.htaccess
O arquivo .htaccess ou "arquivo de configurração distribuído" oferece uma forma de alterar configurações sendo um arquivo por diretório. Um arquivo, contendo uma ou mais diretivas de configuração, é adicionado em um diretório particular e as diretivas se aplicam ao diretório e recursivamente a todos os seus subdiretórios.
Diretivas
É uma terminologia que o Apache usa para os comandos nos arquivos de configuração do Apache. São geralmente relativamente comanndos curtos, tipicamente um par chave valor que modificam o comportamento do Apache.
Os programadores podem executaar algumas dessas diretivas sem precisar mexer no core das configurações do Apache, httpd.conf.
Habilitando o .htaccess no Apache
httpd.conf:
AllowOverride All
Testar se .htaccess está habilitado:
-Criar dois arquivos em um diretório: index_bom.html e index.php
-Criar um arquivo .htaccess no diretório com o conteúdo:
# Esta diretiva faz com que o Apache primeiro procure index_good.html para abrir e somente não existindo abre index.php.
DirectoryIndex index_good.html index.html
Se ele abrir index_good.html então o .htaccess está habilitado.
index_good.html:
Suporte ao .htaccess habilitado.
index.php
Suporte ao .htaccess não habilitado.
Outra forma de testar é entrar algum erro de sintaxe no .htaccess.
Caso ele acuse um erro Internal Server Error, então está habilitado.
Caso simplesmente mostre a index, então está desabilitado.
.htaccess
ESTÁ HABILITADO
index.php
Não está habilitado o .htaccess
Diretivas diretamente no httpd.conf:
<Directory /www/supercool/test>
# Entre as Directivas aqui
</Directory>
O .htaccess é um arquivo oculto no Linux e muito útil para melhorar a segurança de sites entre outras funções.
Negar acesso a determinado diretório via web:
Crie um arquivo chamado .htaccess com estas duas linhas:
order deny,allow
deny from all
Impedindo a Listagem de diretórios
Por padrão a listagem dos diretórios está habilitada.
Para ocultar a listagem de um diretório para os visitantes e para os instrumentos de busca basta criar um .htaccess com a seguinte linha:
Options -Indexes
Alterando diretivas do php.ini via .htaccess
php_value memory_limit 64M
php_value max_execution_time 120
php_value max_input_time 120
php_value output_buffering off
php_flag display_errors off
php_flag session.auto_start off
php_flag register_globals off
php_flag magic_quotes_runtime off
.htaccess do Joomla personalizado para reforçar a segurança
# Revisão 10
# Versão atualizada http://forum.joomla.org/index.php/topic,124708.msg613819.html#msg613819
# Legenda: [1] - Exlusivo para PHP como módulo / [2] - Exlusivo para PHP como CGI
# Otimizado para usar com OpenSEF e joomla na raiz do site.com.br
# ALTERE para suas necessidades - para descomentar retire APENAS um #
##1. Comente se causar erros
Options +FollowSymLinks
##2. mod_rewrite em uso ( preferencialmente deve estar ativo para SEO funcionar)
RewriteEngine On
##3. se o joomla estiver em um subidiretorio, altere para ' RewriteBase /subdiretorio '
RewriteBase /
##4. Nega acesso público a arquivos terminados com '~' - ótimos para esconder backups
#RewriteRule ~$ - [F]
##5. Adiciona 'www' no link caso acessem direto *** site.com.br ***
##5. ( Melhora a ***SEO*** e evita problemas com javascripts )
##5. MODIFIQUE *6* e *7* para o seu site antes de usar
#RewriteCond %{REQUEST_FILENAME} !-s
#RewriteCond %{HTTP_HOST} !^www\.site\.com\.br
#RewriteRule (.*) http://www.site.com.br/$1 [R=301,L]
