403 forbidden response still sends body - apache

I set up my .htaccess file so that only certain IP ranges can access the /admin portion of my site, as asked in this question: Deny access to URI
That works... in testing. When I tried this on my live, https enabled, site something strange happened:
When I GET the /admin page, I receive a 403 Forbidden status code but I also get the body as if nothing happened.
How is that possible, and how do I fix it?
Here's the eventual .htaccess:
SetEnvIf Request_URI ^(?!/admin) not_admin_uri
Order deny,allow
Deny from all
Allow from 127.0.0.1
allow from 366.241.93.
allow from env=not_admin_uri
Also: if I remove the last allow rule it actually does block the request (though it then, of course, blocks all requests)

The document for the 403 status code (which was 403.shtml) did not exist, in which case Apache apparently just executes the request.

Related

Using Apache REDIRECT_STATUS to allow custom ErrorDocument

I have an Apache config that uses legacy access rules and CGI error documents.
ErrorDocument 403 /perl/dispay.pl?page=error403
SetEnvIf User-Agent "SomeOldUserAgent" badUA
Deny from env=badUA
The blocking of the user agent works fine, but unfortunately the Deny rule also covers the generating of the error page.
I would like to exclude the error page from the blocking to provide a dynamic error message.
I have tried to allow by REDIRECT_STATUS, but this doesn't work.
SetEnvIf REDIRECT_STATUS 403 errorPage
Allow from env=errorPage
Any ideas?

Block access to PHP file using .htaccess

I want to block direct access to PHP file, for example when someone enters it manually in the address bar (https://example.com/php/submit.php). I used this code:
<Files "submit.php">
Order Allow,Deny
Deny from all
</Files>
But if I block it this way, the form can't be submitted (it doesn't send mails).
Is there another way to block direct access but to be able to submit form?
<form id="form" action="php/submit.php" method="post">
Your form is making a POST request, whereas "when someone enters it manually in the address bar" they are making a GET request. So, you could block anything but POST requests.
Using <LimitExcept>
For example, surround your existing directives in a <LimitExcept> container:
<LimitExcept POST>
<Files "submit.php">
Require all denied
</Files>
</LimitExcept>
Note that this blocks non-POST requests to any submit.php file on your system.
NB: Order, Allow and Deny are Apache 2.2 directives and formerly deprecated on Apache 2.4 (which you are more likely to be using, unless you are on LiteSpeed). Require all denied is the Apache 2.4 equivalent. However, you should not mix authentication directives from both modules.
Using mod_rewrite
Alternatively, using mod_rewrite near the top of the root .htaccess file you can target the /php/submit.php URL-path directly. For example:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !=POST [NC]
RewriteRule ^php/submit\.php$ - [F]
The above will serve a 403 Forbidden for any request to /php/submit.php that is not a POST request (e.g. when a user types the URL directly in the browser's address bar).
Alternatively, check that the request is a GET request, i.e. =GET
HOWEVER, you should already be performing this check as part of your standard form validation in your PHP code, so this additional check in .htaccess should be redundant. (After all, how are you checking that the form has been (successfully) submitted?)

403 when performing PUT request

I am very new to apache configurations and am trying to learn more. I am getting a 403 - Forbidden when making a PUT request, however a GET to the same URL works fine.
Is there something I need to enable to allow PUT requests?
I am using Apache and PHP
If you are working with Apache 2.4.x, a faulty or missing "Require" directive could be the cause of the 403.
In the <Directory> block of your virtualhost config, or your .htaccess file add the following line:
Require all granted
For details on the "Require" syntax see: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

Use the RewriteEngine to direct away from a denied directory

The setup
root/
  .htaccess :
    Deny from All
    RewriteEngine On
    RewriteRule secret.txt /root/public/welcome.txt
  secret.txt
  public/
    .htaccess :
      Allow from All
    welcome.txt
The problem
A request to /root/secret.txt results in a 403 (Forbidden) response that tells me I have no access to /root/secret.txt. (A direct request to /root/public/welcome.txt is permitted.)
Thus, it seems to me that the RewriteEngine does nothing to a request that would be denied by a Deny from All directive.
The question
It would be nice if someone knows a way to get the expected /root/public/welcome.txt served. However, it would be nicer if someone could help me reach my eventual goal.
The goal
I decided to write down my eventual goal, because maybe I'm just looking in the wrong direction.
I would like to Deny from All in the root, and have subdirectories decide when to override that with an Allow. Then I would also like Apache to rewrite all requests that would result in a 403 or 404 to a single specific file. As of yet, I'm planning to do this with a !-U flag, but I can't get past my initial problem.
You may try this in the .htaccess file at root directory:
Deny from All
ErrorDocument 404 /Error403_404.php
ErrorDocument 403 /Error403_404.php
"Error403_404.php" is an example. Replace with the 403 and 404 error handler script.

IP restriction with htaccess

I want to restrict an entire site in such a way that just two IPs could enter the site. I have the following in my .htaccess (at the root of site):
ErrorDocument 403 http://www.example.com/views/error403.html
Order Deny,Allow
Deny from all
Allow from 311.311.311 322.322.322.322
ErrorDocument 404 /views/error404.html
ErrorDocument 500 views/error500.html
(Obviously, these are fake IPs, in my .htaccess they are the right IPs)
As you can see, I allow just 322.322.322.322 and all IPs from 311.311.311.0/24, and deny for the rest of people. What I want is that when anybody enters the site from another IP, he'll view the error403.html page.
The filter is working fine, but not the redirection. When I try to enter the site from a denied IP, I see an Apache message:
Found
The document has moved here
Where "here" is a link to error403.html.
I think I'm restricting even the error403.html page.
How can I do this restriction, but allowing the view of the error page? Should I move error403.html page to another directory (i.e., /views/error/ ) and put other .htaccess in it, allowing in that file all the IPs?
Thank you in advance!
Yes, you have answered your own question. :) Move all non-protected pages into another directory with its own .htaccess containing the proper Allow and Deny.
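The access decisions made by the first question's .htaccess and by the one in "IP restriction with htaccess" can be checked without a live Apache by modelling how mod_authz_host evaluates Order, Deny and Allow. The following is an added example written for this page; it is neither Apache's code nor anything the posters wrote. It supports only the subset of directives used above (Order; Deny/Allow from all, a full or partial IPv4 address, or env=NAME; SetEnvIf on Request_URI), ignores ErrorDocument, mod_rewrite and <Files>/<LimitExcept> blocks, and treats the posters' placeholder IPs as plain strings. The IP_RESTRICT_FIXED variant is my own suggestion, not the page's: it exempts only the 403 page with the same SetEnvIf/env= technique the first question relies on, as an alternative to moving the page into a directory with its own .htaccess as the answer suggests.

```python
"""Model of Apache 2.2 mod_authz_host 'Order / Deny / Allow' evaluation.

Added example for this page (not Apache code, not the posters' code).
Supported subset: Order, 'Deny from' / 'Allow from' with 'all', a full or
partial IPv4 address, or 'env=NAME', and 'SetEnvIf Request_URI <regex> NAME'.
ErrorDocument, mod_rewrite and <Files>/<LimitExcept> blocks are out of scope.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    uri: str
    ip: str
    env: set = field(default_factory=set)  # variables set by SetEnvIf


def host_matches(spec: str, req: Request) -> bool:
    """True if one 'from' argument (all / env=NAME / IPv4 prefix) matches."""
    if spec.lower() == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in req.env
    # Partial address: Apache matches the leading 1-3 octets ("Allow from 10.1").
    # A trailing dot, as written in the first question, is tolerated here.
    want = spec.rstrip(".").split(".")
    return req.ip.split(".")[: len(want)] == want


def evaluate(htaccess: str, req: Request) -> bool:
    """Return True if the request is served, False if it gets a 403."""
    order = ("deny", "allow")  # Apache's default when no Order line is present
    allows, denies = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        key = word.lower()
        if key == "setenvif":
            attr, pattern, name = rest.split(None, 2)
            if attr == "Request_URI" and re.search(pattern, req.uri):
                req.env.add(name)
        elif key == "order":
            order = tuple(p.strip().lower() for p in rest.split(","))
        elif key in ("allow", "deny"):
            specs = rest.split()[1:]  # drop the literal 'from'
            (allows if key == "allow" else denies).extend(specs)
        # ErrorDocument and any other directive is ignored by this model
    allowed = any(host_matches(s, req) for s in allows)
    denied = any(host_matches(s, req) for s in denies)
    if order == ("deny", "allow"):
        # Deny rules first, then Allow; a matching Allow wins; default is allow.
        return allowed or not denied
    # Order allow,deny: Allow first, then Deny; a matching Deny wins; default deny.
    return allowed and not denied


# The .htaccess from the first question, verbatim (IPs are the poster's placeholders).
ADMIN_HTACCESS = """
SetEnvIf Request_URI ^(?!/admin) not_admin_uri
Order deny,allow
Deny from all
Allow from 127.0.0.1
allow from 366.241.93.
allow from env=not_admin_uri
"""

# The .htaccess from 'IP restriction with htaccess' (ErrorDocument lines kept but ignored).
IP_RESTRICT_HTACCESS = """
ErrorDocument 403 http://www.example.com/views/error403.html
Order Deny,Allow
Deny from all
Allow from 311.311.311 322.322.322.322
ErrorDocument 404 /views/error404.html
ErrorDocument 500 views/error500.html
"""

# Suggested variant (mine, not the page's): exempt only the 403 page, using the
# same SetEnvIf / env= technique the first question already relies on.
IP_RESTRICT_FIXED = IP_RESTRICT_HTACCESS + """
SetEnvIf Request_URI ^/views/error403\\.html$ error_page
Allow from env=error_page
"""

if __name__ == "__main__":
    for cfg_name, cfg, uri, ip in [
        ("admin", ADMIN_HTACCESS, "/admin", "203.0.113.5"),
        ("admin", ADMIN_HTACCESS, "/index.html", "203.0.113.5"),
        ("admin", ADMIN_HTACCESS, "/admin", "366.241.93.7"),
        ("ip-restrict", IP_RESTRICT_HTACCESS, "/views/error403.html", "203.0.113.5"),
        ("ip-restrict-fixed", IP_RESTRICT_FIXED, "/views/error403.html", "203.0.113.5"),
    ]:
        verdict = "served" if evaluate(cfg, Request(uri, ip)) else "403"
        print(f"{cfg_name:18} {ip:14} {uri:24} -> {verdict}")
```

Two things fall out of running it. The first question's rules do deny /admin to any address outside the listed ones while serving everything else, so the leaked body is not a rule mistake but the ErrorDocument problem the accepted answer describes (a missing 403 document). In the last question's configuration the request for /views/error403.html is itself denied, which is why a blocked visitor only ever sees the "Found" redirect that an absolute-URL ErrorDocument produces and never the page; exempting that one URI (or moving it under its own .htaccess, as the answer suggests) is what lets the error page through.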