My htaccess look like this:
# Prevent directory listings
Options -Indexes
redirect 301 /old.html http://blablabla.pl/new
redirect 301 /other-page.html http://blablabla.pl/new-page
redirect 301 /xxx.html http://blablabla.pl/zzz
# Prevent visitors from viewing files directly
<FilesMatch "\.(sdb|md|html|txt)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</FilesMatch>
# URL rewrites
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^(inc/|themes/|tmp/).*\.(php|html)$ - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]
</IfModule>
I'm using CMS that use html files as templates (there are variables, php code etc.). In htaccess of this CMS there are rules to prevent visitors from viewing html files directly. I moved one page to this CMS and wanted to do 301 redirect from old pages but it's not working - i'm getting 403 forbidden error. Is there a way to execute 301 redirect before other rules?
Working solution:
(...)
# Prevent visitors from viewing files directly
<FilesMatch "\.(sdb|md|html|txt)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</FilesMatch>
<FilesMatch "(old\.html)|(other-page\.html)|(xxx\.html)">
Allow from all
Satisfy any
</FilesMatch>
(...)
I have 2 projects, one is a PHP web API with the following .htaccess:
Header add Access-Control-Allow-Origin "http://app.domain.com"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Header always set Access-Control-Allow-Credentials true
RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-l
RewriteRule ^(.*)$ index.php/$1
Note the Access-Control-Allow-Origin header which contains the base URL of the second project (an angularjs application).
This does work, however I'd like to change the origin to * if both projects are being run on localhost, so that every developer within this project can simply test changes without deploying first.
How can I achieve this?
We do not want to use a separate .htaccess for local tests. We prefer to use a single one.
Are you searching for this ?
replace "Error Document" with "Acces control"
https://www.html-seminar.de/forum/thread/4027-if-abfrage-in-htaccess-unterscheiden-zwischen-localhost-xampp-und-webserver/
# Localhost / XAMPP
<IfModule mod_win32.c>
ErrorDocument 403 http://localhost/phip/www/404.html
ErrorDocument 404 http://localhost/phip/www/404.html
</IfModule>
# Webserver
<IfModule !mod_win32.c>
ErrorDocument 403 http://***/404.html
ErrorDocument 404 http://***/404.html
</IfModule>
My shared host offers shared SSl certificate like the following:
https://host###.HostMonster.com/~username
Where host### is the hosting server for my account there.
I use CakePHP app on the root of public_html where I have public_html/webroot path and I use the following .htaccess settings on public_html:
# Turn off the ETags
Header unset ETag
FileETag None
# Turn off the Last Modified header except for html docs
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|mp3)$">
Header unset Last-Modified
</FilesMatch>
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|mp3)$">
Header set Expires "Thu, 15 Jan 2015 20:00:00 GMT"
</FilesMatch>
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|mp3)$">
Header set Cache-Control "max-age=31449600"
</FilesMatch>
# Use PHP5.3 as default
AddHandler application/x-httpd-php54 .php
Redirect /Hosting/Q/ http://sub.mydomain.net/
<IfModule mod_rewrite.c>
RewriteEngine on
#RewriteCond %{HTTPS} =on
#RewriteBase /~twoindex/
RewriteRule ^$ webroot/ [L]
RewriteRule (.*) webroot/$1 [L]
</IfModule>
AddType audio/mpeg mp3
AddType text/xml xml
When I try to access https://host15.HostMonster.com/~myuser where host15 is my host server, I got 404 error.
I tried the following:
Creating a simple html file and placing it on public_html and then accessing it using https://host15.HostMonster.com/~myuser/simple.html. It also returns 404 error.
I tried to comment out the two lines after RewriteEngine on but no success too.
Removing the contents of the .htaccess file i.e making it empty, allowed me to access simple.html via https successfully.
