htaccess preventing "<script>" in url and hex script - apache

I am working with htaccess and I want to secure my website from attacks/injections of scripts in the URL. I want to deny access to my site, record their IP address and deny them, so that if they run their script it will stop it and close their browser. Is it possible? From experience, I have been using htaccess to hide the extension name of the pages that I have made. Help with this one would really be great.
And also this code, which redirects:
Redirect 301 / http://www.newdomain.com

Sure, there's a way to use a .htaccess file to detect whether <script> is in the URL and redirect them if so, but hopefully that's not your only line of defense. If you start blocking <script>, then maybe they'll start using <script > or <img onload=""> or, or, or… oh dear. The point is that filtering attacks is insufficient; instead, let them submit whatever data they want (even if it appears malicious), but prevent it from doing any harm by escaping appropriately.
That said, a RewriteRule like this might do it:
RewriteRule <script> http://www.example.com/ [L,R]
To log it, you could have .htaccess not do the redirect but rather route the request to some server-side script which logs it and then redirects. Alternatively, you could just filter the access log yourself.
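The access-log filtering mentioned above, as an added example that is not part of the original answer: it percent-decodes each request target repeatedly, so hex-encoded and double-encoded forms are caught, and counts flagged requests per client IP. The function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log prefix: client IP ... "METHOD target PROTOCOL"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')
# Any tag-like markup in a URL ("<script", "<script >", "<img ..."); a triage
# heuristic for review, not an input filter.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]', re.I)


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so %3C and double-encoded %253C both become '<'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def suspicious_requests(lines):
    """Yield (client_ip, decoded_target) for log lines whose URL carries markup."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, _method, target = m.groups()
        decoded = fully_decode(target)
        if MARKUP_RE.search(decoded):
            yield ip, decoded


def hits_by_client(lines):
    """Count flagged requests per client IP."""
    return Counter(ip for ip, _ in suspicious_requests(lines))


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /themizer/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 734',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=%253CScRiPt%2520%253E HTTP/1.1" 200 734',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /page?x=%3Cimg%20onload%3D%22%22%3E HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, count in hits_by_client(SAMPLE_LOG).most_common():
        print(ip, count)
```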

Related

Manipulate user's address bar with mod_rewrite

I have a page at example.com/themizer.php, but I want it to appear that it's actually located at example.com/themizer/ (or example.com/themizer/index.php) for all practical purposes. I know how to basically make an alias for it with mod_rewrite, but how do I make it appear that users are being redirected to that alias? Example: a user requests example.com/themizer.php and the address in their browser turns into example.com/themizer/ without actually redirecting. Is this possible?
With server-sided configuration, you can only accomplish this with a redirect. This does not necessarily need to be a problem. Just make sure that the URLs on your site point to the fancy URL and not to the internal URL. Otherwise you generate a lot of requests that have to be redirected, instead of just redirecting the odd request that came in another way (e.g. through an external old URL or old bookmark). You do it like this:
#External redirect
RewriteCond %{THE_REQUEST} ^GET\ /themizer\.php\ HTTP
RewriteRule ^themizer\.php$ /themizer/ [R,L]
#Internal rewrite
RewriteRule ^themizer/?$ themizer.php [L]
If you really must, you can use javascript to 'push' a new window state into the history, updating the address bar. This causes the "go to previous page" button in your browser to contain bogus though. In other words: Going to the previous page does not work as expected, which I would not recommend since there is a better option available. You can do it with the following javascript statement in browsers that support it:
window.history.pushState( null, document.title, "/themizer" );

Multiple Domains to Display Content from Landing Pages on Another Domain

We have created a bunch of landing pages on a Joomla CMS system, such that the URL for each landing page is www.domain.com/page1.html and www.domain.com/page2.html, and so on. Of course, page1.html isn't really an HTML file; it is a dynamic CMS page, just rewritten with htaccess.
The goal is to have one of our other domains, something like www.uniquedomain1.com show the content of www.domain.com/page1.html. Or, another domain like www.uniquedomain2.html show the content of www.domain.com/page2.html.
This needs to be search engine friendly so we can't use URL masking. Also we can't use HTACCESS redirects as this actually changes the URL in the browser bar. Need to keep the www.uniquedomain1.com URL in the browser bar.
Tried Apache VirtualHost options without any luck. You can park in a directory but not from a URL.
Ended up parking the domains on one folder, and then creating a PHP script to detect the domain host and then use CURL to query the correct url and deliver content. This whole thing seems ridiculously over complicated, and of course CURL isn't the best option, but it is all we could get to work.
Any thoughts on how to do this, or a better solution?
You can use HTACCESS redirect rules to do it without performing a redirect.
Change the HTML file names to be the domain name of the desired domain, like domain.tld, and do something like this in an .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(?:www\.)?([a-z0-9\.-]+\.[a-z]+) [NC]
RewriteRule ^$ /%1.html [L]
A quick test of this worked for two of my test (sub)domains test.domain.tld and test2.domain.tld. Both properly redirected to files with the names test.domain.tld.html and test2.domain.tld.html without modifying the URL.
You could also just use your PHP wrapper script to grab the content of each of the miscellaneous html files and output them.
If you renamed all of your HTML files (as in my previous suggested answer) to be domain.tld.html you could do it fairly easily. Something might look like:
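<?php
// Include <host>.html for the requested host. With UseCanonicalName Off,
// SERVER_NAME comes from the client's Host header, so it is request-controlled input.
require($_SERVER['SERVER_NAME'] .'.html');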

How to setup wild card 301 redirect that will remove URL parameters from index.php

OK, I previously had some issues setting up a wildcard redirect to strip parameters from an old URL format that were non-SEO-friendly to our root. With the help of Stack Overflow we've got it corrected and working, but now I am experiencing issues with index.php?
I'm seeing tons of duplicate URLs in the engines using this URL format index.php?cPath=# and Google is stressing me because they think it's duplicate index pages.
I tried setting up this redirect in our htaccess but no go. It won't strip out the parameters or redirect it just duplicates the page with a valid 200 response.
RewriteRule ^index.php/.*$ /? [R=301,NE,NC,L]
I want to redirect anything with index.php?cPath=# to our root domain. Any ideas on how I can tackle this 301 redirect using mod_rewrite on Apache?
I've also just noticed that our site has another issue with this url format:
domain.com/?cPath=#...
So now I also need to write a rewrite for domain.com/?cPath=#. I don't know where this one popped up from, but I can see it's going to cause issues, hence the valid 200 response code it gives. The engines are really going to love me for this one.

Understanding difference between redirect and rewrite .htaccess

I'd like to understand the difference between redirecting and rewriting a URL using .htaccess.
So here's an example: Say I have a link like www.abc.com/index.php?page=product_types&cat=88 (call this the "original" url)
But when the user types in abc.com/shoes (let's call this the "desired" url), they need to see the contents of the above link. To accomplish this, I would do this:
Options +FollowSymLinks
RewriteEngine on
RewriteBase /
RewriteRule ^(.*)shoes(.*)$ index.php?page=product_types&cat=88
Nothing wrong with this code and it does the trick. However, if I type in the original url in the address bar, the content comes up, but the url does not change. So it remains as www.abc.com/index.php?page=product_types&cat=88
But what if I wanted the desired url (/shoes) to show up in the address bar if I typed in www.abc.com/index.php?page=product_types&cat=88? How would this be accomplished using .htaccess? Am I running into a potential loop?
Some of the explanation can be found here: https://stackoverflow.com/a/11711948/851273
The gist is that a rewrite happens solely on the server, the client (browser) is blind to it. The browser sends a request and gets content, it is none the wiser to what happened on the server in order to serve the request.
A redirect is a server response to a request, that tells the client (browser) to submit a new request. The browser asks for a url, this url is what's in the location bar, the server gets that request and responds with a redirect, the browser gets the response and loads the URL in the server's response. The URL in the location bar is now the new URL and the browser sends a request for the new URL.
Simply rewriting internally on the server does absolutely nothing to URLs in the wild. If google or reddit or whatever site has a link to www.abc.com/index.php?page=product_types&cat=88, your internal server rewrite rule does absolutely nothing to that, nor to anyone who clicks on that link, or any client that happens to request that URL for any reason whatsoever. All the rewrite rule does is internally change something that contains shoes to /index.php?page=product_types&cat=88 within the server.
If you want to make it so a request is made for the index.php page with all of the query strings, you can tell the client (browser) to redirect to the nicer looking URL. You need to be careful because rewrite rules loop and your redirect will be internally rewritten, which will cause a redirect, which will be internally rewritten, etc., causing a loop that will throw a 500 Server Error. So you can match specifically to the request itself:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\?page=product_types&cat=88
# The trailing "?" drops the original query string from the redirect target
RewriteRule ^/?index\.php$ /shoes? [L,R=301]
This should only be used to make it so links in the wild get pointed to the right place. You must ensure that your content is generating the correct links. That means everything on your site is using the /shoes link instead of the /index.php?page=product_types&cat=88 link.

Prevent users from accessing files using non apache-rewritten urls

May be a noob question but I'm just starting playing around with apache and have not found a precise answer yet.
I am setting up a web app using url-rewriting massively, to show nice urls like [mywebsite.com/product/x] instead of [mywebsite.com/app/controllers/product.php?id=x].
However, I can still access the required page by typing the url [mywebsite.com/app/controllers/product.php?id=x]. I'd like to make it not possible, ie. redirect people to an error page if they do so, and allow them to access this page with the "rewritten" syntax only.
What would be the easiest way to do that? And do you think it is a necessary measure to secure an app?
In your PHP file, examine the $_SERVER['REQUEST_URI'] and ensure it is being accessed the way you want it to be.
There is no reason why this should be a security issue.
RewriteCond %{REDIRECT_URL} !^/app/controllers/product.php$
RewriteRule ^app/controllers/product.php$ /product/x [R,L]
RewriteRule ^product/(.*)$ /app/controllers/product.php?id=$1 [L]
The first rule will redirect any request to /app/controllers/product.php with no REDIRECT_URL variable set to the clean url. The Rewrite (last rule) will set this variable when calling the real page and won't be redirected.