I have a KISSMVC php based site with the following .htaccess to allow only authenticated users to see the site
RewriteEngine On
RewriteBase /myphpsite/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?/$1 [L]
# Protect app files
RewriteRule ^((app|system|scripts).*)$ index.php/$1 [L]
AuthName "Please enter your username and password"
AuthType Basic
<Limit GET>
require user THEUSERNAME
</Limit>
This works with no problem.
The problem is that I want to allow clients to retrieve a value from the site with no authentication. This value is obtained through the index.php function because it is calculated per client, plus there is no folder structure where these values are stored.
as an example this URL should not prompt:
http://fancywebsite.com/myphpsite/index.php/inventory/hash/variable
but this one should still be prompting:
http://fancywebsite.com/myphpsite
If I could somehow specify in the .htaccess file to bypass or satisfy the authentication when the requested URL contains "index.php/inventory/hash" that would be perfect.
Related
I have a site that is being attacked all the time and it is using joomla extensions
So I am trying to figure out what exploit are they using and I have decided to block those
I am using the below code:
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)xqgu=(.*)
RewriteRule ^(.*)$ - [F]
RewriteCond %{QUERY_STRING} (^|&)fck=(.*)
RewriteRule ^(.*)$ - [F]
but its not working as I can still access the site on
site.com/index.php?fck=you
Can I block all get request that have paramer after index.php?=
that are not coming form my IP?
like
site.com/index.php?fck=uxsw
site.com/index.php?xqgu=otzd
site.com/index.php?some=thing
buy allow get on
site.com/index.php
order deny,allow
deny from all
allow from <your ip>
or
<RequireAll>
Require ip xx.xx.xx.xx yy.yy.yy.yy
</RequireAll>
I have one page on my root folder called export.php. Now I don't want to give access to this page to all the users.
What I am trying to achieve, If any user tries to access export.php page then one alert will display and it will ask for the username and password. Once login details are correct then the page will be accessible. I tried some code on htaccess.
Now I have two issues,
1) I am getting alert on all the pages. How do I set only for the export.php page?
2) After entering the username and password I am getting a server error.
htaccess
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
AuthType Basic
AuthName "Access to the Hidden Files"
AuthUserFile 'http://localhost:8080/example/.htpassword'
Require valid-user
Solution.
First I found the path using
<?php echo $_SERVER['DOCUMENT_ROOT']; ?>
Output: /opt/lampp/htdocs/example/
then I added path in htaccess file
SetEnvIfNoCase Request_URI /export SECURED
AuthName "Access to the Hidden Files"
AuthType Basic
AuthUserFile "/opt/lampp/htdocs/example/.htpasswd"
AuthGroupFile /
Require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
Rewrite all to router.php and then rewrite from php (small mvc for example https://github.com/breakermind/Tronix).
Better solution, check if the user has permissions in php file:
<?php
// User field from users table (add to session when logging)
if($_SESSION['user']['allow_export'] == 9 && isIpAddressAllowedFunc($_SERVER['REMOTE_ADDR'])){
// show content
}else{
// Redirect or log out user
header('Location: index.php');
exit;
}
?>
I want to add a htaccess to allow visits from a specific ip.
The tree goes like this
domain
/abc/
/def/
I want to restrict the folder /abc/ but whitelist the folder /def/
Also, on the /abc/ there is a specific file called ghi.php. Can I allow access to that specific file ?
How can I do this?
This is what i have in /abc/ that redirects everyone who is not into the specified ip. However, I want to allow access to the ghi.php inside that dir.
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^125\.17\.119\.16$
RewriteRule ^ http://www.domain.com/ [R]
I would not use mod_rewrite for content protection, use the modules that are created for this:
# Default: deny all
Order Allow,Deny
# Allow the IP for everything
Allow from 125.17.119.16
# Allow access to this one PHP file
<Files /abc/ghi.php>
Allow from all
</Files>
# Allow access to everything inside that folder
<FilesMatch "^/def/">
Allow from all
</FilesMatch>
Try :
RewriteEngine on
#Allow access to the file
RewriteRule ^abc/ghi\.php$ - [L]
#forbid the request for /abc/* if ip not=1.2.3.4.5
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4\.5$
RewriteRule ^abc - [F,L]
If you want to redirect the request to homepage, just change the line
RewriteRule ^abc - [F,L]
to
RewriteRule ^abc http://example.com/ [L,R]
I have a wordpress site. recently under a serious ddos attack in wp-login.php. I have renamed wp-login.php to a new mysitename-login.php. and creat a new empty file with name wp-login.php. I have joined cloudflare, still received attack log in access_log. I have tried mod_evasive, but it will kill googlebot
Now I am manully add them into my .htaccess like
<Limit GET POST>
order allow,deny
deny from 108.162.253.180
deny from 173.245.48.134
deny from 173.245.49.187
deny from 173.245.51.180
deny from 173.245.54.66
deny from 108.162.219.