The last try, is not a real option for me because it will destroy my CakePHP application. However, it approved that it is a problem related with rewriting rules in the .htaccess. So, I need to know how to modify the .htaccess to allow accessing my CakePHP application while allowing accessing the simple.html or better a sub directory on public_html
Update
I tried the following rule, but it ended with the error This webpage has a redirect loop when I try to access https://host15.HostMonster.com/~myuser/folder and it keeps everything fine for the CakePHP application.:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^host15\.HostMonster\.com [NC]
RewriteRule ^(.*)$ /~myuser/$1 [R,L]
RewriteRule ^$ webroot/ [L]
RewriteRule (.*) webroot/$1 [L]
</IfModule>
i have encountered on a very weird situations in magento. I uploaded my magento website to a shared hosting(Folder name => abc/balaji/). Everything was working fine but when i added it with a domain then after i logged into my admin panel and saving anything whether it is a product,category,static blocks or deleting anything then nothing has been changing at all and When i checked the website through firebug and it shown me that the request first implemented through post(Contains index.php in the requested url) and then it moved permanently 302 to get request(without index.php). I have used several others htaccess in my website but still it is of no use. Sometimes i am getting 404 errors when using others htaccess. Below is my htacess file.
############################################
## These options are useful for development
#php_flag display_startup_errors on
#php_flag display_errors on
#php_flag html_errors on
#php_flag log_errors on
#php_flag log_errors_max_len 0
#php_value error_log /var/www/magento-lite/var/log/php_errors.log
############################################
############################################
## uncomment these lines for CGI mode
## make sure to specify the correct cgi php binary file name
## it might be /cgi-bin/php-cgi
# Action php5-cgi /cgi-bin/php5-cgi
# AddHandler php5-cgi .php
############################################
## GoDaddy specific options
Options -MultiViews
## you might also need to add this line to php.ini
## cgi.fix_pathinfo = 1
## if it still doesn't work, rename php.ini to php5.ini
############################################
## this line is specific for 1and1 hosting
#AddType x-mapp-php5 .php
#AddHandler x-mapp-php5 .php
############################################
## default index file
DirectoryIndex index.php
<IfModule mod_php5.c>
############################################
## adjust memory limit
php_value memory_limit 128M
php_value max_execution_time 18000
############################################
## disable magic quotes for php request vars
php_flag magic_quotes_gpc off
############################################
## disable automatic session start
## before autoload was initialized
php_flag session.auto_start off
############################################
## enable resulting html compression
#php_flag zlib.output_compression on
###########################################
# disable user agent verification to not break multiple image upload
php_flag suhosin.session.cryptua off
###########################################
# turn off compatibility with PHP4 when dealing with objects
php_flag zend.ze1_compatibility_mode Off
</IfModule>
<IfModule mod_security.c>
###########################################
# disable POST processing to not break multiple image upload
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
<IfModule mod_deflate.c>
############################################
## enable apache served files compression
## http://developer.yahoo.com/performance/rules.html#gzip
# Insert filter on all content
###SetOutputFilter DEFLATE
# Insert filter on selected content types only
#AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
# Netscape 4.x has some problems...
#BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
#BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
#BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don't compress images
#SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
#Header append Vary User-Agent env=!dont-vary
</IfModule>
<IfModule mod_ssl.c>
############################################
## make HTTPS env vars available for CGI mode
SSLOptions StdEnvVars
</IfModule>
<IfModule mod_rewrite.c>
############################################
## enable rewrites
Options +FollowSymLinks
RewriteEngine on
############################################
## you can put here your magento root folder
## path relative to web root
RewriteBase /
############################################
## uncomment next line to enable light API calls processing
# RewriteRule ^api/([a-z][0-9a-z_]+)/?$ api.php?type=$1 [QSA,L]
############################################
## rewrite API2 calls to api.php (by now it is REST only)
RewriteRule ^api/rest api.php?type=rest [QSA,L]
############################################
## workaround for HTTP authorization
## in CGI environment
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
############################################
## TRACE and TRACK HTTP methods disabled to prevent XSS attacks
RewriteCond %{REQUEST_METHOD} ^TRAC[EK]
RewriteRule .* - [L,R=405]
############################################
## redirect for mobile user agents
#RewriteCond %{REQUEST_URI} !^/mobiledirectoryhere/.*$
#RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC]
#RewriteRule ^(.*)$ /mobiledirectoryhere/ [L,R=302]
############################################
## always send 404 on missing files in these folders
RewriteCond %{REQUEST_URI} !^/(media|skin|js)/
############################################
## never rewrite for existing files, directories and links
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
#RewriteRule ^admin/(.*)$ /index.php/admin/$1 [L]
#RewriteRule ^index.php/admin/(.*)$ /admin/$1 [L,R]
