I have a website hosted in /var/www/thesite (apache server), it's a Symfony2 website so inside this folder I have a web folder to which my virtual host is pointing.
So my virtualhost is www.mysite.com -> /var/www/thesite/web
In this web folder I have a .htaccess to format URL nicely.
Now, I've added an API in /var/www/thesite/api, the API is implemented using Silex.
I want to redirect all request http://www.mysite.com/api to this new framework.
So I've added in /var/www/thesite/web/.htaccess
RewriteCond %{REQUEST_URI} ^/api
RewriteRule ^api(.*)$ ../api/web/index.php [NC,QSA,L]
But I get:
Bad Request
Your browser sent a request that this server could not understand.
I'm not sure if I can access parent folder in the .htaccess. I don't want to change my virtualhost target directory to avoid security breach.
How can I solve this issue?
You can't route a request to outside of the site's document root, which is /var/www/thesite/web. So you can't access /var/www/thesite/ or /var/www/thesite/api from inside the /var/www/thesite/web directory. The 400 Bad request is because of the ../api/ bit of your rule's target.
Something you can try doing is just using php to include/require the api's index.php:
RewriteRule ^api/(.*)$ /index_api.php [L]
And in the index_api.php you can include or require the "../api/web/index.php" file.
Related
I have a website(angular) hosted on a apache server and i want to deny access to some path for security purposes
The website is currently organized like this
index.html
polyfills.js
scripts.js
main.js
package.json
styles.css
assets
configuration
configuration.json
styles
images
I want to rescrict url access to configuration.json , package.json
I tried to add a rule in my .htaccess for testing
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /myapp/
RewriteRule ^index.html$ -[L]
RewriteRule ^refresh.html$ -[L]
# added rule
RewriteRule (^|/)configuration.json(/|$) - [F]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.html [L]
</IfModule>
It correctly forbids the usage of path /myapp/assets/configuration/configuration.json but it prevents also other resources (like main.js and polyfills.js) to use the configuration file which i dont' want because i can't access to the website anymore due to errors in browser console
I want only forbid direct url access
Browser console log
polyfilles.js : GET http://xxxx/myapp/assets/configuration/configuration.json 403 (Forbidden)
main.js : ERROR () => new Error('Error retrieving configuration file. ' + error)
How can i avoid this ?
Thank you very much
You can't block a resource from client access if it needs to be accessed from the client (using JavaScript). So, what you are asking is not really possible without restricting all client access (eg. user/password authentication), but then any authenticated users can still access these files.
You could prevent "casual" direct access by customising the client-side request with a custom HTTP request header and check for this header in .htaccess and block otherwise. However, this depends on how these files are currently being called as it will require an update to your JS code.
For example, when requesting package.json or configuration.json you also send an HTTP request header like X-Custom-Header: some-value.
In .htaccess you can block requests that don't have this header (or it is not the correct value). For example:
RewriteCond %{HTTP:X-Custom-Header} !^some-value$
RewriteRule (^|/)(package|configuration)\.json$ - [F]
This only prevents casual direct access, ie. someone types the URL directly into the browser address bar. Since the file is still downloaded to the browser, the user can still read the file in the browser (dev tools). The header can also be easily faked if someone is so inclined. So, this doesn't provide any real security.
Instead of sending a custom HTTP request header, you could perhaps check the Referer header (if this is being set for such requests). However, this is less reliable as the browser can be configured not to send the Referer header. And again, this is easily faked.
I have a React application hosted on my server and I need to always load index.html file for every request users make.
Let's say that I have a website that has the address xyz.com, and the root directory contains the React build files, including this index.html file. There are many routes that users can specify to access to certain parts of the website, for example to register on the website they can access xyz.com/register. So, what I want to accomplish is instruct server to always serve this index.html every time users access my site, even though they are visiting different routes of the website.
So I'm assuming that this is something that I can set up in the .conf file for the website, and if it is, can you please let me know how I can achieve it?
You can use the below rewrite rule.
