Apache .htaccess - Block all URLs with ".php" but not "index.php" - php

I would like to block all ".php" requests for my site except "index.php". How can I achieve this with .htaccess and the rewrite mod?
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*(.php) [NC]
RewriteRule ^(.*)$ - [F,L]

You can use a negated condition pattern in RewriteRule:
RewriteEngine On
RewriteCond %{REQUEST_URI} \.php$ [NC]
RewriteRule !^index\.php$ - [F,NC,L]

I used this for years and it works perfectly. You can add multiple files to the allow list, separated by |
#PROTECT FILES
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
#ALLOW FILES (exact names only: pattern is anchored and the dot is escaped)
<FilesMatch "^(index|captcha)\.php$">
Allow from all
</FilesMatch>
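
The same default-deny plus allowlist in Apache 2.4 syntax, as an added example that is not part of either answer above. It assumes mod_authz_core (standard in 2.4) and reuses the file names index.php and captcha.php from the answer.

```apache
# Added example, Apache 2.4 syntax. Place in the .htaccess of the directory
# to protect; it also applies to every subdirectory below it.

# Default deny: refuse any file whose name ends in .php.
# <FilesMatch> tests the name of the file the request resolved to, not the
# raw URL. (?i) keeps the case-insensitive behaviour of the [NC] flag used
# in the rewrite-based answer.
<FilesMatch "(?i)\.php$">
    Require all denied
</FilesMatch>

# Allowlist: this section appears later, so for the files it matches its
# Require replaces the denial above. The ^ and $ anchors and the escaped dot
# keep it to these exact names; an unanchored pattern would also match names
# such as "old-index.php.bak" or "myindex.php".
<FilesMatch "^(index|captcha)\.php$">
    Require all granted
</FilesMatch>
```

If other extensions are mapped to the PHP handler on the server, they need to be added to the first pattern.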

Related

htaccess file works in apache 2.2 but not in apache 2.4 - aws beanstalk hosted

I need to make this .htaccess file work in Apache 2.4. It seems Apache 2.4 does not like
Order Allow,Deny
Deny from all
I changed that to
<FilesMatch "\.(htaccess|htpasswd|ini|psd|log|sh|crt|gitignore|md)$">
Require all denied
</FilesMatch>
Here are some errors I have seen so far implementing it:
AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
AH01797: client denied by server configuration: /var/www/html/
And here is the .htaccess file I am trying to make work in Apache 2.4. Can you spot anything else Apache 2.4 would not like?
Options -Indexes
<FilesMatch "\.(htaccess|htpasswd|ini|psd|log|sh|crt|gitignore|md)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<Files 8fjfsuUhhhhh8/*>
deny from all
</Files>
<Files backups/*>
deny from all
</Files>
<Files stats/*>
deny from all
</Files>
<Files icons/*>
deny from all
</Files>
<Files error/*>
deny from all
</Files>
<Files logs/*>
deny from all
</Files>
<Files git/*>
deny from all
</Files>
<Files .git/*>
deny from all
</Files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^blog/(.*)$ https://blog.mysite.com/$1 [R=301,NC,L]
# Old Site Redirects
RewriteRule ^retailers($|/$) /merchants/ [R=301,NC,L]
RewriteRule ^faqs($|/) /FAQ/ [R=301,NC,L]
RewriteRule ^contact($|/) /contact-us/ [R=301,NC,L]
RewriteRule ^login($|/) /customer-login/ [R=301,NC,L]
RewriteRule ^bank-vision($|/) /FAQ/ [R=301,NC,L]
# New Website Proxying
# Handle Request to index
RewriteCond %{THE_REQUEST} ^GET\ /\ .*
RewriteRule . http://mysite.com.s3-website.eu-west-2.amazonaws.com/ [P]
# Handle all the named pages
RewriteRule ^(merchants|how-it-works|shop-directory|contact-us|terms-of-use|privacy-policy|complaints-policy|careers|FAQ|error)($|/) http://mysite.com.s3-website.eu-west-2.amazonaws.com/$1$2 [P]
# Handle the various static elements
RewriteRule ^static/(.*)$ http://mysite.com.s3-website.eu-west-2.amazonaws.com/static/$1 [P]
RewriteRule ^page-data/(.*)$ http://mysite.com.s3-website.eu-west-2.amazonaws.com/page-data/$1 [P]
RewriteRule ^([^\/]*).js$ http://mysite.com.s3-website.eu-west-2.amazonaws.com/$1.js [P]
RewriteRule ^icons-(.*)/(.*)\.(png|jpg)$ http://mysite.com.s3-website.eu-west-2.amazonaws.com/icons-$1/$2.$3 [P]
# Handle request to homepage with get parameters
RewriteCond %{THE_REQUEST} ^GET\ /\?utm_source=([^\s&]+)
RewriteRule . http://mysite.com.s3-website.eu-west-2.amazonaws.com/ [P]
RewriteCond %{THE_REQUEST} ^GET\ /\?ref=([^\s&]+)
RewriteRule . http://mysite.com.s3-website.eu-west-2.amazonaws.com/ [P]
# Legacy Platform stuff
RewriteRule ^(frontend/process/process/components|admin-lf7/ui/ajax|frontend/ajax|8fjfsuUFks988/cron)($|/) - [L]
RewriteRule ^rt8aglCo7XfQOxxQH2mTDZw45675675675567P27da4t1T1yJIB5Be58ih /admin.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\.php[/?\ ]
RewriteRule .*\.php$ index.php [L]
</IfModule>
When I use this .htaccess file from the AWS Beanstalk examples I can see the site OK:
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
"Order Allow,Deny" / "Deny from all" is backward compatible with Apache 2.4, so you should be fine with the old config.
The error AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
is actually an attempt to exploit your server, and your Apache correctly denies that.
Did you test that FilesMatch properly? Like trying to access yourpage.com/.htaccess? As a result you should see in the log your second "error" AH01797: client denied by server configuration: /var/www/html/ which means your .htaccess and the FilesMatch within it work as they should.
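
The access-control part of the question's file written in Apache 2.4 syntax only, as an added example that is not the asker's or the answerer's configuration. It assumes mod_authz_core and mod_rewrite are loaded and that the .htaccess sits in the document root; the directory names are taken from the question.

```apache
# Added example, Apache 2.4 syntax. Order/Allow/Deny only work on 2.4 when
# mod_access_compat is loaded, and mixing them with Require in one file is
# discouraged, so every block is converted rather than just the first.

Options -Indexes

# 2.2 form:
#   Order Allow,Deny
#   Deny from all
# 2.4 form:
<FilesMatch "\.(htaccess|htpasswd|ini|psd|log|sh|crt|gitignore|md)$">
    Require all denied
</FilesMatch>

# <Files> and <FilesMatch> compare against the file's base name only, so a
# pattern containing a slash, such as <Files backups/*> or <Files .git/*>,
# never matches and protects nothing on either Apache version.
# Directories are matched against the URL path instead. In a .htaccess the
# path is relative to this directory and has no leading slash.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Must come before the redirect and proxy rules so it is evaluated first.
    # [F] answers 403 and stops rule processing for the request.
    # List only directories that no later rule is expected to serve.
    RewriteRule ^(backups|stats|logs|git|\.git)(/|$) - [F]
</IfModule>
```

A request for a file under one of the listed directories should then return 403 and log AH01797 or a mod_rewrite forbidden entry, which is the check to run after deploying.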

How can I use .htaccess to redirect a sub domain to a specific file?

When users go to my sub domain, I want them to be redirected to a specific file I have in my subdomain. Or, to be exact, when someone goes here
http://app.example.com/
they should be redirected to here:
http://app.example.com/dashboard/
Everything I have tried doesn't seem to be working and the examples I have found online either don't work or don't do what I need them to do.
I'm also trying to get this to work from my root directory (from public_html). This is my file structure:
/ public_html
    / .htaccess
    / index.php
    / app.example.com
        / dashboard.php
You can see my htaccess file sitting on the top level. This is where I need to keep it.
This is my current file (including my attempt at the redirect):
# --------------------------------------------------------------------------------------------------------------------------------------
# Stops people from being able to see htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
# --------------------------------------------------------------------------------------------------------------------------------------
# Options
Options All -Indexes +MultiViews
# --------------------------------------------------------------------------------------------------------------------------------------
# Redirect app.example.com to /dashboard
RewriteEngine On
RewriteCond %{HTTP_HOST} ^app.example.com
RewriteRule ^$ /dashboard [L,R=301]
# --------------------------------------------------------------------------------------------------------------------------------------
# Makes it so url can have slash at the end instead of .php extension
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
RewriteRule ^(.+?)/?$ $1.php [L]
# --------------------------------------------------------------------------------------------------------------------------------------
# Adds www to url if it doesn't already have it
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]

Simple subdomain redirect PHP

I have a sub-domain for my mobile app which is like http://m.traffic.domain.com
Now I want my users to be able to access their page by visiting http://m.traffic.domain.com/username
which will internally point to http://m.traffic.domain.com/index.php?username=$1
For this I have the following .htaccess rewrite code, but it's not working as expected; rather, it's redirecting all pages to this page: http://m.traffic.domain.com/index.php?username=$1
# Use PHP5 Single php.ini as default
AddHandler application/x-httpd-php5s .php
AddHandler application/x-httpd-php .aspx
RewriteEngine On
RewriteCond %{HTTP_HOST} ^m\.traffic\.domain\.com$ [NC]
RewriteCond %1 !^www$ [NC]
RewriteRule ^(.+)$ mobile/index.php?username=%1 [L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>
The subdomain http://m.traffic.domain.com points to a directory called mobile which can be accessed at http://traffic.domain.com/mobile
Try this code instead:
# Use PHP5 Single php.ini as default
AddHandler application/x-httpd-php5s .php
AddHandler application/x-httpd-php .aspx
RewriteEngine On
RewriteCond %{HTTP_HOST} ^m\.traffic\.domain\.com$ [NC]
RewriteRule ^([^.]+)/?$ /index.php?username=$1 [L,QSA]
<Files 403.shtml>
order allow,deny
allow from all
</Files>
Matched groups from RewriteRule are $1, $2 instead of %1, %2 and you don't need /mobile since your request is for m.traffic.domain.com not traffic.domain.com

Whitelist IPs for a certain file .htaccess with rewrite

Here's my current situation:
I'm rewriting /api to api.php.
RewriteRule ^apidir/url/new?$ api.php [QSA,NC,L]
Now, I am whitelisting IPs for it. However, when I try to use the Files directive to block access, I can't because it is being rewritten.
<Files "\api.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
so, I tried just using it to block the rewritten directory
<Files "\apimashape2013/url/new">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
None of these have worked out.
If you have access to the virtualhost you can use this:
RewriteEngine on
RewriteMap hosts-deny txt:/home/youraccount/deny_list.txt
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteCond %{REQUEST_URI} ^/api [NC]
RewriteRule ^ - [F]
And have the deny_list.txt with the list of IPs or hosts you wish to blacklist:
193.102.180.41 -
bsdti1.sdm.de -
192.76.162.40 -
Read more here.
Alternatively if you don't have access to the virtualhost, you can change the name of your php file to something unique for example thisismyapi.php and use it like this:
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
<Files "thisismyapi.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !thisismyapi.php
RewriteRule ^api/?(.*)$ /api/thisismyapi.php [L]
Why do I change it to other name?
Because this way it will match it anywhere it is so it should work just fine for your needs and will not conflict with other files.
For example, if the file was named index.php it would conflict with index.php in other folders.
Not sure why the first <Files> container isn't working. The \ shouldn't have any effect. But the container needs to be in the directory or parent directory of where the api.php file is.
Alternatively, you can include this in your htaccess:
RewriteCond %{REMOTE_ADDR} ^24\.11\.95\.151$
RewriteRule ^/?api\.php$ - [L,F]

add a subdirectory to a site hosting wordpress in doc root

I want to run a php script on my site from a newly created subdirectory.
However I am finding that my existing wordpress blog (running from doc root) is intercepting my url to the script in subdir and giving me a 404.
How can I get wordpress to ignore the subdirectory?
EDIT: based on comment, here is my .htaccess file contents:
# -FrontPage-
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName example.com
AuthUserFile /home/xxx/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/xxx/public_html/_vti_pvt/service.grp
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Based on pekka's comment, I fixed my own problem with the following (where folder1 is the subdirectory I want WordPress to ignore):
=========[ start of .htaccess snippet]==========
<IfModule mod_rewrite.c>
RewriteEngine on
#
# stuff to let through (ignore)
RewriteCond %{REQUEST_URI} "/folder1/"
# other existing rules go here:
RewriteRule (.*) $1 [L]
#
====================[ end ]=====================
Pekka, if you put your comment as an answer, I will credit you.
Thanks
Another solution:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(stats|failed_auth\.html).*$ [NC]
RewriteRule . - [L]
</IfModule>
This one worked perfectly for me.
Source: http://wiki.dreamhost.com/Making_stats_accessible_with_htaccess