deny from 109.239.235.
allow from all
</Limit>
And I have an idea to create the .htaccess dynamic.
in current wp-login.php
$ip=$_SERVER['REMOTE_ADDR'];
// INSERT INTO ip_table (ip) values ($ip);
// ip is unique index
$html='<Limit GET POST>/n/r'
$html.=//select * from ip_table loop all
$html.='allow from all/n/r</Limit>';
$html.=<<<TXT
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
TXT;
file_put_content($html,'/var/www/html/.htaccess');
But I am afraid, if there have some problem during the file_put_content, the .htaccess is broken, my site will be broken too...
Any better way, to create a blacklist by using the robot access wp_login.php and no risk to be broken site?
Thanks.
Instead of creating a Blacklist, why not make a Whitelist? This wouldn't work if you allow all users to login to Wordpress, for example if you're using a membership plugin, but if only you and a few select Admins login, then just get everyone's IP address and add those to your .htaccess file like this:
## Prevent anyone not on my ip whitelist from accessing wp admin
RewriteCond %{REQUEST_URI} ^(/wp-admin|/wp-login.php).*$
RewriteCond %{REMOTE_ADDR} !=111.111.111.111
RewriteCond %{REMOTE_ADDR} !=222.222.222.222
RewriteCond %{REMOTE_ADDR} !=333.333.333.333
RewriteRule ^.*$ / [R=301,L]
What about using mod_evasive for Apache? This way you can easily block all IPs that try to connect to the certain URL very often in a short period of time.
You could block all IPs that will try to connect to your fake login page as well.
I'm trying to setup my .htaccess file to enable basic authentication on our development website.
I want the authentication to work on all my site but for certain URL. We are using friendly URL on our site..
I would also like to bypass authentication for certain file types like png, css, etc...
What I have so far looks like this :
SetEnvIfNoCase Request_URI ^/upload/ NO_AUTH
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=NO_AUTH
<FilesMatch "\.(gif|jpe?g|png|css|js|swf)$">
Satisfy Any
</FilesMatch>
The authentication is working fine, but the SetEnvIfNoCase does not seem to work because I'm still asked for authentication when going to the friendly URL '/upload/'.
The FilesMatch part does not seem to work either ..
Anyone can help me with that ?
Thanks !
There's 2 things you need to address.
Your <FilesMatch> container is doing nothing. You already have a Satisfy Any. You should add those extensions to a separate SetEnvIfNoCase
When you are using rewrite rules that rewrite /upload/, you need to include both the "friendly" URI as well as the rewritten URI, because the auth module is applied at every step (obviously, since it's really really bad to allow bypassing of authentication by rewrite/alias). That means, for example, if you have this rule:
RewriteRule ^upload/(.*)$ /upload_script.php?file=$1 [L]
Then you need to have a NO_AUTH line for both /upload/ and /upload_script.php:
SetEnvIfNoCase Request_URI ^/upload/ NO_AUTH
SetEnvIfNoCase Request_URI ^/upload_script.php NO_AUTH
Then to address #1:
SetEnvIfNoCase Request_URI \.(gif|jpe?g|png|css|js|swf)$ NO_AUTH
So an example of the suggestion:
something that you can try is to add a rule (similar to the above RewriteRule example), to route the /upload/ to an intermediate script other than index.php, then from the intermediate script, call index.php.
So using the above example of /upload_script.php you'd add this before any of your rules:
RewriteRule ^upload/ /upload_script.php [L]
So that it looks something like:
RewriteEngine On
RewriteRule ^upload/ /upload_script.php [L]
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
Then, you create a script called upload_script.php which will have something like:
<?php
include_once "index.php";
?>
You may want to dump the $_SERVER[''] array first to see if everything's set to what Zend's index.php is expecting to see.