# These lines are needed to prevent Apache from serving
# up the /admin folders directory index when a request is
# made for "/admin" or "/admin/".
############################################
## rewrite everything else to index.php
RewriteRule .* index.php [L]
RewriteCond %{THE_REQUEST} ^.*/index.php
RewriteRule ^(.*)index.php$ http://www.http://balajisolarsystems.com/$1 [R=301,L]
RewriteCond %{http_host} ^.balajisolarsystems.com [NC]
RewriteRule ^(.*)$ http://www.balajisolarsystems.com/$1 [R=301,NC]
RewriteRule ^index.php/(.*) $1 [R=301,QSA,L]
</IfModule>
############################################
## Prevent character encoding issues from server overrides
## If you still have problems, use the second line instead
AddDefaultCharset Off
#AddDefaultCharset UTF-8
<IfModule mod_expires.c>
############################################
## Add default Expires header
## http://developer.yahoo.com/performance/rules.html#expires
ExpiresDefault "access plus 1 year"
</IfModule>
############################################
## By default allow all access
Order allow,deny
Allow from all
###########################################
## Deny access to release notes to prevent disclosure of the installed Magento version
<Files RELEASE_NOTES.txt>
order allow,deny
deny from all
</Files>
############################################
## If running in cluster environment, uncomment this
## http://developer.yahoo.com/performance/rules.html#etags
#FileETag none
I am stucked from 2 days and not able to find any kinds of solution till now. Please help me.
I have a subdomain called cdn.domain.com, from which I serve CSS, JS and some images.
When I run Google Chrome's audit, it says that I can imporve speed by serving those files from a cookieless domain.
I've searched on the internet and found mostly this:
<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
But when I add this to my .htaccess in my root, I see no change in my requests, when I add this to the .htaccess of the cdn.domain.com, nothing happens as well.
When I look into the request headers I always see this:
Cookie:__utma=124771992.1672641002.1393489852.1393489852.1393489852.1; __utmz=124771992.1393489852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cve=7%2BOFANPFY6bPsm9274j8hJIz%2BPvLQRT%2FJZG9ftr2o7c%3D; cvp=dNuYumBN%2F642JaRgONUeEq1upp2y%2F%2FtDjt%2BBbV87W%2BA%3D
The subdomain is a subfolder of the global domain.
Both the global and the subdomain have this .htaccess:
# http://www.askapache.com/htaccess/htaccess.html
## ERRORDOCUMENTS
# http://askapache.com/htaccess/apache-status-code-headers-errordocument.html
ErrorDocument 400 /include/html/errorPages/400.html
ErrorDocument 403 /include/html/errorPages/403.html
ErrorDocument 404 /include/html/errorPages/404.html
ErrorDocument 500 /include/html/errorPages/500.html
<IfModule mod_headers.c>
SetEnvIf Origin "http(s)?://(www\.)?(copperviper.com)$" AccessControlAllowOrigin=$0$1
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
order deny,allow
deny from all
allow from 62.132.244.73
# Possible values for the Options directive are "None", "All", or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
RewriteEngine On
RewriteBase /cdn/
# REWRITE TO WWW
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC]
RewriteCond %{HTTP_HOST} ([a-z-]+\.[a-z]{2,6})$ [NC]
RewriteRule ^/(.*)$ http://%1/$1 [R=301,L]
# REWRITE TO SEF URL'S
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*)/(.*)/(.*) index.php?a=$1&b=$2&c=$3&d=$4 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*)/(.*) index.php?a=$1&b=$2&c=$3 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*) index.php?a=$1&b=$2 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php?a=$1 [QSA,L]
# COMPRESSION
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/plain text/html text/x-php text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript application/x-httpd-php application/octet-stream image/svg+xml application/font-woff image/svg+xml
# REMOVE BROWSER BUGS
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
# enable PHP error logging
php_flag log_errors on
php_flag display_startup_errors on
php_flag display_errors on
php_flag html_errors on
php_value docref_root 3
php_value docref_ext 3
php_value upload_max_filesize 2000M
php_value post_max_size 2000M
php_value max_execution_time 200000
php_value max_input_time 200000
# CACHED FOREVER
# MOD_REWRITE TO RENAME EVERY CHANGE
ExpiresActive On
ExpiresDefault A29030400
Header set Cache-Control "public"
Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT"
