess file each time (by stripping it off the my_local_domain) I make a change & upload it online?
2. How do I setup 404 page redirection for all the nested folders? (I don't want to setup a .htaccess file for each of the folders. A single .htaccess file that resides in the root folder of the website & controls all the redirection for all the sub-folders would be awesome)
All help is appreciated.
Thank you.
I believe you have two different issues here.
First of all, you should not need to have different paths in development and live site. It appears that you've configured your local Apache to host only one site and each actual sites goes in a subdirectory. It's not a good idea: you'll soon be mixing cookies and sessions between all your dev sites. Have a look at the name based virtual hosts feature: you can configure as many independent sites as you need. You don't even have to buy real domains in you set them in the hosts file.
Secondly, under certain circumstances it can be useful to have different Apache directives. I've been using the following trick.
Pick a keyword for the dev server, e.g. DEV_BOX.
Pass that keyword to Apache in the -D parameter. If you run it as service, you can run regedit and find the HKLM\SYSTEM\CurrentControlSet\Services\Apache2.2\Parameters key. Append -D DEV_BOX to the ConfigArgs value. Restart Apache.
Now, you can use the <IfDefine> directive to set local directives:
-
#
# Common stuff
#
AddDefaultCharset UTF-8
#
# Local-only stuff
#
<IfDefine DEV_BOX>
Options +Indexes
</IfDefine>
#
# Live-only stuff
#
<IfDefine !DEV_BOX>
Options -Indexes
</IfDefine>
First of all I suggest you setup local domains for development. For example if you are developing a website which will go under www.example.com, you can setup a local.example.com in your HOSTS file. You'll do a VirtualHost setup in your apache and the .htaccess will then be the same.
Also, you can setup a build process (e.g via Ant) which will allow you to prepare and generate a zip file with the files which go on the live server. This build will feature the correct configuration files (db configs, mail servers, htaccess etc).