To keep it simple, I'm trying to find the nginx alternative to the following apache htaccess directives:
<Files track>
SetHandler application/x-httpd-php
</Files>
<Files ttrack>
SetHandler application/x-httpd-php
</Files>
<Files qtrack>
SetHandler application/x-httpd-php
</Files>
I have several of these directives, and it is not possible to rename the files with a php extension so that's out of the question. I just need to know how I can get these extensionless files to be run as php scripts.
If I'm not wrong (it's several years I don't use Apache), you can try:
location /(track|ttrack|qtrack) {
// the stuff to use php-cgi like:
fastcgi_pass upstreamServerPool;
// ...
}
This will match all requests for url like /track or /ttrack or /qtrack.
Related
Drupal html files under sites/default/files/* is downloading but executing.
Note: .htaccess file under sites/default/files/ is with default setting as below:
Turn off all options we don't need.
Options None
Options +FollowSymLinks
Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
Fixed after adding a .htaccess file with below
ForceType text/html
Header set Content-Disposition inline
I've searched all over stackoverflow and seen various posts but no luck thus far.
Let me paint the picture: Im hosting a game server for me and some buddies and im symlinking the directory with maps and mod to apache2. I only want the outside world to be able to download the so called "pk3" files but not the "cfg","log" or any other file type.
That part i got working. I also want autoindex to work but no luck thus far. I get a 403 error.
Current state:
<Directory /var/www/redirect/*>
allow from all
Options +Indexes
IndexIgnore .. *cfg* *dat *dll *txt URL *log *backup* database
IndexOptions FancyIndexing FoldersFirst
AllowOverride None
Require all granted
</Directory>
<Files *>
Order deny,allow
deny from all
</Files>
<Files *.pk3>
Order deny,allow
allow from all
</Files>
<FilesMatch "^(index\.*)?$">
Order allow,deny
allow from all
</FilesMatch>
The FilesMatch doesnt seem to work properly (hence the [access_compat:error] in my logs and 403 in my browser).
Hopefully someone can help me with this, ive been searching for hours.
See here:
https://serverfault.com/questions/634996/apache2-allow-directory-indexing-but-restrict-file-access-by-type
You need also to allow index files:
<FilesMatch "index\.">
Order allow,deny
allow from all
</FilesMatch>
because Apache will search for them (like index.html, index.cgi,...) but they are all forbidden. I'm not sure why, but I suppose Apache cannot even check for existence of those files, and then sends a 403.
If Apache can check the inexistence of those index files, he will create the directory index, and that needs the <FilesMatch ""> Directive, as the index file name is "".
You can find the information in the error logfile, some lines like:
client denied by server configuration: /var/www/index.html
And because you want that forbidden files are listed too, you need to add
IndexOptions ShowForbidden
for example after Options Indexes FollowSymLinks.
There are plenty of options for directory indexes you can find them in the apache doc.
Hope this helps.
Update: The FilesMatch needs to hit every possible entry from the DirectoryIndex directive and the empty string. If you have this:
DirectoryIndex index.html index.html.var index.php
then this is your match:
<Files ~ ^index\.(html|php|html.var)$|^$>
It might be easiest to set DirectoryIndex and then match:
DirectoryIndex index.html
<Files ~ ^index\.html$|^$>
<Limit GET HEAD>
Order Allow,Deny
Allow from all
</Limit>
</Files>
My server doesn't render any images under the cgi directory, I know that this is because apache is told to run every file under that directory as a cgi program.
I would like to adjust the settings to tell apache to run all the .cgi and .pl as cgi programs but run the rest of files as they should be.
