Use the RewriteEngine to direct away from a denied directory - apache

The setup
root/
.htaccess :
Deny from All
RewriteEngine On
RewriteRule secret.txt /root/public/welcome.txt
secret.txt
public/
.htaccess :
Allow from All
welcome.txt
The problem
A request to /root/secret.txt results in a 403 (Forbidden) response that tells me I have no access to /root/secret.txt. (A direct request to /root/public/welcome.txt is permitted.)
Thus, it seems to me that the RewriteEngine does nothing to a request that would be denied by a Deny from All directive.
The question
It would be nice if someone knows a way to get the expected /root/public/welcome.txt served. However, it would be nicer if someone could help me reach my eventual goal.
The goal
I decided to write down my eventual goal, because maybe I'm just looking in the wrong direction.
I would like to Deny from All in the root, and have subdirectories decide when to override that with an Allow. Then I would also like Apache to rewrite all requests that would result in a 403 or 404 to a single specific file. As of yet, I'm planning to do this with a !-U flag, but I can't get past my initial problem.

Yo may try this in the .htaccess file at root directory:
Deny from All
ErrorDocument 404 /Error403_404.php
ErrorDocument 403 /Error403_404.php
"Error403_404.php" is an example. Replace with the 403 and 404 error handler script.

Related

Redirect based on rules and error type htaccess

I have been trying to piece together my .htaccess file, I have not found a lot of information about what I am trying to accomplish or if I am over thinking it.
I am using the following to disable directory browsing it works but I would like to redirect it to a custom 404 error page I have created.
# Disable Directory Browsing
Options All -Indexes
Deny access to directories or files I am using the following
####
# Deny access to certain directories that SHOULD NOT be exposed.
####
RewriteRule ^error/ - [L,R=403]
RewriteRule ^assets/ - [L,R=403]
RewriteRule ^plugins/ - [L,R=403]
RewriteRule ^libraries/ - [L,R=403]
RewriteRule ^includes/ - [L,R=403]
RewriteRule ^bootstrap.php - [L,R=404]
all of these work as it should but I want to redirect to a custom error page in my script folder
example.com/errors/
All i have found is this
ErrorDocument 404 /errors/error-404.html
but have been unsuccessful in getting any of the errors redirected to the one I created.
Without seeing the actual response you are seeing or your full .htaccess file, my guess would be that you are blocking access to the /errors directory that contains your custom error documents. The error documents themselves need to be publicly accessible (although there are tricks you can employ to block access and serve an appropriate HTTP status code).
If you block access to the error document then Apache will fallback to the default Apache response with an additional message along the lines of:
Additionally, a "4xx/5xx error" error was encountered while trying to use an ErrorDocument to handle the request.

403 forbidden response still sends body

I set up my .htaccess file so that only certain IP ranges can access the /admin portion of my site, as asked in this question: Deny access to URI
That works... in testing. When I tried this on my live, https enabled, site something strange happened:
When I GET the /admin page, I receive a 403 Forbidden status code but I also get the body as if nothing happened.
How is that possible, and how do I fix it?
Here's the eventual .htaccess:
SetEnvIf Request_URI ^(?!/admin) not_admin_uri
Order deny,allow
Deny from all
Allow from 127.0.0.1
allow from 366.241.93.
allow from env=not_admin_uri
Also: if I remove the last allow rule it actually does block the request (though it then, of course, blocks all reguest)
The document for the 403 status code (which was 403.shtml) did not exist, in which case Apache apparently just executes the request.

Apache not processing encoded URLs with %3F

The problem url links to my website are of the form
/fullpage.php%3F%20cp3_Hex%3D0F0200%26cp2_Hex%3D000000%26cp1_Hex%3DFC2024
The un-encoded url is
/fullpadge.php?cp3_Hex=0F0200&cp2_Hex=000000&cp1_Hex=FC2024
Apache returns a:
403: You don't have permission to access /fullpage.php? cp3_Hex=0F0200&cp2_Hex=000000
I have tried the following rewrite rule
RewriteRule ^/fullpage.php%3F(.*)$ /fullpage.php?$1
to no avail
Any ideas
You are almost certainly getting a 403 error.
The error is caused because ? is a banned file/directory name character on Windows and Linux. This means when Apache attempts to find a file or directory named "/document/root/index.php?blah" (after decoding) and it causes a 403 error. This is before the .htaccess files are read so you cannot use mod_rewrite in the .htaccess file to override this 403 error or an ErrorDocument defined in the .htaccess file to catch this error.
The only way to catch %3f is to use mod_rewrite or an ErrorDocument in a "VirtualHost" e.g. in httpd-vhosts.conf (or the main server configuration if there aren't any "Virtualhost"s e.g. in httpd.conf).

