So I am able to block specific subdomains like this:
SetEnvIfNoCase Referer knownsub\.sorryspammer\.com sorryspammer
<Location />
Order Allow,Deny
Allow from all
Deny from env=sorryspammer
</Location>
which does successfully block visits to any site on my server that come from the referrer, knownsub.sorryspammer.com
So now, I am getting visits from referrers like 1.sorryspammer.com, 2.sorryspammer.com, 8.sorryspammer.com, 22.sorryspammer.com, etc., and I need to set an environment variable to block any subdomain coming from the referrer domain sorryspammer.com.
I know I need to set the same basic rule for the environment variable but with a wildcard for the subdomain part. I've tried a couple of things, most recently this:
SetEnvIfNoCase Referer (.*)\.sorryspammer\.com sorryspammer
but I am still getting visits from referrers from subdomains on sorryspammer.com. I know I'm missing something real simple. Any help is appreciated. Not sure if it matters, but keep in mind that this is not going in an .htaccess file but is going in the httpd.conf file to apply the rules server wide.
Related
I have an Apache 2.2 set up with LDAP Authorization, which is working fantastically as expected, and have also made it so that I can bypass Authentication when accessing it locally.
Allow from localIP hostnameA hostnameB, etc...
If I curl from the server, I don't get any Auth Required. So all good and working as expected.
What I need now is to make one particular URL to also bypass authorisation.
I have tried all the usual solution of using SetEnvIf;
SetEnvIf Request_URI "^/calendar/export" bypassauth=true`
Allow from env=bypassauth IP_ADDRESS HOSTNAME_A HOSTNAME_B
But this is just not working!!
Local access is still unrestricted, but remotely it is not (no change there)
If I dump out my server environment variables on that URL's script, I can see my bypassauth variable is being passed.
I just cannot for the life of me figure out why the Allow from env=bypassauth part is not working, while it still obeys the additional directive parameters.
I also tried another suggestion, using the Location directive;
<Location /calendar/export>
Satisfy Any
Allow from all
AuthType None
SetEnv WTF 123
</Location>
Again, I can see my new environmental variable (WTF) appear on this URL (when I dumped the server envs in the script), so I know that the SetEnv and SetEnvIf directives are working.
Is there anything I'm missing (any Apache2.2 quirks?), as all the solutions I've seen so far just are not working. It's as if my Allow from changes are having no effect after restarting Apache. I'm starting to feel my sanity slip.
Is there also a particular order when writing the directives for Satisfy Any, Order allow, deny and the Auth* directives, which might be effecting this?
Finally managed to figure it out!! :)
Seems my url was being processed by mod_rewrite (my environmental variable being prefixed by REWRITE_ should have rung alarm bells), which according to this post https://stackoverflow.com/a/23094842/4800587, the mod_rewrite is performed AFTER our SetEnvIf and Allow directives.
Anyway, long story short; I used the rewritten/final URL and the Location section to bypass authentication using the Allow any directive. So I changed...
<Location "/calendar/export">
Allow from all
</Location>
to..
<Location "/calendar/index.php/export">
Allow from all
</Location>
which is the final URL (after rewrite), and now works.
On a Codeigniter application I want to limit http post request size (in bytes) with limitRequestBody htaccess directive. Since all requests are written to index.php this setting affects to all form submissions. That is problematic. What I really want is limit post size to certain urls. For example, if I have two urls, like below
mysite.com/member/login
mysite.com/contact
I only want to apply this setting only to the mysite.com/member/login. Not for mysite.com/contact
I tried with apache's LocationMatch and IF Directives to specifically target the url but unfortunately none of it worked. Instead server went into a redirect loop.
<LocationMatch "^/member/login">
limitRequestBody 128
</LocationMatch>
<If "%{REQUEST_URI} ^/member/login">
limitRequestBody 128
</If>
Is there anything wrong with the above approach? Syntax? or any other way to get this done?
I want exampleapp.com/clientapp/ to execute the index.php in /usr/local/apache/htdocs/clientapp.