##***************** Início - Descomente qual SEF vai usar
##### Inicio - CASO USE O SEF DO CORE DO JOOMLA =P
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
##RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes#
#RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
#RewriteRule ^(content/|component/) index.php
##### Fim - - CASO USE O SEF DO CORE DO JOOMLA =P
#### Incício - CASO USE O SEF DE COMPONENTES DE TERCEIROS [OpenSEF =]
#RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
#### Fim - CASO USE O SEF DE COMPONENTES DE TERCEIROS [OpenSEF =]
##***************** Fim - Descomente qual SEF vai usar
##***************** Início - Questões puramente de segurança
####### Usar .htaccess para alterar configurações do PHP caso não sejam padrões
## Previne ataques de variáveis globais
## Altere no arquivo /globals.php o '1' para '0' no ' define( 'RG_EMULATION', 0 ); '
##8. [1]Forçar Register globals = off
#php_flag register_globals off
##9. [1]Forçar Register globals = off
#php_value register_globals 0
## Previne ataques de injeção de código
##10. Forçar Magic Quotes = on
#php_flag magic_quotes_gpc on
## Previne Cross Site Scripting (XSS)
##11. Forçar Allow URL Fopen = off
#php_flag allow_url_fopen off
## Mudar para PHP5 com htaccess, vide: http://forum.joomla.org/index.php/topic,100045.0.html
########## Inicio - REWRITE RULES PARA EVITAR ATAQUES DE EXPLOIDS COMUNS
## Se tiver problemas no seu site, comente as linhas abaixo
## estas linhas evitam alguns dos ataques mais comuns ao joomla.
## Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
## Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
## Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
## Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
## Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
## Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
######### Inicio - BOAS PRÁTICAS DE SEGURANÇA
## 1º Autere o nome do Superadministrador para outro diferente de 'admin' - Vai dificultar quebras de senha
## Área administrativa > Site > Administrar usuários > Administrator > Detalhes do Usuário > Nome de Usuário: > **mude**
## 2º Não crie nem permaneça com senhas ***fracas*** para usuários, ftp e banco de dados.
## 4º Use senhas diferentes para sites diferentes.em especial se você exibe publicamente lista com todos os seus sites
######### Inicio - BOAS PRÁTICAS DE SEGURANÇA
########## Fim - REWRITE RULES PARA EVITAR ATAQUES DE EXPLOIDS COMUNS
##***************** Fim - Questões puramente de segurança
##***************** Fim - Em caso de erro
#### SE HOUVER ERRO DO TIPO "500 - Internal Error"
## 1º Rewrite pode não estar habilitado em seu servidor
## 2º Você descomentou algo errado ou adiciou alguma diretiva que o servidor não permite
## por exemplo a *Options +FollowSymLinks* ou *RewriteBase*##
#### SE HOUVER ERRO DO TIPO " 404 - File or directory not found"
## 1º Você trocou de servidor, ou fez alterações diverças e deletou arquivos ou artigos
## 2º O rewrite está habilitado no servidor ( por isso não da erro 500 ) mas ainda assim não funciona direito e da erro 404##
##### CHECAR SE REWRITE ESTÁ HABILITADO
## PHP CGI: Administrador >Sistema > Info do sistema > Php Info > standard >Directive > **url_rewriter.tags** aparece habilitado?
## PHP Módulo: Administrador >Sistema > Info do sistema > Php Info > apache2handler > mod_rewrite > Loaded Modules > **mod_rewrite** aparece habilitado?
#### TESTAR NA ***PRÁTICA*** SE REWRITE ESTÁ HABILITADO NO SERVIDOR##
## 1° Vá em administrator> SEO > enable > save
## 2° Coloque um .htaccess na raiz do sei site ***SOMENTE*** com as seguintes linhas##
# Options +FollowSymLinks
# Redirect /joomla.html http://www.joomla.org##
## 3° Vá na página www.seusite.com/joomla.html, e, se foi redirecionado para 'http://www.joomla.org'
## o mod_rewrite está ativado. Caso não esteja, as URLs amigáveis normalmente não funcionam##
##### SOLUÇÕES PARA REWRITE DESABILITADO ("500") OU COM ERROS ("404")
## 1º Solicite a habilitação da diretiva pelo host, ou troque de host =]
## 2º Descomente a próxima linha ( vai fazer com que a index do joomla adminisstre a URL, em vez do servidor )
#ErrorDocument 404 /index.php # caso joomla esteja em subdiretório /subdiretorio/index.php
## e, se necessário, comente *Options +FollowSymLinks* ou *RewriteEngine On*
########################## EM CASO DE ERRO #########################
##***************** Fim - Em caso de erro
##Também dá para adicionar as linhas abaixo.
##Porém, isso vai consumir um pouco mais de recurso de processamento do servidor. Por isso, é bom estar atento.
