How to make files only accessible to scripts? / Innacessable Directly? - apache

I've spent all day looking for a solution on how to make files inaccessible directly, but still accessible to scripts.
All answers I've found lead me in round about loops.
This may be useful to someone.
If anyone has a better solution,
Please Post.
Here is the one I have found.
How to make files only accessible to scripts ( Including Client Side Scripts? ) / Innacessable Directly (IE: Through URL)?
Turn on mod_rewrite
in .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !http://*************
RewriteCond %{HTTP_REFERER} !http://*************
RewriteRule ^ - [L,F]
Type in your domain in the ******
Use Https if needed.

If by "direct" you mean file access from a browser, then you can require that an HTTP client presents a custom header, e.g. X-Access: authorized_script so it can't be easily sent from a browser.
This answer discusses how it's done with Apache.

Related

htaccess deny from http

I know how to use the apache rewrite engine to redirect http requests to https
However, for the task at hand (an app exchanging data with the server via https) what we actually want is for http requests to simply be denied. I have tried the following but it does not work
​Deny from %{HTTPS}=off
Is there a way to do this?
You cannot simply take parts of directives and scrumble them together somehow. You need to obey the syntax of those directives, otherwise the engine cannot make sense of them. And will throw an internal syntax error.
Two things you need to do:
You need to start monitoring your http server's error log file. That is where you can see those errors. You cannot implement web logic without monitoring that file in your development environment . And you definitely should look into it in your production environment too from time to time.
You should start to read the documentation of the tools you are using. The apache http server project is a good example for the high quality of open your products: it offers an excellent documentation that is precise and comes with lots of great examples. Start with the documentation of the rewriting module: https://httpd.apache.org/docs/current/mod/mod_rewrite.html
This would be a suggestion to implement the logic you have in mind:
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^ - [F]
Other variants are possible, for example:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^ - [F]

Exception for rewriting every php file

RewriteCond %{REQUEST_FILENAME} !\.(png|jpg|jpeg|gif|svg|zip|xml|json|html|txt)$
RewriteRule ^(.*)$ index.php [L,QSA]
This works perfectly, but I want to except the one file I use as a GET endpoint.
I tried:
RewriteRule /assets/get_endpoint\.php - [L,QSA]
But that didn't work... I'm still getting rerouted to the "index.php".
AND the php file will definitely consist of GET parameters as well.
e.g.
www.example.com/assets/get_endpoint.php?date=2019-12-21&location=Paris
The .htaccess only consists of those two lines ( and the third ).
This should be really easy but I can't figure it out. Thanks so much for your help!
This probably is what you are looking for:
RewriteEngine on
RewriteRule ^/?assets/get_endpoint\.php$ - [END]
RewriteCond %{REQUEST_URI} !\.(png|jpg|jpeg|gif|svg|zip|xml|json|html|txt)$
RewriteRule ^/?(.*)$ /index.php [END]
I also made a few other optimizations once on it :-)
In case you receive an internal server error (http status 500) using the rule above then chances are that you operate a very old version of the apache http server. You will see a definite hint to an unsupported [END] flag in your http servers error log file in that case. You can either try to upgrade or use the older [L] flag, it probably will work the same in this situation, though that depends a bit on your setup.
This implementation will work likewise in the http servers host configuration or inside a dynamic configuration file (".htaccess" file). Obviously the rewriting module needs to be loaded inside the http server and enabled in the http host. In case you use a dynamic configuration file you need to take care that it's interpretation is enabled at all in the host configuration and that it is located in the host's DOCUMENT_ROOT folder.
And a general remark: you should always prefer to place such rules in the http servers host configuration instead of using dynamic configuration files (".htaccess"). Those dynamic configuration files add complexity, are often a cause of unexpected behavior, hard to debug and they really slow down the http server. They are only provided as a last option for situations where you do not have access to the real http servers host configuration (read: really cheap service providers) or for applications insisting on writing their own rules (which is an obvious security nightmare).