htaccess <Directory> deny from all

I've been cleaning up my project lately. I have a main .htaccess in the root directory and 6 others. 5 of them ran Options -Indexes which i didn't see anypoint of allowing any Directory viewing so moved that to the main one. so now i only have 2 .htaccess files. the main and one in /system which holds
# Block External Access
deny from all
So i wanted to run that on /system only from within the main. So i deleted the one in /system and added
# Block External Access
<Directory "/system/">
deny from all
</Directory>
to my main .htaccess file leaving 1!
but now i get a
Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.
Please contact the server administrator, webmaster#localhost and
inform them of the time the error occurred, and anything you might
have done that may have caused the error.
More information about this error may be available in the server error
log.
Apache/2.2.17 (Ubuntu) Server at 10.0.1.5 Port 80
The goal is to block reading any files in /system and it's sub directory's but allow viewing of everything else all from one .htaccess file for the whole project. Any ideas on how i can fix this? I did some Google searches but couldn't really come out with anything.
You cannot use the Directory directive in .htaccess. However if you create a .htaccess file in the /system directory and place the following in it, you will get the same result
#place this in /system/.htaccess as you had before
deny from all
You can also use RedirectMatch directive to deny access to a folder.
To deny access to a folder, you can use the following RedirectMatch in htaccess :
RedirectMatch 403 ^/folder/?$
This will forbid an external access to /folder/ eg : http://example.com/folder/ will return a 403 forbidden error.
To deny access to everything inside the folder, You can use this :
RedirectMatch 403 ^/folder/.*$
This will block access to the entire folder eg : http://example.com/folder/anyURI will return a 403 error response to client.
You can use from root directory:
RewriteEngine On
RewriteRule ^(?:system)\b.* /403.html
Or:
RewriteRule ^(?:system)\b.* /403.php # with header('HTTP/1.0 403 Forbidden');

How do I force Apache to simply redirect the user and ignore the directory structure?

Ok, so this problem recently arose and I don't know why it is happening; it's actually two problems in one...
0. My .htaccess file, for reference. (EDITED)
Options -Indexes +FollowSymLinks
RewriteEngine On
RewriteBase /
ErrorDocument 400 /index.php?400
ErrorDocument 401 /index.php?401
ErrorDocument 403 /index.php?403
ErrorDocument 404 /index.php?404
ErrorDocument 410 /index.php?410
ErrorDocument 414 /index.php?414
ErrorDocument 500 /global/500.php
RewriteCond %{HTTP_HOST} !^$ [NC]
RewriteRule .* index.php [L]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(.*\.)?(animuson)\.(biz|com|info|me|net|org|us|ws)/.*$ [NC]
RewriteRule ^.*$ - [F]
1. My 'pictures' folder is following the hard path instead of the redirect.
I have no idea WHY it is doing this. It's really bugging me. The 'pictures' folder is a symbolic link to another place so that I can easily upload files to that folder without having to search through folders and such via my FTP account, but that's the only thing I use it for. However, when I visit http://example.com/pictures my htaccess sees it as accessing that other folder, which is restricted, and throws a 403 error rather than redirecting to index.php and displaying the page like normal.
I figured it has something to do with that specific folder being a symbolic link causing it to act oddly, but I have determined that my rules are not being applied to folders at all. If I visit folders such as 'css' and 'com' which are folders in the web root, it displays a 404 error page and adds the '/' to the end of the URL because it's treating it as a directory. It also does the same 403 error for my 'images' directory which is set up in the same fashion.
So, the question here is how do I modify my RewriteRule to apply to the directories as well? I want everything accessed via the web to be redirected back to index.php while maintaining the full access path in the address bar, why is it not working? (I'm pretty sure it was working fine before.)
Here's a small chart to show the paths they're following...
example.com/pictures -> pictures/ -> /home/animuson/animuson-pictures -> 403
example.com/com -> com/ -> 404
example.com/test -> index.php
example.com/ -> index.php
example.com/images -> images/ -> /home/animuson/animuson-images -> 403
example.com/css -> css/ -> 404
EDIT: Following information added.
Apache is processing the structure of the directory first. It's determining if the path exists based on what was typed into the address bar. If someone types in a folder name that happens to exist, it will redirect the user to the path with the "/" at the end of the URL signifying that it's a directory. For the 'pictures' directory explained above, the user does not have permission to access that folder so it is redirecting them to a 403 Access Denied page rather than simply showing the page that is supposed to be displayed there via the RewriteRule above. My biggest question is why is Apache processing the directory first and how do I make it stop doing that? I would really love an answer to this question.
2. Why is my compression not working? (EDIT: This part is fixed.)
When analyzing my site through a web optimizer, it keeps saying my page isn't using web compression, but I'm almost 100% positive that it was working fine before under the same settings. Can anyone suggest any reasons why it might not be working with this set up or suggest a better way of doing it?
Where is this .htaccess file situated? At the root or in the pictures directory?
1) You're using Options -Indexes which will deny access to directory listings. This is handled by /index.php?403 which in turn will redirect to /403. (I confirmed this by manually going to /index.php?403) I don't see any other rules in the posted .htaccess that are supposed to affect this. So this either happens because either index.php or some other .htaccess file or server rule makes that redirect.
You might also want to check the UNIX file permissions of the directory in question.
2) According to this aptimizer, http://www.websiteoptimization.com/services/analyze/, compression is indeed enabled for html, js and css files, as specified in the rules. My bet is that the optimizer is being stupid and does one of these three things:
1)) Complaining about images not being compressed. (It's generally a bad idea to compress images because they're typically already compressed and the extra CPU load typically isn't worth it since the net gain is so small. So your rules are OK in this regard.)
2)) It might think that DEFLATE doesn't count as compression, and wants you to use GZip.
3)) It might also react to the externally included StatCounter js file, which is not compressed. (And there's not much you can do about that.)
After a while of deliberating on Apache's IRC channel, I was finally able to figure out the real reasoning behind this on a fluke. I just happened to be looking at the directory structure using ls -l and noticed that all of the symbolic links had somehow has their permissions changed to animuson:animuson from the root:root original. I tried to run a simple chown root:root on them and it had no effect, so I deleted them all and recreated them and the problem has gone away. I don't really have any idea why the permissions made any different in this scenario but the solution worked and everything is okay now. I've also added a DirectorySlash Off to my .htaccess file to get rid of the slashes after folders that exist, just to make it look all that much nicer.