Deny from all folders except /index.php and two folders - apache

This is an odd configuration, I'll give you that, but I'm looking to deny access to all folders in our system but it must be able to access,
/index.php (Wordpress bootloader)
/wp-*/* (e.g. wp-content, wp-admin, etc.)
/templates/* (some of our templates and custom content)
Everything else is denied (and there are hundreds of folders).
The problem I have is allowing index.php and 2 folders and then denying everything else inside /.
I should be able to accept,
http://example.com/
http://example.com/index.php
http://example.com/wp-content/...
http://example.com/wp-admin/...
http://example.com/wp-includes/...
http://example.com/templates/template.css
http://example.com/templates/subfolder/js/file.js
and reject,
http://example.com/thisIsAFolder
http://example.com/thisIsAnotherFolder
This is what I have,
<VirtualHost *:80>
ServerName example.com
DirectoryIndex index.php
DocumentRoot /var/www/
<Directory />
Order deny,allow
Deny from all
</Directory>
<Files index.php>
Allow from all
</Files>
<Directory "/var/www(/|/wp*/|/templates/)">
Allow from all
Options FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) wp/$2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ wp/$2 [L]
RewriteRule . index.php [L]
</Directory>
</VirtualHost>
But I continually receive Red Hat Enterprise Linux Test Page (using CentOS) and it allows for sub-directories because I allow /.
EDIT
This is the Apache config that ended up working for me. Big thanks to Jon Lin for the help.
<VirtualHost *:80>
ServerName example.com
DirectoryIndex index.php
DocumentRoot /var/www/
# first, deny all access
<Directory />
Order deny,allow
Deny from all
</Directory>
# then start to allow access where required
<Files index.php>
Allow from all
</Files>
<Directory "/var/www/">
Allow from all
Options FollowSymLinks
RewriteEngine On
RewriteBase /
# go directly to index.php if it is accessed
RewriteRule ^index\.php$ - [L]
# re-write URL for wp-admin access
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
# re-write wp-* access to route through wp/
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) wp/$2 [L]
# re-write all .php files to route through wp/
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ wp/$2 [L]
# go directly to real files and directories
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
# respond to all other URLs by passing them through index.php
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
# deny access if URL doesn't start with these
RewriteCond %{REQUEST_URI} !^/(index\.php)?$
RewriteCond %{REQUEST_URI} !^/wp-[^/]+/
RewriteCond %{REQUEST_URI} !^/templates/
RewriteRule ^ - [L,F]
</Directory>
</VirtualHost>

You could try adding:
RewriteCond %{REQUEST_URI} !^/(index\.php)?$
RewriteCond %{REQUEST_URI} !^/wp-[^/]+/
RewriteCond %{REQUEST_URI} !^/templates/
RewriteRule ^ - [L,F]
right before:
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
The problem here though, is that permalinks will probably break, because a request like: /posts/post-title/ will not match an of the "allowed" URI's. If that's a problem, then move it to right before this line:
RewriteRule . index.php [L]

Related

Subfolder .htacess not overriding parent .htacess options

I have an .htacess on the root of my domain to redirect all traffic to index.php
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
#redirect http to https, remove www
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#remove index.php from link
RewriteRule ^index.php$ - [L]
#redirect to index
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
#remove direct access to all *.php except index.php
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
Everything works as expected, traffic is redirect, when files exists show file.
now i have an admin folder /admin/ with and index.php and api.php
i can open the /admin/ and /admin/index.php but the /admin/api.php redirects to /index.php
i tried to put an .htaccess inside the /admin/ like this:
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine Off
RewriteEngine On
#redirect http to https, remove www
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
but getting the same results. /admin/ opens, but /admin/api.php redirects to index
found the problem/solution.
needed to add to the .htaccess inside the /admin/
<Files *>
Order Allow,Deny
Allow from all
</Files>