.htaccess redirects if the condition doe not match/ negative condition

I am modifying the .htaccess file of a legacy PHP web application. I am not familiar with apache .htaccess syntax. I found this tutorial. What I am trying to do is that I am trying to redirect all the requests to a URL/ path if the request URL is not a specific URL/ path. For example, all the requests to the website will be redirected to localhost/my-custom-page unless the request URL is localhost/my-custom-page.
I know how to redirect mapping 1 to 1 as follows:
RewriteEngine on
RewriteRule ^my-old-url.html$ /my-new-url.html [R=301,L]
But, what I am trying to do is that redirecting all the requests to the specific page unless the request is to that page. Even the home page will be redirected to that page. How can I do that?
When I tried the following solution
RewriteEngine on
RewriteCond %{REQUEST_URI} !/my-new-url\.html
RewriteRule ^ /my-new-url.html [R=301]
I get the error
I want to check using OR condition as well. For example, if the path is not path-one or path-two, redirect all the requests to path-one.
Your question is a bit vague, due to your wording. But I assume this is what you are actually looking for:
RewriteEngine on
RewriteCond %{REQUEST_URI} !/my-new-url\.html
RewriteRule ^ /my-new-url.html [R=301]
In case you receive an internal server error (http status 500) using the rule above then chances are that you operate a very old version of the apache http server. You will see a definite hint to an unsupported [END] flag in your http servers error log file in that case. You can either try to upgrade or use the older [L] flag, it probably will work the same in this situation, though that depends a bit on your setup.
It is a good idea to start out with a 302 temporary redirection and only change that to a 301 permanent redirection later, once you are certain everything is correctly set up. That prevents caching issues while trying things out...
This rule will work likewise in the http servers host configuration or inside a dynamic configuration file (".htaccess" file). Obviously the rewriting module needs to be loaded inside the http server and enabled in the http host. In case you use a dynamic configuration file you need to take care that it's interpretation is enabled at all in the host configuration and that it is located in the host's DOCUMENT_ROOT folder.
And a general remark: you should always prefer to place such rules in the http servers host configuration instead of using dynamic configuration files (".htaccess"). Those dynamic configuration files add complexity, are often a cause of unexpected behavior, hard to debug and they really slow down the http server. They are only provided as a last option for situations where you do not have access to the real http servers host configuration (read: really cheap service providers) or for applications insisting on writing their own rules (which is an obvious security nightmare).
RewriteCond %{REQUEST_URI} !/my-new-url\.html
RewriteRule ^ /my-new-url.html [R=301]
There are a few potential issues with this, particularly since you hint in a comment that you are perhaps using a front-controller to "route" the URL.
This redirect satisfies the conditions outlined in the question, but does assume that you have no other rewrites, have an essentially "static site" and are not linking to any static resources.
You are missing an L (last) flag, so processing will continue through the file and possibly be rewritten if you have later rewrites.
If you are rewriting the URL to a front-controller in order to route the URL (as you suggest in comments) then this redirect will break, as it will redirect away from the front-controller. You need to only redirect direct requests, ie. when the REDIRECT_STATUS environment variable is empty.
If you are linking to any static resources in the same file space then these will also be redirected. You need to create an exception for any static resources you are using, either by file extension (eg. (css|js|jpg|png)) or by location (eg. /static).
So, try the following instead:
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{REQUEST_URI} !\.(js|css|jpg|png)$
RewriteRule !^my-custom-url$ /my-custom-url [R=302,L]
You don't need a separate condition to implement the exception for the URL you are redirecting to. It is more efficient to do this directly in the RewriteRule pattern.
The first condition ensures we are only redirecting direct requests and not rewritten requests to your front-controller.
The second condition avoids any static resources also being redirected. You could alternatively check the filesystem path if all your resources are stored under a common root. Or, as a last resort, implement filesystem checks (ie. RewriteCond %{REQUEST_FILENAME} !-f) if your static resources are too varied - but note that this is less efficient.
You will need to clear your browser cache before testing, since any earlier (erroneous) 301s are cached persistently by the browser.

