Modifying apache to prevent public accessibility of .git folder - apache

I read here that the ".git folder is at the root level of the web site, and is probably publicly accessible. To protect the folder and prevent unwanted clones of the repository, add the following to your top-level .htaccess file to forbid web access:"
# deny access to the top-level git repository:
RewriteEngine On
RewriteRule \.git - [F,L]
First of all, THANKS Joe Maller!
In my virtual host file i have the RewriteEngine On command with the following specs:
<VirtualHost *:80>
...
RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule (.*) https://www.mydomain.com/ [R]
</VirtualHost>
Could i just add the git rewrite rule following the rewrite rule for ssl like so:
<VirtualHost *:80>
...
RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule (.*) https://www.mydomain.com/ [R]
RewriteRule \.git - [F,L]
</VirtualHost>
Thanks!

That should work. It's easy to test to make sure, though. Just try to browse to http://www.mydomain.com/.git and see if it works.

Related

Force to SSL maintaining the URL

I don't have much experience with VHOST and SSL, I tried lot of possibilities but none of them is working.
I have a website with 2 folders:
www.example.com/userpage
www.example.com/adminpage
If I go to www.example.com, my loginsystem automatically redirect to www.example.com/userpage.
If I want to go to the admin section, I have to write manually www.example.com/adminpage.
Now I switched to SSL, and everything is working if I type https://....
But I cannot understand how to force the redirect from http to https.
I wrote this in my apache vhost file:
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs"
ServerName example.com
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com
RewriteCond ${HTTPS} !=on
RewriteRule (.*) https://example.com/$1 [R=301,L]
</VirtualHost>
But it's not working.
How can I manage it?
If I write www.example.com/adminpage it have to redirect me to https://www.example.com/adminpage.
Actually it should work for every subfolder, if for example I send an email to a user saying "hey user, please check your account www.example.com/user/check_account.php?userid=14125114
it have to then redirect it to automatically:
https://www.example.com/user/check_account.php?userid=14125114
so it should work for every page and every subfolder.
Thank you for your suggestions
Should be quite simple. Replace this block:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com
RewriteCond ${HTTPS} !=on
RewriteRule (.*) https://example.com/$1 [R=301,L]
With this:
Redirect permanent "/" "https://example.com/"

Stop virtualhost rewrite rules executing if a rule was matched in the global config

I have the following setup.
Apache running with a separate VirtualHost file for each site.
Each of these has their own set of rewrite rules, for http to https for example which is all running fine.
What we would like to happen is this, from the global config we need to be able to check if a request is for a particular subdirectory. If it is then we should allow this request to process as it should but at that point we do not want the individual virtual host file rewrite rules to kick in. Therefore allowing this directory to be served on non https connections and not be redirected to https.
I have set up the rewrite rules and can match on the directories and redirect to an external url if it matches from the global which shows its inheriting but if I try to just allow it through the virtual hosts rewrites kick in and it redirects.
I have tried using L and END but this did not work either.
Is there any way of achieving this without editing the virtual host files that are already configured?
Main httpd config entry
<Directory "/www">
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride All
allow from all
Order allow,deny
Require all granted
RewriteEngine On
RewriteOptions InheritDownBefore
RewriteCond %{REQUEST_URI} ^/sub_directory/$ [NC]
RewriteRule ^(.*) $1 [L,END]
#RewriteRule ^(.*) - [L,END]
#RewriteRule ^(.*) http://www.google.com [L,END] # This does get triggered
</Directory>
sample virtual host file.
<VirtualHost *:80>
ServerName urlone.com
ServerAlias urltwo.com
DocumentRoot /www/
RewriteEngine On
# redirect to https
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://urlone.com$1 [R=301,L]
</VirtualHost>
so if I visit urlone.com it should redirect to https://urlone.com but if I visit urlone.com/sub_directory it needs to not allow the redirect to https.
I hope this makes sense to someone and thanks in advance for any help.
In global httpd.conf:
RewriteEngine On
RewriteOptions InheritDownBefore
RewriteCond %{REQUEST_URI} ^/sub_directory$ [NC]
RewriteRule ^ - [E=PATH_MATCHED:true]
(if needed, you can add additional rules, or additional flags to the above rule)
In virtual_host.conf
RewriteCond %{ENV:PATH_MATCHED} !=true
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://urlone.com%{REQUEST_URI} [R=301,L]

Apache causes 403 forbidden even when using DocumentRoot that is working with other domain