Symfony 4 in subdirectory

I did install Symfony 4 on a subdirectory of my wamp localhost. My project is named "cardMaker".
I've a .htaccess file to redirect towards the public directory (index.php) :
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule "^$" public/ [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . srcAngular/index.html [L]
</IfModule>
That works. But, when I open http://localhost/cardMaker/, I have this:
How can I set the base url ?
Here at https://symfony.com/doc/current/setup/web_server_configuration.html they say:
# If you run your Symfony application on a subpath of your document root, the
# regular expression must be changed accordingly:
# ProxyPassMatch ^/path-to-app/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/project/public/$1
Add the symfony app as an alias. Configure your apache httpd.conf file:
Alias /cardMaker "C:/Csi\CsiWorkspace/cardMaker/public"
<Directory "C:/Csi\CsiWorkspace/cardMaker/public">
AllowOverride All
Options Indexes FollowSymLinks
Require all granted
DirectoryIndex index.php index.html
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule cache/ - [F]
RewriteBase /symfonytest
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ ./index.php [L]
</IfModule>
</Directory>
Notice the use of RewriteBase for the alias cardMaker
This config (with php-fpm) currently works for me:
Apache: 2.4
Symfony: 3.4.44
<Directory /var/www/example.local>
Options Indexes FollowSymLinks
Allow from all
AllowOverride None
Require all granted
Order deny,allow
Deny from all
</Directory>
Alias /cardMaker /var/www/example.local/cardMaker/public
<Directory /var/www/example.local/cardMaker/public>
DirectoryIndex index.php
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
RewriteRule .* - [E=BASE:%1]
RewriteCond %{HTTP:Authorization} .+
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]
RewriteCond %{ENV:REDIRECT_STATUS} =""
RewriteRule ^index\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ %{ENV:BASE}/index.php [L]
</IfModule>
<IfModule !mod_rewrite.c>
<IfModule mod_alias.c>
RedirectMatch 307 ^/$ /index.php/
</IfModule>
</IfModule>
</Directory>
ProxyPassMatch ^/cardMaker(.*\.php(/.*)?)$ fcgi://php:9000/var/www/example.local/cardMaker/public$1

how set mod_rewrite by ip all pages

i use friendly url names like myservice/controller/action/key/value/key/value etc. Everything is ok when i am running my server on remote hosting. But now i tried run server on my linux and i have a access by ip. My mod_rewrite rules doesn't work. Could someone tell me how can i change this ?
my old rules working on remote hosting with domain
rewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
Options +FollowSymLinks -Indexes -MultiViews
And this is my new rules not working
rewriteEngine On
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.104$
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
Ok i tried many times and this rules works fine
rewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
Options +FollowSymLinks -Indexes -MultiViews
But in vhost in apache2/available-sites i had to add
<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
Thanx for help

htaccess mod rewrite and slash after index.php

I have following .htaccess file:
RewriteEngine on
RewriteBase /
RewriteCond $1 !^(index\.php|images|css|js|robots\.txt|favicon\.ico)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ ./index.php/$1 [L,QSA]
but perhaps because of apache update to version 2.4.23 this one stopped working and browser returns message file not found.
I found out, that URL
example.com/auth/login
searches for index.php under {document_root}/auth/login directory and not directly in {document_root} and therefore it's not working. Putting directly %{DOCUMENT_ROOR} variable before index.php doesn't work, it looks like apache thinks, that document root is the one taken from URL.
How can I rewrite it to index.php with whole path put after index.php?
EDIT
I'm using fcgi and this is my vhost file:
<Directory "/Users/pogo/Development/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
<VirtualHost *:8080>
ServerName dh
ServerAlias *.dh
VirtualDocumentRoot "/Users/pogo/Development/www/%-2.0.%-1/%0/www"
DirectoryIndex index.html index.php
RewriteEngine On
<FilesMatch \.php$>
SetHandler "proxy:unix:/usr/local/var/run/php5/php5-fpm.sock|fcgi://localhost"
</FilesMatch>
</VirtualHost>
You can use this rule:
AcceptPathInfo On
Options +FollowSymLinks
RewriteEngine on
RewriteCond $1 !^(index\.php|images|css|js|robots\.txt|favicon\.ico) [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L,QSA]
Notice /index.php instead of ./index.php

rewritecond not working for existing files

I have a problem with mod rewrite apache seems to ignore the rewrite cond.
The rewrite rule is working as all my pages are working but the problem is with resources like css, imgs and js. In my html I use "href=assets/css/style.css" which is an existing file but i i am redirected on my index.php...
Is there something i did wrong ?
here is my vhost config
<VirtualHost *:*>
ServerAdmin me#local.loc
DocumentRoot "c:/wamp/www/Covoiturage"
ServerName covoiturage.loc
ErrorLog "logs/covoiturage-error.log"
CustomLog "logs/covoiturage-access.log" combined
<directory c:/wamp/www/covoiturage/>
Allow from all
AllowOverride all
</directory>
</VirtualHost>
here is my htaccess :
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/$ /$1 [R=301,L]
RewriteRule ^ index.php [L]
You are adding RewriteCond to wrong RewriteRule. RewriteCond only in effect to very next RewriteRule. Try this code:
RewriteEngine On
## Unless directory, remove trailing slash
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/$ $1 [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]