Apache 301 redirect with get parameters

I am trying to do a 301 redirect with lightspeed webserver htaccess with no luck.
I need to do a url to url redirect without any related parameters.
for example:
from: http://www.example.com/?cat=123
to: http://www.example.com/some_url
I have tried:
RewriteRule http://www.example.com/?cat=123 http://www.example.com/some_url/ [R=301,L,NC]
Any help will be appreciated.
Thanks for adding your code to your question. Once more we see how important that is:
your issue is that a RewriteRule does not operate on URLs, but on paths. So you need something like that instead:
RewriteEngine on
RewriteRule ^/?$ /some_url/ [R=301,L,NC,QSD]
From your question it is not clear if you want to ignore any GET parameters or if you only want to redirect if certain parameters are set. So here is a variant that will only get applied if some parameter is actually set in the request:
RewriteEngine on
RewriteCond %{QUERY_STRING} (?:^|&)cat=123(?:&|$)
RewriteRule ^/?$ /some_url/ [R=301,L,NC,QSD]
Another thing that does not really get clear is if you want all URLs below http://www.example.com/ (so below the path /) to be rewritten, or only that exact URL. If you want to keep any potential further path component of a request and still rewrite (for example http://www.example.com/foo => http://www.example.com/some_url/foo), then you need to add a capture in your regular expression and reuse the captured path components:
RewriteEngine on
RewriteRule ^/?(.*)$ /some_url/$1 [R=301,L,NC,QSD]
For either of this to work you need to have the interpretation of .htaccess style files enabled by means of the AllowOverride command. See the official documentation of the rewriting module for details. And you have to take care that that -htaccess style file is actually readable by the http server process and that it is located right inside the http hosts DOCUMENT_ROOT folder in the local file system.
And a general hint: you should always prefer to place such rules inside the http servers host configuration instead of using .htaccess style files. Those files are notoriously error prone, hard to debug and they really slow down the server. They are only provided as a last option for situations where you do not have control over the host configuration (read: really cheap hosting service providers) or if you have an application that relies on writing its own rewrite rules (which is an obvious security nightmare).

.htaccess rewrite root to folder, yet block direct urls to same folder

I've been researching and trying for a week to accomplish this, but I haven't been able to find my solution. I'm sure it's possible, but I'm just not an expert in the depths of voodoo magic.
The setup:
An installation of MantisBT located in
mysite.com/mantisbt/currentver/mantis-1.3.19
When I perform an upgrade, I want to archive all old versions and old
database dumps to /mantisbt/oldversions/ to keep things tidy.
I also have other utilities and pages in various subdirectories, for
instance "mysite.com/utils"
The goal:
I want users to type in mysite.com/ (root) and have the URL rewritten
(transparently) to /mantisbt/currentver/mantis-1.3.19/ so that they
don't see my directory structure and it looks like the mantisbt app is
located in the root directory.
I also want protection from anyone trying to directly access a
subdirectory beginning with "/mantis". For instance, if
someone directly types mysite.com/mantisbt/currentver/mantis-1.3.19/
into their browser, I want them redirected back to the root directory
so they access the site from root just like everyone else.
I also need to allow my other subdirectories like mysite.com/utils to
be accessible if I type in the full path to them.
The biggest problem I've encountered is that Apache loops through your .htaccess file again every time the URL changes. So I get stuck in these rewrite loops. I've tried looking at every possible tool that Apache offers, but I'm seriously outgunned here. I could provide examples of what I've tried, they're obviously not correct, but ask me and I can post them.
You'd be far better off altering the DocumentRoot in your httpd.conf, and mapping in the utils directory, via a Location directive. It will be far cleaner, and Apache won't have to do some trickery with every request.
Anyway something along the following lines should work.
# Stop direct access
RewriteCond %{HTTP_REFERER} !mysite.com [NC]
RewriteRule /?mantisbt/currentver/mantis-1.3.19 / [NC,L,R=301]
# Internally Rewrite everything apart from /utils to /mantisbt/mantis-1.3.19/
RewriteCond %{HTTP_REFERER} !mysite.com [NC]
RewriteCond %{REQUEST_URI} !/utils [NC]
RewriteRule .* /mantisbt/currentver/mantis-1.3.19%{REQUEST_URI} [L]