This stackoverflow question outlines something similar to what I want to do: https://stackoverflow.com/a/8454/173630
I'm having some trouble getting this working. Here's the start of my VirtualHost setup:
<VirtualHost exampleapp.com:80>
DocumentRoot /home/platform/src/serverapp/public
RewriteEngine On
Alias /clientapp/ "/usr/local/apache/htdocs/clientapp"
<Directory "/usr/local/apache/htdocs/clientapp">
FallbackResource index.php
<IfModule mod_suphp.c>
suPHP_UserGroup nobody nobody
</IfModule>
</Directory>
RewriteRule ^/clientapp/(.*)$ /clientapp/$1 [PT]
I'm using Apache 2.2.22. I know this is kind of a confusing setup -- the reason I'm doing this is to avoid cross-domain AJAX requests from clientapp to serverapp.
With this configuration I'm not getting any errors, it's just falling through to the server app.
Update
The problem was that I had a BasicAuth set up on /usr/local/apache/htdocs/clientapp, and the password wasn't being prompted for when visiting exampleapp.com/clientapp/ and it was just silently failing. I took off the BasicAuth for now, which gets it to work.
After trying a few things out, it looks like this is just mod_alias being retarded and either blindly mashing together file-path and URI-path or mistaking the file-path (/usr/local/apache/htdocs/clientapp) for a URI-path (not sure how). Either way, you can do one of two things, it looks like.
Add a trailing slash to your file-path:
Alias /clientapp/ "/usr/local/apache/htdocs/clientapp/"
Remove the trailing slash from your URI-path:
Alias /clientapp "/usr/local/apache/htdocs/clientapp"
Both seems to do the trick, but I would suggest doing the second option, as it would match requests for exampleapp.com/clientapp (no trailing slash), and mod_dir will properly recognize it as a directory and redirect you to exampleapp.com/clientapp/. Whereas if you go with first option, going to exampleapp.com/clientapp would just give you a 404 (or something in the document root ends up handling it).
Change <Directory ...>...</Directory> to <Location /clientapp>...</Location> and keep everything inside it.
basically i have a web server set up where all sites are in /var/www but i want to be able to do development in ~/public_html/sitename so i set userdir's up in apache but the links still goto the /var/www directories pages.
I know i could go in and change all the links, but i think an htaccess would be easier.
So my question is, is it possible to say:
We have a folder in my public_html on home which is accessed via example.com/~jackyyll/project
I want all requests from that project to be redirected to ~/jackyyll/project/request_here
I've tried some things in the .htaccess but nothing is working.
Thanks
If you don't want to use mod_userdir, a simple AliasMatch can do the trick. Here is what I use to map www.kylheku.com/~kaz/ to /home/kaz/public-www/, et cetera, straight from my httpd.conf:
# /~user/blah goes to /home/user/public-www/blah
AliasMatch ^/~([a-z]+)/(.*) /home/$1/public-www/$2
# /~user and goes to /home/user/public-www/
AliasMatch ^/~([a-z]+)$ /home/$1/public-www/
AliasMatch has some capabilities resembling mod_rewrite, except, just like Alias what it does is it takes URL's coming into the server and maps them to paths. The output is not re-injected into the request processing chain. Any URL mapped by Alias or AliasMatch bypasses the VirtualHost-s and their docroots. It's like a special exception mechanism.
The .htaccess in the user's public-www directory works just fine. I have RewriteRules there and other cruft.
Of course, this is a lot simpler than mod_userdir. It maps all possible usernames to all possible userdir directories, whether or not they exist. mod_userdir has more bells and whistles, like restricting which users have a userdir, and alternative userdirs certain users.
I'd like to restrict access to some URIs, but they do not physically match a clearly identified resource.
I explain : if you ask http://domainname/admin, you do not strictly go to the admin dir, you go to a script, with some params; and this script can also be used in other contexts.
So, i'd like to make something like folder access restriction, but based on the URI asked for, not on the actuel resource (cause the /admin folder exists, of course :D).
How could i do that ?
TIA
In .htaccess Add the rewrite rule:
RewriteRule ^admin - [F,L]
This will deny access to paths starting with admin.
Use <Location>/</Location> tags in your httpd.conf (or whatever it's called this week), insert any access restrictions between the tags. For instance
<Location /admin>
Order deny,allow
Deny from all
Allow from localhost, admins-workstation.example.com
</Location>