wget http://maydomain.example
--2017-04-06 18:21:12-- https://mydomain.example
Resolving mydomain.example (mydomain.example)... IP
Connecting to mydomain.example (mydomain.example)|IP|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-04-06 18:21:12 ERROR 403: Forbidden.
But other domain (at http://OTHER.example) is working, so I changed DocumentRoot to OTHER and (after restart apache2) the error was the same!
<VirtualHost *:80>
ServerAdmin suporte#mydomain.example
ServerName mydomain.example
ServerAlias www.mydomain.example
DocumentRoot /var/www/html/OTHER.example
# DocumentRoot /var/www/html/mydomain.example
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#?? Require all granted
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.oficial.news [OR]
RewriteCond %{SERVER_NAME} =oficial.news
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
The files /etc/apache2/sites-available/mydomain.example.conf and /etc/apache2/sites-available/OTHER.example.conf diffs only by filenames and the domain names into its confs.
Notes
May be... rewrite or .access at parent folder?
more /var/www/html/.htaccess
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
It was the configuration of the virtual host... See the Rewrite* lines, I removed all,
# REMOVED THIS:
# RewriteEngine on
# RewriteCond %{SERVER_NAME} =www.oficial.news [OR]
# RewriteCond %{SERVER_NAME} =oficial.news
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
now is working (!).
Thanks #Nomad and #MatíasNavarroCarter for clues and checklists.
I notice that you're using some Debian derivative (maybe Ubuntu 16.04) to work for your dev enviroment. I've done this many times.
What causes your error is probably that the var/www/html folder is "rooted". That means, root owns it, and Apache (www-data user) doesn't have the enough permissions to access that content. There are several solutions to this. You can choose what fits your needs the most. I'm going to post my preferred one first:
Work with Virtual Hosts: Working in localhost may be good for some. I prefer to use virtualhosts ended in .dev. Then, I point the document root to a folders project I have, more accessible than the localhost. I created a script to easily do all that.
Change the permissions of /var/www/html: Chown that folder to be of the www-data user and www-group, and chmod it 777. Warning: make sure when you upload it to your production server that permissions are ok.
Change Apache user to root: Of all these, this is my least recommended, but it works.

How to rewirte url to visit file under another folder

How to rewrite if file after stylesheets then read file under specific folder
e.g
if user visit
domain1.com/stylesheets/index.css actually read > domain1.com/app/assets/stylesheets/index.css
or
if visit
domain1.com/stylesheets/bundle/index.css read > domain1.com/app/assets/bundle/stylesheets/index.css
I tried below code but not work...
RewriteCond %{HTTP_HOST} ^(www\.)?domain1\.com\.localhost\$ [NC]
RewriteRule ^/stylesheets/(.*)\.css$ app/assets/stylesheets/$1
#or this rule not work too
RewriteRule ^/stylesheets/$ app/assets/stylesheets/$1
<VirtualHost *:80>
DocumentRoot "/Users/username/Sites/domain1.com"
ServerName domain1.com
</VirtualHost>
First you need to check the HTTP_HOST against the host name (without any further stuff, that is):
RewriteCond %{HTTP_HOST} ^domain1\.com\$ [NC]
Second, in order to be able to process the query further, you will need to capture parts of it (in parentheses, that is).
You can use this rule in vhost config or in site root .htaccess:
RewriteEngine On
RewriteRule ^/?(stylesheets/.+?\.css)$ /app/assets/$1 [L,NC]
If using vhost config remember to restart Apache after making this change. This is assuming app/assets/ path exists as full filesystem path of /Users/username/Sites/domain1.com/app/assets/

Redirect wildcard subdomains to subdirectory, without changing URL in address bar

I've read a lot of questions and answers about this on here but none that seem to solve my specific problem.
I want to redirect any subdomain to the subdirectory to match.
So: x.domain.com would go to domain.com/x, and y.domain.com would go to domain.com/y - But I want to do this without the URL in the address bar changing.
Here's what I have so far:
Options +FollowSymLinks
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_HOST} !^(www)\. [NC]
RewriteCond %{HTTP_HOST} ^(.*)\.domain\.com [NC]
RewriteRule ^ /%1 [P,L]
But this takes me to a website redirect loop, with an incorrect address in the URL bar where the subdomain still exists.
For example, x.domain.com takes me to x.domain.com/x and I get a redirect loop error.
I'd be grateful if anyone can point me in the right direction! Nothing I change seems to work...
First of all, make sure that the vhost in the apache configuration is properly configured and all subdomains of domain.com are in the same host configuration (wildcard):
<VirtualHost *:80>
ServerName domain.com
ServerAlias *.domain.com
...
You can get the redirect working with the following htaccess configuration:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(.*)\.domain\.com
RewriteRule ^(.*)$ http://domain.com/%1/$1 [L,NC,QSA]
Now, if you open asd.domain.com it should redirect you to domain.com/asd.
You will still have the problem, that the redirect is visible in the URL address bar. In order to prevent this, enable mod_proxy (and load the submodules) on your server and exchange the "L" flag with the "P" flag:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(.*)\.domain\.com
RewriteRule ^(.*)$ http://domain.com/%1/$1 [P,NC,QSA]
If this doesn't work, viewing the vhost configuration and the content of error.log on subdomain calling will be helpful!
References:
.htaccess rewrite subdomain to directory
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
http://httpd.apache.org/docs/2.2/rewrite/flags.html#flag_p
This can be achieved in .htaccess without mod_proxy provided your server is configured to allow wildcard subdomains. (I achieved that in JustHost by creating a subomain manually named *). Add this to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.website\.com$
RewriteCond %{HTTP_HOST} ^(\w+)\.website\.com$
RewriteCond %{REQUEST_URI}:%1 !^/([^/]+)/([^:]*):\1
RewriteRule ^(.*)$ /%1/$1 [QSA]
I named the subdirectories under $_SERVER['DOCUMENT_ROOT'] match with my subdomains like so:
/
var/
www/
html/
.htaccess
subdomain1.domain.com/
subdomain2.domain.com/
subdomain3.domain.com/
Where /var/www/html stand as 'DOCUMENT_ROOT'. Then put following code in the .htaccess file:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/%{HTTP_HOST}/
RewriteRule (.*) /%{HTTP_HOST}/$1 [L]
It works as redirect wildcard subdomains to subdirectories, without changing URL in address bar.
Beside of vhost, you may also put the subdirectories outside root and access it using alias as described here. Then put the same .htaccess code in that location.