##***************** Início - Bloquear acesso a Bots de email e de bots que BAIXAM o site todo
## Se você quer evitar que certos sites que capturam emails na sua página ou que fazem o download completo de seu site
## pode tentar usar as linhas abaixo para negar acesso e dar-lhes erro 403. Se não quiser delete todas as linhas.
## Há VÁRIOS links na internet falando disso. Porém, veja o link http://forum.joomla.org/index.php/topic,79398.0.html##
## *** AINDA não testei mas farei em BREVE **##
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto: craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
##***************** Fim - Bloquear acesso a Bots de email e de bots que BAIXAM o site todo
Autenticação Básica
-Criar um arquivo com login e senha encriptados
-Adicionar algumas linhas ao .htaccess para usar este arquivo
Criar um arquivo .htpasswd para o usuário jose com senha senhajose
.htpasswd
jose:7fd0af4aa9342b6afdb2ca7573555cc3
.htaccess
# Enable Basic Authentication
AuthType Basic
# This is what will be displayed to the user on the login dialog.
AuthName "Access to the Hidden Files"
# This you must edit. It is the absolute path to the .htpasswd file.
AuthUserFile /path/to/.htpasswd
# This allows any user from inside the .htpasswd file to access the
# content if they provide the proper username and password.
Require valid-user
Agora execute o comando:
htpasswd -nbm jose josesenha
Veja o help do htpasswd para detalhes
htpasswd --help
jose:$apr1$nX9Dg9r/$37gNIEnEt1ahv/IWfugBh0
Header
Podemos usar o Apache para sobrescrever ou adicionar um novo header para a página.
Header add X-HeaderName "Header Value"
Redirect Everyone Except IP address to alternate page
ErrorDocument 403 http://www.yahoo.com/ Order deny,allow Deny from all Allow from 208.113.134.190
Para sitesThis lets google crawl the page, lets me access without a password, and lets my client access the page WITH a password. It also allows for XHTML and CSS validation! (w3.org)AuthName "Under Development" AuthUserFile /home/sitename.com/.htpasswd AuthType basic Require valid-user Order deny,allow Deny from all Allow from 208.113.134.190 w3.org htmlhelp.com googlebot.com Satisfy Any
Set Timezone of the Server (GMT)
SetEnv TZ America/Indianapolis
Administrator Email for ErrorDocument
SetEnv SERVER_ADMIN webmaster@google.com
ServerSignature for ErrorDocument
ServerSignature off | on | email
Charset and Language headers
AddDefaultCharset UTF-8 DefaultLanguage en-US
Disallow Script Execution
Options -ExecCGI AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Deny Request Methods
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST|PUT)
RewriteRule .* - [F]Force “File Save As” Prompt
AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4
Show CGI Source Code
RemoveHandler cgi-script .pl .py .cgi AddType text/plain .pl .py .cgi
Serve all .pdf files on your site using .htaccess and mod_rewrite with the php script.
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.+)\.pdf$ /cgi-bin/pdf.php?file=$1 [L,NC,QSA]Rewrite to www
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
RewriteRule ^(.*)$ http://www.askapache.com/$1 [R=301,L]Rewrite to www dynamically
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC]
RewriteCond %{HTTP_HOST} ([a-z-]+\.[a-z]{2,6})$ [NC]
RewriteRule ^/(.*)$ http://%1/$1 [R=301,L]301 Redirect Old File
Redirect 301 /old/file.html http://www.askapache.com/new/file.html
301 Redirect Entire Directory
RedirectMatch 301 /blog(.*) http://www.askapache.com/$1
Protecting your php.cgi
<FilesMatch "^php5?\.(ini|cgi)$"> Order Deny,Allow Deny from All Allow from env=REDIRECT_STATUS </FilesMatch>
Set Cookie based on Request
This code sends the
Set-Cookie header to create a cookie on the client with the value of a matching item in 2nd parantheses.RewriteEngine On RewriteBase / RewriteRule ^(.*)(de|es|fr|it|ja|ru|en)/$ - [co=lang:$2:.askapache.com:7200:/]
Set Cookie with env variable
Header set Set-Cookie "language=%{lang}e; path=/;" env=langCustom ErrorDocuments