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/index.html$
RewriteRule .* /index.html [L,R=302]
I have a standard .htaccess RewriteRule that silently rewrites any request for webroot into a subfolder which contains a MantisBT installation. So the user types in "example.com" and my server secretly serves them files from "example.com/path/to/mantisbt".
The problem now is that MantisBT's index page immediately does some authentication based logic routing and sends a 302 redirect to the FULL "example.com/path/to/mantis/login", which subverts my rewriting. I'm trying to have everyone access my MantisBT installation as if it resided in the webroot.
Now, I'm aware that after MantisBT's 302 redirect to the full path, I could redirect them AGAIN back to webroot. But redirecting people twice every time MantisBT goes through some routing logic seems like a dirty hack. I also know that I could hack up the MantisBT code, but I hate re-hacking code every time a new version comes out.
So, is there a way to trick MantisBT (or any other app for that matter) into thinking it resides in root, and therefore crafts it's redirect paths based on a webroot-relative url? For example: "example.com/login" instead of "example.com/path/to/mantis/login".
I'd really prefer to resolve this using an Apache .htaccess method, or httpd.conf change. Perhaps DocumentRoot or RewriteBase?
Try adding this rule above the internal rewrite rule that you had before
RewriteCond %{THE_REQUEST} \ /+path/to/mantisbt/([^\?\ ]*)
RewriteRule ^ /%1 [L,R]
this redirects the browser when the browser directly requests anything in /path/to/mantisbt/. Then the rule that you already have to internally rewrite into the mantisbt directory would take effect.
I have disabled the browsing of content by using
Options -Indexes
Now I want to disable directly access of assets(images and videos) by hitting url directly for any project that is present in htdocs folder.
My webserver is Apache Tomcat.
I am accessing the content from a project in apache using a url.
The URL should serve the content in JSP/HTML files deployed in Apache Tomcat. But should be blocked if hacker finds the URL from page source and put the URL in browser.
Thanks in advance.
you have two solutions
1) create a .htacess file and set rules
2) store your protected file somewhere outside the web root folder and acess them using php or any other language.
2nd one is recommended. you can only access your files through server side codes(php,...). Crete a file handling script and check permissions when accessing.
To go with .htaccess file you need to have something like..
Try following:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
Returns 403 if you access image directly, but allows them to be displayed on site.
Change localhost to the server/domain name of yours.
NOTE: it is possible that when you open some page with image and than copy that image's path into the address bar you can see that image, it is only because of the browser's cache, in fact that image has not been loaded from the server
I have a domain like example.com where root directory is web.
I have created a subdomain happy.example.com where directory is outside web folder called happy and connected it to happy.example.com.
My webpage tree looks like
happy
web/images
So all my images for root directory are stored in (web/images)
example.com/images
So a full path to an image can be
example.com/images/me.png
Now i have created a sudbdomain which i call:
happy.example.com
What i would like to do is if i type
happy.example.com/images/me.png
then i should be able to see the picture.
So somehow i need to link all images folder to a subdomain from root directory in web.
I hope you guys got my question.
I guess i shoud have an htaccess file with all funny stuff in happy folder?
Cheerz
Since the two document roots of your two domains aren't connect to each other (one inside the other, or the same), you'll need to either redirect or proxy, or, use a script.
To redirect is easiest, but it'll change the URL in the browser's location bar:
Redirect 301 /images http://example.com/images
or using mod_rewrite:
RewriteEngine On
RewriteRule ^images/(.*)$ http://example.com/images/$1 [L,R=301]
To proxy, you need to have mod_proxy loaded, which isn't always the case if you're using a webhost or hosting service. But you can use the P flag in mod_rewrite to do this:
RewriteEngine On
RewriteRule ^images/(.*)$ http://example.com/images/$1 [L,P]
The last option is to route all image request to a script, like a php script or something. And the script itself returns the image:
RewriteEngine On
RewriteRule ^images/(.*)$ /load_image.php?image=$1 [L]
then you'd have something like:
<?php
header("Content-type: image/jpeg");
readfile('../web/images/' . $_GET['image']);
?>
Obviously, you'd need to check the extension and return the correct content type depending on the image type.