Is there a way to disable the server signature without access to the httpd.conf?
I can't access the php.ini either...
I am allowed to edit only the .htaccess
In the .htaccess I tried to add:
1) this, but it has no effect:
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
2) this, but "ServerTokens Prod" gives me a 500 error
ServerSignature Off
ServerTokens Prod
Adding only "ServerSignature Off", the signature disappears only from the document, but in the response headers it is still present...
How can I remove it?
ServerTokens is only for server config not .htaccess.
http://httpd.apache.org/docs/2.2/en/mod/core.html#servertokens
Have you tried adding these lines in the .htaccess file:
ServerSignature Off
Header unset Etag
FileETag none
I was writing a .htaccess file for my PHP script.
This should only allow access to the index.php, cronjob.php and execute.php pages.
I wrote the .htaccess file as follows:
# Set default index file
DirectoryIndex index.php
# Disable indexing
Options -Indexes
# Set "403 Forbidden" as the default server behavior
Order Deny,Allow
Deny from all
# Allow requests to core PHP files
<FilesMatch "(index|execute|cronjob)\.php$">
Allow from all
</FilesMatch>
# If mod_rewrite module exists...
<IfModule mod_rewrite.c>
RewriteEngine On
# ...restrict access to PHP private directories
RewriteRule (^|/)logs(/|$) - [F]
RewriteRule (^|/)utils(/|$) - [F]
RewriteRule (^|/)modules(/|$) - [F]
</IfModule>
The main problem with this code is that https://example.com/ returns 403 Forbidden,
while https://example.com/index.php works.
You could put a condition to check if a URI does NOT contain either index.php OR cronjob.php OR execute.php and then forbid that page, so all other pages will be forbidden apart from these 3 PHP URIs.
Please make sure you clear your browser cache before checking your URLs.
RewriteEngine ON
RewriteCond %{REQUEST_URI} !(index|cronjob|execute)\.php [NC]
RewriteRule ^ - [F]
In the end I managed to get it to work, I don't know if it's the best .htaccess possible, but this is what I ended up with:
# Set default index file
DirectoryIndex index.php
# Disable indexing
Options -Indexes
# Set "403 Forbidden" as the default server behavior
Order Deny,Allow
Deny from all
# Allow requests to core PHP files
# Basically, it accepts the three PHP files and the empty string.
<FilesMatch "^((index|execute|cronjob)\.php)?$">
Allow from all
</FilesMatch>
I have 2 domains pointing to the same folder,
I need to put up a .htaccess file to change cache behaviour on the first domain.
Please don't suggest editing the server's vhost configuration, this question is specifically for .htaccess.
Something like:
<Match http://domain1.test.com>
Header unset ETag
</Match>
You can try this code in your DOCUMENT_ROOT/.htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^domain1\.test\.com$ [NC]
RewriteRule ^ - [L,E=TESTDOMAIN:1]
# Do not use etags for cache validation.
Header unset ETag env=TESTDOMAIN
# for older Apache versions
Header unset ETag env=REDIRECT_TESTDOMAIN
People, I have 'www.domain.com/home'. I want to delete '/home' from the name. Only 'www.domain.com' should be left in the URL.
I tested .htaccess but this does not work. I see the server automatically deletes 'index.html' from the URL. Some rules work in my htaccess, but replacing names in the URL does not.
Does somebody know how to delete '/home'? I just spent all morning trying to find a solution, but nothing works...
Enable mod_rewrite and .htaccess through httpd.conf and then put this code in your .htaccess under DOCUMENT_ROOT directory:
Options +FollowSymLinks -MultiViews
# Turn mod_rewrite on
RewriteEngine On
RewriteRule ^home/?$ / [L,R=301,NC]
I have Apache 2.2.22 on SUSE Linux. I want to disable TRACE & TRACK in Apache and use 1- TraceEnable Off and 2- RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
but neither of the 2 ways works.
In Apache2 you can just add TraceEnable Off in httpd.conf (end of file)
TraceEnable Off
To check if Trace is On/Off you can use Curl:
curl -v -X TRACE http://www.yourserver.com
You need to put TraceEnable Off in httpd.conf
To disable these methods, add the following lines for each virtual host in your configuration file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
nessus said)))
For Apache HTTPD 2.4:
Require not method TRACE TRACK
see Require Directive
Unless a module is installed which supports TRACK, TRACK is not supported by default by Apache, hence the only directive needed is:
TraceEnable Off
However, for a belt-and-suspenders approach, also add:
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
RewriteRule ^.* - [F]
This will disable both TRACE and TRACK.
View Demo Trace Using SSH Command
TRACE is enabled by default in an apache installation. There are two ways to remediate. The first can be used if you are running Apache 1.3.34, 2.0.55, or anything in the 2.2 release. Simply add the TraceEnable directive into your httpd.conf and set the value to Off.
TraceEnable Off
Add this line to httpd.conf.
The first thing to do is make sure that mod_rewrite is loaded. If mod_rewrite.so is missing from your apache configuration but you have it installed, (and your install location is /usr/local/apache), then add the following statement to your httpd.conf:
LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"
Then add the following as well to your httpd.conf file:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Test With Curl Command
curl -v -X TRACE http://localhost
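The same check as the curl command above, written as a small verification script (an added example, not code from any answer in this thread): it sends a TRACE and a TRACK probe to a host you name and classifies the reply the way a hardening review would, so many hosts can be checked the same way. Host and port are arguments you supply; nothing here is specific to a real server.

```python
import http.client

# Verdicts for one probe:
#   "echoed"  - method accepted and the request reflected (TraceEnable On)
#   "blocked" - 403 from a RewriteRule [F] or "Require not method",
#               405 from TraceEnable Off, or 501 because the server does
#               not know the method (Apache's default for TRACK)
#   "other"   - anything else, worth a manual look
def classify(status, content_type, body, method):
    """Classify an HTTP response to a TRACE/TRACK probe."""
    ctype = (content_type or "").lower()
    # A reflected request starts with the request line we sent, e.g. "TRACE / HTTP/1.1"
    echoed = body.lstrip().upper().startswith(method.encode() + b" ")
    if status == 200 and ("message/http" in ctype or echoed):
        return "echoed"
    if status in (403, 405, 501):
        return "blocked"
    return "other"

def probe(host, port=80, method="TRACE", path="/", timeout=5):
    """Send a single probe and return (status, verdict)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # The marker header makes a reflected request easy to spot by eye.
        conn.request(method, path, headers={"X-Probe": "trace-check"})
        resp = conn.getresponse()
        body = resp.read(4096)
        return resp.status, classify(resp.status, resp.getheader("Content-Type"), body, method)
    finally:
        conn.close()

def check_host(host, port=80):
    """Return {"TRACE": (status, verdict), "TRACK": (status, verdict)} for one host."""
    return {m: probe(host, port, m) for m in ("TRACE", "TRACK")}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for method, (status, verdict) in check_host(target).items():
        print(f"{method}: HTTP {status} -> {verdict}")
```

A verdict of "echoed" on any host means the TraceEnable Off or RewriteRule fix above has not taken effect there.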
I know there's already a few answers here, but I thought I'd chime in and add some additional options.
Slipstream's approach is certainly the simplest approach here, so if you're seeking a quick and easy fix, there's your pot of gold.
TraceEnable directive
As mentioned by a few people here, in Apache2, you can append the TraceEnable directive to the end of your httpd.conf or apache2.conf file:
TraceEnable Off
Rewrite Module
You can also add a rewrite configuration to your VirtualHost to explicitly block TRACK and TRACE requests:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
With this configuration, Apache catches all TRACK and TRACE requests, and replies with a 403 Forbidden error. None of the original request's content is echoed back.
Rewrite Module (More Restrictive)
But, what I haven't seen anyone else suggest is explicitly passing the methods you want to allow. This is a slightly tighter fix, and is required for PCI compliance:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [F]
</IfModule>
This will reject any request which is using a method not specified in the directive. Again, the original request content is not echoed back, and the server responds with a 403 Forbidden error.
Something to keep in mind for production systems is that RewriteEngine can be processor intensive. This is generally not much of an issue because the increase would be milliseconds (if not microseconds), but something to be mindful of if you have loads of rewrites.
Note: For the above rewrite configurations, you'll need to uncomment the LoadModule or AddModule (depending on your setup) directives in your Apache config for rewrite_module.
You can also use mod_allowmethods, found in Apache 2.3+:
<Location "/">
AllowMethods GET POST OPTIONS
</Location>
https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html
If I set DirectorySlash Off in my .htaccess file and call the directory without the trailing slash I get a 403 Forbidden from my server. If I call it with a slash everything works fine.
Could anyone explain why? Here is my fully anonymized .htaccess:
# GLOBAL CONFIG
Options +FollowSymlinks
DirectorySlash Off
AddDefaultCharset utf-8
php_value post_max_size 256M
php_value upload_max_filesize 256M
# BEGIN WordPress
RewriteEngine On
RewriteBase /folder/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /folder/index.php [L]
# END WordPress
# REMOVE WWW
RewriteCond %{HTTP_HOST} ^([^.]+)\.domain\.com$ [NC]
RewriteRule ^(.*)$ http://domain.com$1 [R=301,L]
As you know per the documentation, when DirectorySlash is set to Off, requests to /folder do not have DirectoryIndex evaluated. This means that the request will not be automatically mapped to /folder/index.php.
mod_dir performs this check in the "fixup" phase of the request processing. mod_rewrite, which is responsible for your RewriteRule definitions, also performs its processing in this phase when you specify the rules in a .htaccess file.
However, it was programmed with an awareness of modules like mod_dir, and includes a check to make sure that the current directory was requested with a trailing slash. If not, it declines to handle the request, since doing so might lead to undefined behaviour.
The request then moves on to the content-generation phase, which, since the request was not mapped to a real file, is handled by mod_autoindex. Given that Indexes are disabled on your host by default, mod_autoindex returns 403 Forbidden which is what you see.
Note that since DirectoryIndex is not evaluated, even if mod_rewrite were to process the request, it would still fail, because no auto-resolution to index.php would occur, and your rule
RewriteRule . /folder/index.php [L]
wouldn't match, because the . requires a match on something (but the request would be blank).
Enabling DirectorySlash prevents this scenario by correcting the prevented actions in all of the previously mentioned scenarios except the last note, which is taken care of by the fact that DirectoryIndex maps the request to index.php anyway.
With Apache 2.4 you can allow rewrites in .htaccess files by setting RewriteOptions AllowNoSlash.
Changes with Apache 2.3.16
...
*) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
for RewriteRules to be placed in .htaccess files that match the directory
with no trailing slash. PR 48304.
[Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]
...
See Apache documentation of mod_rewrite
I think it is because when you turn DirectorySlash off, it disables the autocorrection of the URL and tries to show the directory list, but fortunately you have probably disabled this somewhere (or in file permissions), so it sends a 403 Forbidden. I guess that when you turn it on, it works normally.
From what I understand from the docs, it is not very good for security to use DirectorySlash Off.
http://httpd.apache.org/docs/2.1/mod/mod_dir.html
As Tom already answered, there is a special option for RewriteOptions, but only for Apache 2.3.16+, so if you, like me, have an older version of Apache, then you cannot rewrite the URL for the same directory, because Apache doesn't know about this directory.
Example:
"GET /somedir" will point to <Directory /var/www/html/public> in the rewrite log, but(!) the requested filename (%f) in the access log will still be /var/www/html/public/somedir/ - this is crazy Apache logic. And Apache will show you either a 503 (without Options +Indexes) or a directory listing (otherwise) with wrong URLs such as /subdir/ instead of /somedir/subdir/
So, I've found only one solution that worked for me - using aliases:
AliasMatch "/somedir$" "/var/www/html/public/somedir/index.html"
Hope this helps someone else in 2020+ :D