For instance, if I go to example.com/x.gif from a browser I can see the image, but if I go to example.com/cgi-bin/x.gif I can't. (being the image in both dirs, of course, and with 775)
The problem is that I don't know how to tell that to apache, this is the httpd.include
<Directory /var/www/vhosts/example.com/httpdocs>
<IfModule mod_perl.c>
<Files ~ (\.pl$)>
SetHandler perl-script
PerlHandler ModPerl::Registry
Options ExecCGI
allow from all
PerlSendHeader On
</Files> </IfModule> <IfModule mod_python.c>
<Files ~ (\.py$)>
SetHandler python-program
PythonHandler mod_python.cgihandler
</Files> </IfModule> <IfModule mod_fcgid.c>
<Files ~ (\.fcgi)>
SetHandler fcgid-script
Options +FollowSymLinks +ExecCGI
</Files> </IfModule> <IfModule mod_fcgid.c>
<Files ~ (\.php)>
SetHandler fcgid-script
FCGIWrapper /var/www/cgi-bin/cgi_wrapper/cgi_wrapper .php
Options +ExecCGI
allow from all
</Files> </IfModule>
SSLRequireSSL
Options -Includes +ExecCGI
</Directory>
I found a solution.
As I said, apache is told to run every file under that directory as a cgi program. So are needed new rules to tell apache to use a default handler for those filetypes different from .php , .pl or .cgi:
<Directory /var/www/vhosts/example.com/httpdocs/cgi-bin>
<FilesMatch "^(?!.*\.(cgi|php|pl)$).*$">
SetHandler default-handler
</FilesMatch>
</Directory>
If you can't access the httpd.conf for any reason you still can do the trick with .htaccess adding this three lines to the .htaccess file of the cgi-bin folder:
<FilesMatch "^(?!.*\.(cgi|php|pl)$).*$">
SetHandler default-handler
</FilesMatch>
I have a directory where users can upload files.
To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.
Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().
What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:
SetHandler default-handler
However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?
Apache configuration
The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5, and creating the the file /etc/apache2/sites-enabled/mysite.com with the following contents:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName mysite.com
ServerAlias www.mysite.com
DocumentRoot /home/me/www/mysite.com/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/me/www/mysite.com/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Put this in your .htaccess:
<Files *>
# #mivk mentionned in the comments that this may break
# directory indexes generated by Options +Indexes.
SetHandler default-handler
</Files>
But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!
If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com
<Directory /home/me/www/upload/>
# Important for security, prevents someone from
# uploading a malicious .htaccess
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
<Files *>
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
</Directory>
If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:
/home/me/www/
|- myuploadscript.php
|- protected/
|- .htaccess
|- upload/
|- Uploaded files go here
That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.
AFAICT, you should be pretty safe with that.
My Godaddy setup wont allow me to edit the httpd.conf files, and the php_flag command doesn't work due to how they've implemented php for me.
I was able to use this in my .htaccess file:
SetHandler default-handler
AddType text/plain php
I put this in the directory above where my FTP user is allowed to access, which forces all PHP files in that directory, as well as all sub-directories to show php as plain text.
This will work for other file types as well. All you need to do is add another line with whatever extension of file you want to be forced to display in plain text. AddType text/plain cgi for example
I want to compile PHP code in specific .htm file, if file located at root directory of domain I can add
<Files file.htm>
AddType application/x-httpd-php5 .htm
</Files>
to .htaccess, but what should I do if file located at another directory(/sub/file.htm, for example)?
Maybe it could be done if your are using httpd 2.4 which has <if> supports
<If "%{PATH_INFO} =~ /.*\/sub\/(file|anotherfile|andanother)\.htm/">
AddType application/x-httpd-php5 .htm
</If>
Maybe you want to use the httpd.conf instead of .htaccess file. You could then use <Location>-directive in this case:
<Location /sub/file.htm>
AddType application/x-httpd-php5 .htm
</Location>
Note that if you want to use a regexp to match the location you need to write a ~ before the location or use the <LocationMatch>-directive.
E.g.:
<Location ~ "/sub/(file|anotherfile|andanother).htm">
AddType application/x-httpd-php5 .htm
</Location>
EDIT:
Another possible solution (also only in virtualhost-config) should be a combined <Directory> and <Files>-directive:
<Directory /sub>
<Files file.htm>
AddType application/x-httpd-php5 .htm
</Files>
</Directory>
Try FilesMatch:
<FilesMatch "file.htm$">
AddType ...
</Files>
It applies a regex to the filename, so this'll match any file path which has "file.htm" at the end. It'd apply to any file in any directory that ends with "file.html". Note that this would also match on "somefile.htm" and "/subdir/somefile.htm". If you've got other files in your site tree that could trigger this, you'll have to mod the regex to exclude them.