ErrorDocument 100 /100_CONTINUE ErrorDocument 101 /101_SWITCHING_PROTOCOLS ErrorDocument 102 /102_PROCESSING ErrorDocument 200 /200_OK ErrorDocument 201 /201_CREATED ErrorDocument 202 /202_ACCEPTED ErrorDocument 203 /203_NON_AUTHORITATIVE ErrorDocument 204 /204_NO_CONTENT ErrorDocument 205 /205_RESET_CONTENT ErrorDocument 206 /206_PARTIAL_CONTENT ErrorDocument 207 /207_MULTI_STATUS ErrorDocument 300 /300_MULTIPLE_CHOICES ErrorDocument 301 /301_MOVED_PERMANENTLY ErrorDocument 302 /302_MOVED_TEMPORARILY ErrorDocument 303 /303_SEE_OTHER ErrorDocument 304 /304_NOT_MODIFIED ErrorDocument 305 /305_USE_PROXY ErrorDocument 307 /307_TEMPORARY_REDIRECT ErrorDocument 400 /400_BAD_REQUEST ErrorDocument 401 /401_UNAUTHORIZED ErrorDocument 402 /402_PAYMENT_REQUIRED ErrorDocument 403 /403_FORBIDDEN ErrorDocument 404 /404_NOT_FOUND ErrorDocument 405 /405_METHOD_NOT_ALLOWED ErrorDocument 406 /406_NOT_ACCEPTABLE ErrorDocument 407 /407_PROXY_AUTHENTICATION_REQUIRED ErrorDocument 408 /408_REQUEST_TIME_OUT ErrorDocument 409 /409_CONFLICT ErrorDocument 410 /410_GONE ErrorDocument 411 /411_LENGTH_REQUIRED ErrorDocument 412 /412_PRECONDITION_FAILED ErrorDocument 413 /413_REQUEST_ENTITY_TOO_LARGE ErrorDocument 414 /414_REQUEST_URI_TOO_LARGE ErrorDocument 415 /415_UNSUPPORTED_MEDIA_TYPE ErrorDocument 416 /416_RANGE_NOT_SATISFIABLE ErrorDocument 417 /417_EXPECTATION_FAILED ErrorDocument 422 /422_UNPROCESSABLE_ENTITY ErrorDocument 423 /423_LOCKED ErrorDocument 424 /424_FAILED_DEPENDENCY ErrorDocument 426 /426_UPGRADE_REQUIRED ErrorDocument 500 /500_INTERNAL_SERVER_ERROR ErrorDocument 501 /501_NOT_IMPLEMENTED ErrorDocument 502 /502_BAD_GATEWAY ErrorDocument 503 /503_SERVICE_UNAVAILABLE ErrorDocument 504 /504_GATEWAY_TIME_OUT ErrorDocument 505 /505_VERSION_NOT_SUPPORTED ErrorDocument 506 /506_VARIANT_ALSO_VARIES ErrorDocument 507 /507_INSUFFICIENT_STORAGE ErrorDocument 510 /510_NOT_EXTENDED
Implementing a Caching Scheme with .htaccess
# year <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|mp3|mp4)$"> Header set Cache-Control "public" Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT" Header unset Last-Modified </FilesMatch> #2 hours <FilesMatch "\.(html|htm|xml|txt|xsl)$"> Header set Cache-Control "max-age=7200, must-revalidate" </FilesMatch> <FilesMatch "\.(js|css)$"> SetOutputFilter DEFLATE Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT" </FilesMatch>
Password Protect single file
<Files login.php> AuthName "Prompt" AuthType Basic AuthUserFile /home/askapache.com/.htpasswd Require valid-user </Files>
Password Protect multiple files
<FilesMatch "^(private|phpinfo)\.*$"> AuthName "Development" AuthUserFile /.htpasswd AuthType basic Require valid-user </FilesMatch>
Send Custom Headers
Header set P3P "policyref=\"http://www.askapache.com/w3c/p3p.xml\"" Header set X-Pingback "http://www.askapache.com/xmlrpc.php" Header set Content-Language "en-US" Header set Vary "Accept-Encoding"
Blocking based on User-Agent Header
SetEnvIfNoCase ^User-Agent$ .*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures) HTTP_SAFE_BADBOT SetEnvIfNoCase ^User-Agent$ .*(libwww-perl|aesop_com_spiderman) HTTP_SAFE_BADBOT Deny from env=HTTP_SAFE_BADBOT
Blocking with RewriteCond
RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
RewriteRule . - [F,L].htaccess for mod_php
SetEnv PHPRC /location/todir/containing/phpinifile
.htaccess for php as cgi
AddHandler php-cgi .php .htm Action php-cgi /cgi-bin/php5.cgi
Shell wrapper for custom php.ini
#!/bin/sh export PHP_FCGI_CHILDREN=3 exec php5.cgi -c /abs/php5/php.ini
Add values from HTTP Headers
SetEnvIfNoCase ^If-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1 SetEnvIfNoCase ^If-None-Match$ "(.+)" HTTP_IF_NONE_MATCH=$1 SetEnvIfNoCase ^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1 SetEnvIfNoCase ^Connection$ "(.+)" HTTP_CONNECTION=$1 SetEnvIfNoCase ^Keep-Alive$ "(.+)" HTTP_KEEP_ALIVE=$1 SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1 SetEnvIfNoCase ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1
Stop hotlinking
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?askapache.com/.*$ [NC]
RewriteRule \.(gif|jpg|swf|flv|png)$ http://www.askapache.com/feed.gif [R=302,L]Turn logging off for IP
SecFilterSelective REMOTE_ADDR "208\.113\.183\.103" "nolog,noauditlog,pass"
Turn logging on for IP
SecFilterSelective REMOTE_ADDR "!^208\.113\.183\.103" "nolog,noauditlog,pass" SecFilterSelective REMOTE_ADDR "208\.113\.183\.103" "log,auditlog,pass"
Advanced Mod_Rewrite Examples
Here are some specific examples taken mostly from my WordPress Password Protection plugin, that also does alot more than password protection as you can see from the following mod_rewrite examples. These are a few of the mod_rewrite uses that BlogSecurity declared pushed the boundaries of Mod_Rewrite! Some of these snippets are quite exotic and unlike anything you may have seen before, also only for those who understand them as they can kill a website pretty quick.
