I am having a problem , I am a great supporter of .htaccess , but I have taken a yahoo small business hosting for one of my Project, which currently dont supports .htaccess rewrite, so I am looking for some best option to mimic the same functionality with php instead of .htaccess
So , I can redirect all request to index.php with the following code, Reference
if(basename($_SERVER['REQUEST_URI']) !== 'index.php'){
header("location:index.php");
exit();
}
Now I want to implement other functionality in php too, like denial of directory access, and allowing only css , jss , image file etc direct access.So please suggest me some optimised and feasilble way to achieve this. Here is .htaccess for reference
RewriteEngine on
RewriteBase /
SetEnv APPLICATION_ENV development
#SetEnv FACEBOOK_APP_ID 4343434343
#SetEnv FACEBOOK_APP_SECRET d00b24f1344334833c90f0795ebe
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?url=$1 [L,QSA]
# This denies all web access to your .ini file.
<Files ~ "\.(php|ini|log|htm)$">
Order allow,deny
Deny from all
</Files>
<FilesMatch "^(index\.php)?$">
Allow from All
</FilesMatch>
<files config.base.ini>
order deny,allow
deny from all
</files>
<files errorlogs.log>
order deny,allow
deny from all
</files>
PS :FB SECRET ID AND CREDENTIALS ARE DUMMY
Related
I need to create a .htaccess rewrite. All requests need to redirect to /public/index.php. except for assets. (public/images/, public/css/ etc...). My css and js files have version (style.20180523.css). So the numbers need to get remove from the file name.
Example link:
domain.com/users/123 -> to index.php
domain.com/public/images/logo.png -> All requests which start with public, will remain unchanged If css or js remove a number
Here is my htaccess:
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(?!\/public) public/index.php [L,QSA]
</IfModule>
You need to add a rewrite condition like
RewriteCond %{REQUEST_URI} !^/public/(css|js)/
before your RewriteRule.
This will rewrite everything that is not starting with /public/css or /public/js
I am working on securing my web server.
I do not want people to be able to execute files they shouldn't.
I was told that I should deny all and whitelist files that could be executed.
That works. Problem is when i access my domain.com it wont execute example.com/index.php . if i type example.com/index.php it works.
here is my htaccess file
Options -Indexes
Order deny,allow
Deny from all
<Files /index.php>
Allow from all
</Files>
<Files "index.php">
Allow from all
</Files>
<Files "teacher_login.php">
Allow from all
</Files>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
You know what's a better way to prevent people from executing scripts they shouldn't?
Don't put them on the Web at all.
Put these scripts outside of public_html on your server, and suddenly nobody can access them! No need for .htaccess hacks like what you're trying. And better still, they're still accessible for the server itself - eg.
require($_SERVER['DOCUMENT_ROOT']."/../hidden-scripts/something.php");
Much better.
I want to block HTTP access to every file in my project directory except PHP scripts located in the root folder (not subfolders).
My current .htaccess file looks like this :
# Disable Directory Listings in this Directory and Subdirectories
# This will hide the files from the public unless they know direct URLs
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api.php/$1 [QSA,L]
</IfModule>
# Deny all files from being accessed with Apache
Order Deny,Allow
Deny from all
# Allow specific PHP files at root
<FilesMatch "/(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
This mostly works, except for the URL rewriting on the api.php script. I've tried changing the FilesMatch regexp to /(api|cron|status)(\.php)?$, but it keeps on throwing me a 403 response.
Anyone can explain to me what I did wrong here ? I'm usually OK with regexp, but this has got me thinking Apache doesn't process them like everyone else...
Deny from all
<FilesMatch "^(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
And I guess make sure your .htaccess is on the root level.
I'm new in SS and I need to moved one website from one web hosting into Godaddy.
Ir order to do that I have installed SS in my local environment in the root folder and everything works smoothly. Then I went to the subdomain and almost everything works well except the detail page. For example:
Home page: http://subdomain.domain.com.au/subdomain/index.php/ - IT WORKS
Product - Tools page: http://subdomain.domain.com.au/subdomain/index.php/products/tools/ - IT WORKS
Tools details page: http://subdomain.domain.com.au/tools/show/slp20xp IT DOESN'T WORK.
If I go to this URL : http://subdomain.domain.com.au/subdomain/index.php/products/tools//show/slp20xp The page is there and working fine. Somehow, on the detail page is trying to go one step backward to the root folder. If I moved this page to the root folder everything works fine.
Any idea what I might be missing? I tried different htacces configuration but none of them seems to work.
### SILVERSTRIPE START ###
<Files *.ss>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files web.config>
Order deny,allow
Deny from all
</Files>
# This denies access to all yml files, since developers might include sensitive
# information in them. See the docs for work-arounds to serve some yaml files
<Files *.yml>
Order allow,deny
Deny from all
</Files>
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html
<IfModule mod_alias.c>
RedirectMatch 403 /silverstripe-cache(/|$)
RedirectMatch 403 /vendor(/|$)
RedirectMatch 403 /composer\.(json|lock)
</IfModule>
<IfModule mod_rewrite.c>
SetEnv HTTP_MOD_REWRITE On
RewriteEngine On
RewriteBase '/'
RewriteCond %{REQUEST_URI} ^(.*)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !\.php$
RewriteRule .* framework/main.php?url=%1&%{QUERY_STRING} [L]
</IfModule>
### SILVERSTRIPE END ###
In the htaccess of the subdomain, try changing RewriteBase '/' to RewriteBase '/subdomain'
I am trying to allow user to wordpress wp-admin index page if query string contains parameter. I am setting env variable to allow them access. This is how my htaccess file looks like
RewriteEngine on
RewriteCond %{QUERY_STRING} !^author=1
RewriteRule ^ - [E=NO_AUTH:1]
AuthName "Staff Authorization Required"
AuthType Basic
AuthUserFile /usr/bin/.htpasswd
<Files "index.php">
Order Deny,Allow
Deny from all
Require user newagenumber
Allow from env=NO_AUTH
</Files>
Options -Indexes
As of yet, authorization dialog box appears for everyone. Please help :|
This is not working because Apache executed mod_auth module before mod_rewrite hence NO_AUTH is not set when basic authentication directives run.
Unfortunately this behavior is not that simple to change.
Here is a workaround solution that combines mod_rewrite, mod_setenvif and mod_auth:
RewriteEngine On
RewriteBase /wp-admin/
RewriteCond %{QUERY_STRING} (?:^|&)(author=1)(?:&|$) [NC]
RewriteRule ^(index\.php)?$ index.php/%1 [NC]
# set SECURED var to 1 if URI is /index.php/200
SetEnvIfNoCase Request_URI "/index\.php/(author=1)" NO_AUTH
AuthType Basic
AuthName "Login Required"
AuthUserFile /full/path/to/passwords
Require user newagenumber
Order Deny,Allow
Deny from all
Allow from env=NO_AUTH
Satisfy any