Header unset Last-Modified
# PROTECT .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# Commonly used filename extensions to character sets.
AddDefaultCharset UTF-8
DefaultLanguage en-US
# Set the Time Zone of your Server
SetEnv TZ Etc/GMT
# ServerAdmin: This address appears on some server-generated pages, such as error documents.
SetEnv SERVER_ADMIN bug#copper-viper.com
# SEND CUSTOM HEADERS
Header set P3P "policyref='http://www.askapache.com/w3c/p3p.xml'"
Header set X-Pingback "http://www.askapache.com/xmlrpc.php"
Header set Content-Language "en-US"
Header set Vary "Accept-Encoding"
# ADD VALUES FROM HTTP HEADERS
SetEnvIfNoCase ^If-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1
SetEnvIfNoCase ^If-None-Match$ "(.+)" HTTP_IF_NONE_MATCH=$1
SetEnvIfNoCase ^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1
SetEnvIfNoCase ^Connection$ "(.+)" HTTP_CONNECTION=$1
SetEnvIfNoCase ^Keep-Alive$ "(.+)" HTTP_KEEP_ALIVE=$1
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
SetEnvIfNoCase ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature On
## LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK
#bytes, 0-2147483647(2GB)
LimitRequestBody 10240000
## MOST SECURE WAY TO REQUIRE SSL
# http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
#SSLOptions +StrictRequire
#SSLRequireSSL
#SSLRequire %{HTTP_HOST} eq "askapache.com"
#ErrorDocument 403 https://askapache.com
# Safe Request Methods
# Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD[403]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .* - [F,NS,L]
# Forbid Proxies ^
# Denies any POST Request using a Proxy Server. Can still access site, but not comment. http://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htaccess/
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F,NS,L]
# HTTP PROTOCOL ^
# Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* - [F,NS,L]
# SPECIFY CHARACTERS ^
# Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&" - REALLY helps but may break your site depending on your links.
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]
# BAD Content Length ^
# Denies any POST request that doesnt have a Content-Length Header
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteRule .* - [F,NS,L]
# BAD Content Type ^
# Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteRule .* - [F,NS,L]
# Missing HTTP_HOST ^
# Denies requests that dont contain a HTTP HOST Header.
RewriteCond %{HTTP_HOST} ^$
RewriteRule .* - [F,NS,L]
# Bogus Graphics Exploit ^
# Denies obvious exploit using bogus graphics
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]
# No UserAgent, Not POST ^
# Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F,NS,L]
What am I doing wrong here?
This is what the manual page for setcookie() explains about the $domain argument:
Setting the domain to 'www.example.com' will make the cookie available
in the www subdomain and higher subdomains. Cookies available to a
lower domain, such as 'example.com' will be available to higher
subdomains, such as 'www.example.com'. Older browsers still
implementing the deprecated ยป RFC 2109 may require a leading . to
match all subdomains.
This implies that in modern browsers (I suppose that means almost all in practice) any cookie set for domain.com will be sent back by the browser to cdn.domain.com as well. That's how the cookie spec works and I don't think there's a clean solution.
Ideally, your cookieless domain should use an entirely different top level domain; or your site should be hosted in a subdomain, such as www.domain.com, so you can fine-tune cookies. I guess none are reasonable options for you at this point so you'll probably have to live with it.