Troubles with apache - 403 while trying to protect everything but index.php - apache

What I want:
Protecting all files/folders but the index.php.
Apache:
Apache/2.4.2 (Win32) OpenSSL/1.0.1c PHP/5.4.4
Running as Service (xampp 1.8)
Not modified
My project structure
URL: "http://localhost/MyProject/"
PROJECT_DIRECTORY C:/xampp/htdocs/MyProject/
The project directory looks like:
config (folder)
ressources (folder)
sources (folder)
index.php
Problem:
I am having troubles with my .htaccess file as I do always receive a 403 or even a 500 Error.
I tried different settings to achieve the goal but none of these worked. I tried Directory, DirectoryMatch, Files, FilesMatch etc.
But I think it should be as easy as:
# Activate rewrite engine
RewriteEngine on
RewriteBase /
# Redirect all requests to index.php
RewriteRule ^(.*)$ index\.php?/$1 [QSA]
# Deny from all
Order deny,allow
Deny from all
# Allow only index.php
<Files "index.php">
Allow from all
</Files>
Or something like this:
...
# Deny from all
<Directory />
Order deny,allow
Deny from all
</Directory>
# Allow only root dir
<Directory "/MyProject" />
Allow from all
</Directory>
May someone can help me with this?
EDIT: I recently found out, that I cannot use the tag as the .htaccess is valid for the directory I put it in, so there is no need to define that directory inside .htaccess. This did not solve my problem but I know that the second example is wrong.

You can try this:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(index\.php)$
RewriteRule ^ - [L,F]
This will let requests for / and /index.php pass through while responding with a 403 Forbidden for anything else.
However, you've got this rule already:
# Redirect all requests to index.php
RewriteRule ^(.*)$ index\.php?/$1 [QSA]
So you don't really need to deny anything if everything is already being routed through index.php

Related

htaccess restrict access to index.php only

I was writing a .htaccess file for my PHP script.
This should only allow access to the index.php, cronjob.php and execute.php pages.
I wrote the .htaccess file as follows:
# Set default index file
DirectoryIndex index.php
# Disable indexing
Options -Indexes
# Set "403 Forbidden" as the default server behavior
Order Deny,Allow
Deny from all
# Allow requests to core PHP files
<FilesMatch "(index|execute|cronjob)\.php$">
Allow from all
</FilesMatch>
# If mod_rewrite module exists...
<IfModule mod_rewrite.c>
RewriteEngine On
# ...restrict access to PHP private directories
RewriteRule (^|/)logs(/|$) - [F]
RewriteRule (^|/)utils(/|$) - [F]
RewriteRule (^|/)modules(/|$) - [F]
</IfModule>
The main problem with this code is that https://example.com/ returns 403 Forbidden,
while https://example.com/index.php works.
You could put condition to check if a URI is NOT having either index.php OR cronjob.php or execute.php then forbid that page so else other pages will be forbid apart from these 3 php uris.
Please make sure you clear your browser cache before checking your URLs.
RewriteEngine ON
RewriteCond %{REQUEST_URI} !(index|cronjob|execute)\.php [NC]
RewriteRule ^ - [F]
In the end I managed to get it to work, I don't know if it's the best .htaccess possible, but this is what I ended up with:
# Set default index file
DirectoryIndex index.php
# Disable indexing
Options -Indexes
# Set "403 Forbidden" as the default server behavior
Order Deny,Allow
Deny from all
# Allow requests to core PHP files
<FilesMatch "^((index|execute|cronjob)\.php)?$"> # Basically, it accepts the three PHP files and the empty string.
Allow from all
</FilesMatch>

How to use DAV and DirectoryIndex in Apache 2.4?

