htaccess deny from *.ru or deny from .ru - apache

I am aware that blocking by host extension can cause unwanted server load but which is correct? For example...
deny from *.ru
or
deny from .ru

It's deny from .ru, according to the Apache 2.2 mod_authz documentation, which says the host syntax is identical to Allow. They provide an example:
Allow from apache.org
Allow from .net example.edu

Related

https works after comment out deny from all, but will there be any security problem?

I'm now working on installing certification of our website to https. I've tried for a few days until I found one forum post which took note of deny from all, which will block the access. So I commented out deny from all and now it works, but will there be any issue on the security side? Below is the configuration used; are there any websites that I can refer to for related commands?
<Directory "${INSTALL_DIR}/www/abc">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 localhost ::1
</Directory>
The Deny from all directive does exactly what it says it does: it blocks all requests, regardless of their origin. Ironically, the next line permits access if and only if the request originated from the same IP address, so this might be the safest configuration you can have, provided you don't mind having the most useless server of all time.
You only want to use the Deny from all to prevent access to the filesystem, otherwise it blocks all incoming requests, as you noticed. Then you specifically allow access only to the directories where you plan on serving files from, like so:
# Make the server filesystem completely off-limits
<Directory "/">
# Do not permit .htaccess files to override this setting
AllowOverride None
# Deny all requests
Require all denied
</Directory>
<Directory "${INSTALL_DIR}/www/abc">
# If you want directories to be allowed to override settings
AllowOverride All
# Let people actually access the server content
Require all granted
</Directory>
<Files ".ht*">
# Make sure .htaccess file (which contain server configurations and
# settings) are completely off-limits to anyone accessing the server,
# even if they are in a directory that is otherwise accessible.
Require all denied
</Files>
As far as the security of the server is concerned, the best advice I would give you is just make sure sensitive files and passwords are not stored in a directory accessible by the server. Even passwords in php files are not safe, because if a malignant actor is able to disable the php engine somehow, the file will be served in plain-text, with all of the sensitive information right there.
The best method of circumventing this is to create a configuration file outside the server root directory and use a SetEnv directive to define the variable.
SetEnv DATABASE_USERNAME "KobeBryantIsBetterThanJordan24"
SetEnv DATABASE_PASSWORD "LebronJamesIsAlsoPrettyGood107"
Then you can use something like this to get the variables into your php scripts without ever exposing the information in plaintext.
<?php
// Read the values Apache injected into $_SERVER through SetEnv.
// FILTER_SANITIZE_STRING is deprecated since PHP 8.1; FILTER_DEFAULT returns the raw value.
$username = filter_input(INPUT_SERVER, 'DATABASE_USERNAME', FILTER_SANITIZE_STRING);
$password = filter_input(INPUT_SERVER, 'DATABASE_PASSWORD', FILTER_SANITIZE_STRING);
define('DATABASE_USERNAME', $username);
define('DATABASE_PASSWORD', $password);
Last but not least, make sure you add phpinfo to the disable_functions setting in your php.ini file, as that would immediately expose the password.

How to do apache htaccess ban by ip with the some exception?

P.S.: Sorry, and please be lenient with my English.
I have a situation where some IPs must be blocked, and the better way for this in my mind is htaccess, because I have many entry points. It's easy and works fine...
I do:
<Files *>
Order allow,deny
deny from aaa.aaa.aaa.aaa/aa
deny from bbb.bbb.bbb.bbb/bb
Allow from all
</Files>
BUT! There is one more thing. I have a few devices which should be allowed access even if they come through the denied IPs.
I can't install any module for Apache. So I need some simple way to decide it.
Can someone give me some ways or tricks for it?
You need some way of identifying those devices, then you can add an environment variable to set up an exception and use access control by environment variable. For example, if you can do it by user-agent:
SetEnvIf User-Agent SpecialUA UAException=1
<Files *>
# Deny,Allow: every client is allowed unless a Deny matches, and a matching
# Allow overrides that Deny, so the flagged devices get through the blocked ranges.
Order deny,allow
Deny from aaa.aaa.aaa.aaa/aa
Deny from bbb.bbb.bbb.bbb/bb
# Allowing by environment variable uses the env= form. There is deliberately no
# "Allow from all" here: under Deny,Allow it would override every Deny above.
Allow from env=UAException
</Files>
See also SetEnvIf. I am linking to Apache 2.2 docs since you are using the old syntax which has been updated in 2.4.

How to block access to a particular route in .htaccess file

I need to block access to a particular route in my web application using a .htaccess file for everyone except a list of IPs. When I say block and whitelist IPs, I want to use the following on a particular route
order deny,allow
deny from all
allow from 1.1.1.1
allow from 2.2.2.2
I tried using the Location directive, but it is not allowed in .htaccess.
I do not have access to the server config file since it is a managed hosting provider.
The route I want to block is, e.g., http://www.example.com/route1
Is there a way?
Thanks for the help in advance
You can definitely achieve this using multiple methods.
.htaccess files:
<Files route1>
order deny,allow
deny from all
allow from my.ip.address
</Files>
If you are looking at whitelisting multiple IPs I would suggest the following method:
<Files myfile.php>
order deny,allow
deny from all
allow from env=allowip
# X-Forwarded-For is a request header: it is only trustworthy when a proxy in
# front of this server overwrites it; otherwise the client controls its value.
#Office 1
#132.11.32.222
SetEnvIf X-FORWARDED-FOR "^132\.11\.32\.222" allowip
#Office 2
#142.11.32.222
SetEnvIf X-FORWARDED-FOR "^142\.11\.32\.222" allowip
</Files>

How to add .htaccess rules inside <VirtualHost> or inside the httpd.conf file

A short explanation of what I'm doing is: I need to automatically create virtualhosts for each ip address on my machine, make it point to the vsftpd user directory (/home/xxx) and deny any kind of scripts from being executed.
I want to stop any kind of webpages and especially PHP scripts from being executed, because it would pose a huge security risk (apache is sudo). The purpose of this virtualhost is purely to serve game resource files, extensions like .wav, .mdl, .tga, .spr and so on.
I searched around and found this
deny from all
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Allow from all
</FilesMatch>
But this is .htaccess content. How can I implement this functionality of only allowing certain extensions inside my httpd.conf file? It would be a pain to make it use .htaccess, and a risk because users might edit them.
Please refrain from any comments unrelated to my question, such as "sudo apache? you're a dumbass" and so on.
There is no such thing as .htaccess-only content. This is a huge misconception. Most of the time you do NOT want to use .htaccess, and Apache recommends that you not use it unless necessary. Apache rules can always be put in the server config.
When not to use .htaccess
Now you can put that in your VirtualHost directive. The same location where your document root is defined.
The FilesMatch directive can be used in these contexts.
Context: server config, virtual host, directory, .htaccess
http://httpd.apache.org/docs/current/mod/core.html#filesmatch
So in your vhost file you can add a Directory directive like this example.
<Directory /path/to/documentroot/>
Deny from all
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Allow from all
</FilesMatch>
</Directory>
If you are using Apache 2.4 then you need to use Require.
<Directory /path/to/documentroot/>
Require all denied
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Require all granted
</FilesMatch>
</Directory>

Denying Access to Particular IPs on Apache

One of my websites is being continuously attacked by spammers originating from a certain set of countries.
There are four culprit IPs that are proving to be a nuisance.
I have tried using the mod_access utility of Apache and have the following lines added to my .htaccess
<Limit GET POST>
order allow,deny
Allow from all
deny from 201.xx.xx.xx
deny from 202.xx.xx.x
deny from 201.xx.xx.xx
deny from 201.xx.xxx.xx
</Limit>
However, for some reason, the spammers are still able to access my site and the spam continues from the said IPs.
Can anyone tell me where exactly I am going wrong?
Just remove the limit
order allow,deny
deny from 201.xx.xx.xx
deny from 202.xx.xx.x
deny from 201.xx.xx.xx
deny from 201.xx.xxx.xx
allow from all
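Several of these answers hinge on how Order, Allow and Deny combine. The following is an added Python model, not code from any of the posts, that re-implements the Apache 2.2 mod_authz_host evaluation for one client and runs it over the localhost-only block from the HTTPS question, the spam blocklist above, the SetEnvIf exception, and the .ru host-suffix question. Client addresses and hostnames are constructed from documentation ranges, and partial-IP prefixes such as "10.1" are not modelled.

```python
import ipaddress

def _matches(pattern, ip, host, env):
    """Does one Allow/Deny argument match this client? Mirrors the
    Apache 2.2 mod_authz_host forms: all, IP or CIDR, host suffix, env=NAME."""
    if pattern.lower() == "all":
        return True
    if pattern.startswith("env="):          # variable set earlier by SetEnvIf
        return pattern[4:] in env
    try:  # full IP or CIDR block (partial prefixes such as "10.1" are not modelled)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass
    # Host patterns (".ru", "apache.org") compare whole labels against the client's
    # reverse-DNS name, so they only mean something if that lookup is trusted.
    h = (host or "").lower().rstrip(".")
    dom = pattern.lower().strip(".")
    return bool(h) and (h == dom or h.endswith("." + dom))

def decide(order, allow, deny, ip, host=None, env=()):
    """True if the client is admitted under the given Order/Allow/Deny set."""
    allowed = any(_matches(a, ip, host, env) for a in allow)
    denied = any(_matches(d, ip, host, env) for d in deny)
    o = order.replace(" ", "").lower()
    if o == "allow,deny":    # default deny; a matching Deny always wins
        return allowed and not denied
    if o == "deny,allow":    # default allow; a matching Allow always wins
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)

# Constructed addresses (documentation ranges); 198.51.100.0/24 plays the blocked range.
BLOCKED_RANGE = "198.51.100.0/24"

def local_only(ip):   # Order Deny,Allow / Deny from all / Allow from 127.0.0.1 ::1
    return decide("Deny,Allow", ["127.0.0.1", "::1"], ["all"], ip)

def blocklist(ip):    # the spam answer once <Limit> is gone: allow all, deny the range
    return decide("allow,deny", ["all"], [BLOCKED_RANGE], ip)

def ua_exception_wrong(ip, env=()):   # Order allow,deny: Deny still wins despite the flag
    return decide("allow,deny", ["env=UAException", "all"], [BLOCKED_RANGE], ip, env=env)

def ua_exception(ip, env=()):         # Order deny,allow: the flag overrides the Deny
    return decide("deny,allow", ["env=UAException"], [BLOCKED_RANGE], ip, env=env)

def ru_blocked(ip, host):   # Deny from .ru matches whole labels, never "example.ruby.net"
    return decide("allow,deny", ["all"], [".ru"], ip, host=host)
```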