In my apache configuration I have a virtual host configured like this:
Alias /mediamanager /storage/files/mediamanager
<Directory /storage/files/mediamanager>
DirectoryIndex /mediaManagerIndex.php
DAV On
# ... And some authentication directives ... #
</Directory>
The idea is that someone can access the files both by a WebDAV-Client and also a simple web browser in which case some pretty directory view is generated by a PHP script.
That worked great in Apache 2.2, but recently I upgraded to Apache 2.4 and now it is broken. I highly suspect I I suffer from this bug which is already 2 years old and no fix in sight. The proposed workaround to add:
<Limit PROPFIND>
DirectoryIndex never-encounterable-file-name.html
</Limit>
Does not work for me. Probably because I still want to have a directory index. If I remove my DirectoryIndex altogether WebDAV works again (no index.html or similar files exists in this directory) but of course I loose the ability to use my PHP file as directory index. I tried to specify my DirectoryIndex in a <Limit GET> but this had no effect.
Is there any way to get both DAV and DirectoryIndex to work simultaneously in Apache 2.4 on Debian (if anyhow possible without changing the source code and recompiling)?
In order to fix this, disable directory indexing for the WebDAV site.
In your sites-available/site.conf file add DirectoryIndex disabled to the <Directory> declaration, like so:
<Directory /path/to/my/webdav/dir>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Require all granted
DirectoryIndex disabled
</Directory>
Then just reload Apache and you will no longer have that issue:
sudo service apache2 reload
For me, the following configuration solved both problems:
WebDAV works again
directory indexing, if the user uses a web browser to access the repository
It works by manually implementing the directory-indexing feature with simple rewrite rules, which are applied only for the GET request method.
The following code has to be placed inside the server config or virtual host context in the apache configuration file.
# Turn off (automatic) Directory-Indexing
DirectoryIndex disabled
RewriteEngine On
# Rewrite rules for the root directory
RewriteCond "%{REQUEST_METHOD}" "(GET)"
RewriteRule "^/$" "/index.php" [L]
# Rewrite rules for other sub-directories
RewriteCond "%{REQUEST_METHOD}" "(GET)"
# The following line checks, if the index.php file exists
RewriteCond "%{DOCUMENT_ROOT}/$1/index.php" "-f"
RewriteRule "^/(.*)/$" "/$1/index.php" [L]
Don't forget to reload Apache!
This is the solution I am currently using, located in a .htaccess file at the root of the directory tree used by the WebDav service. In this case I do not use PHP, only html files, but it can be easily adapted:
# Turn off automatic directory indexing
Options -Indexes
DirectoryIndex disabled
# Redirect directory requests to index.html, only for GET requests
RewriteEngine On
RewriteCond %{REQUEST_METHOD} "GET"
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)$ $1index.html [L]
In order to launch always the requested PHP file, just replace "index.html" on the last line by the PHP file name:
RewriteRule ^(.*)$ $1mediaManagerIndex.php [L]

Why is the RewriteBase not working?

Here is what I am trying to do:
domain is thinkingmonkey.me
domain has 127.0.0.1 as IP addr
mod_alias is installed.
I have a conf file called directories.conf. In which I have all the configuration pertaining to directories. directories.conf is included in httpd.conf
My directories.conf has
Alias /runs /xhprof/xhprof_html
<Directory /mysite/xhprof/xhprof_html>
Order allow,deny
Allow from all
AllowOverride All
</Directory>
In /mysite/xhprof/xhprof_html/.htaccess. I have the following:
RewriteEngine on
RewriteBase /runs
RewriteRule .* index.php
All I am trying to do is to direct any request under /mysite/xhprof/xhprof_html/ to index.php.
When I request for thinkingmonkey.me/runs with no trailing slashes I get 404 not found.
So, I infer that RewriteBase is not working.
What am I doing wrong?
Alias requires a tailing slash. Nothing to do with RewriteBase.
You could use a rewrite rule to add the slash when needed though. Something like:
RewriteRule ^run$ /run/ [R=301,L]
Put this rule in the htaccess in the root of your server (not in /xhprof/xhprof_html)

Making pretty permalinks work in WAMP

I am not able to switch to pretty permalinks in WAMP. Changing to any form other than default gives 404 error.
I have switched on the rewrite_module in Apache. I Googled the problem and found that following changes should be made to httpd.conf file. My httpd.conf file stands as
<Directory />
Options Indexes FollowSymLinks
AllowOverride All
Order deny,allow
Deny from all
</Directory>
I also checked that the .htaccess file is getting created. It reads as
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /vit%20web/events/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /vit%20web/events/index.php [L]
</IfModule>
# END WordPress
All you need to do is turn on the mod_rewrite in the wamp settings tab.
Click Wamp -> Apache -> Apache Modules -> rewrite_module
If you select that then turn on %postname% it should work
Did you reboot Apache after editing httpd.conf?
A bulletproof check for mod_rewrite is to remove the <IfModule>...</IfModule> tags and try running WordPress - if you get a 500 Server Error, mod_rewrite isn't installed.
Also I would recommend changing <Directory /> to <Directory "C:/path/to/server/root"> (note the forward slashes too, even on Windows).
And the deny order should be switched if you're only on a development server;
Order allow,deny
Allow from all
The problem may be:
Whenever you have permalinks in subfolder of your main www folder (i.e.
RewriteBase /subdirectory/
you may need to have a .htaccess file in your main c:\wamp\www folder too.

Redirect Using htaccess

I am trying to redirect /folder to / using .htaccess but all am I getting is the Apache HTTP Server Test Page.
My root directory looks like this:
/
.htaccess
-/folder
-/folder2
-/folder3
My .htaccess looks like this:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/folder/
RewriteRule ^(.*)$ folder/$1 [L]
What am I doing wrong? I checked my httpd.conf (I'm running Centos 5.3) and the mod_rewrite library is being loaded. As a side note, my server is not a www server, its simply a virtual machine so its hostname is centosvm.
Addition: I have found that the mod_rewrite module is loaded, but none of my .htaccess redirects seem to be working.
Addition: My httpd.conf directory directive looks like:
<Directory />
Options FollowSymLinks
#AllowOverride None
</Directory>
What does you AllowOverride say? (see: http://httpd.apache.org/docs/2.0/howto/htaccess.html)
And that would bring us to requiring this in (virtual)host/directory settings:
AllowOverride FileInfo