Directory Protection
Enable the DirectoryIndex Protection, preventing directory index listings and defaulting. [Disable]
Options -Indexes DirectoryIndex index.html index.php /index.php
Password Protect wp-login.php
Requires a valid user/pass to access the login page[401]
<Files wp-login.php> Order Deny,Allow Deny from All Satisfy Any AuthName "Protected By AskApache" AuthUserFile /home/askapache.com/.htpasswda1 AuthType Basic Require valid-user </Files>
Password Protect wp-admin
Requires a valid user/pass to access any non-static (css, js, images) file in this directory.[401]
Options -ExecCGI -Indexes +FollowSymLinks -Includes DirectoryIndex index.php /index.php Order Deny,Allow Deny from All Satisfy Any AuthName "Protected By AskApache" AuthUserFile /home/askapache.com/.htpasswda1 AuthType Basic Require valid-user <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$"> Allow from All </FilesMatch> <FilesMatch "(async-upload)\.php$"> <IfModule mod_security.c> SecFilterEngine Off </IfModule> Allow from All </FilesMatch>
Protect wp-content
Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [401]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .* - [F,NS,L]Protect wp-includes
Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [403]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS,L]Common Exploits
Block common exploit requests with 403 Forbidden. These can help alot, may break some plugins. [403]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]Stop Hotlinking
Denies any request for static files (images, css, etc) if referrer is not local site or empty. [403]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_REFERER} !^http://www.askapache.com.*$ [NC]
RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS,L]Safe Request Methods
Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD[403]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .* - [F,NS,L]Forbid Proxies
Denies any POST Request using a Proxy Server. Can still access site, but not comment. See Perishable Press [403]
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]Real wp-comments-post.php
Denies any POST attempt made to a non-existing wp-comments-post.php[403]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]HTTP PROTOCOL
Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only[403]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* - [F,NS,L]SPECIFY CHARACTERS
Denies any request for a url containing characters other than “a-zA-Z0-9.+/-?=&” – REALLY helps but may break your site depending on your links. [403]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]BAD Content Length
Denies any POST request that doesnt have a Content-Length Header[403]
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteCond %{REQUEST_URI} !^/(wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]BAD Content Type
Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data[403]
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]Missing HTTP_HOST
Denies requests that dont contain a HTTP HOST Header.[403]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_HOST} ^$
RewriteRule .* - [F,NS,L]Bogus Graphics Exploit
Denies obvious exploit using bogus graphics[403]
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]No UserAgent, Not POST
Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING. [403]
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]No Referer, No Comment
Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING. [403]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule .* - [F,NS,L]Trackback Spam
Denies obvious trackback spam. See Holy Shmoly! [403]
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]Map all URIs except those corresponding to existing files to a handler
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteRule . /script.phpMap any request to a handler
In the case where all URIs should be sent to the same place (including potentially requests for static content) the method to use depends on the type of the handler. For php scripts, use:
For other handlers such as php scripts, use:
For other handlers such as php scripts, use:
RewriteEngine On
RewriteCond %{REQUEST_URI} !=/script.php
RewriteRule .* /script.phpAnd for CGI scripts:
ScriptAliasMatch .* /var/www/script.cgi
Map URIs corresponding to existing files to a handler instead
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
RewriteCond %{REQUEST_URI} !=/script.php
RewriteRule .* /script.phpIf the existing files you wish to have handled by your script have a common set of file extensions distinct from that of the hander, you can bypass mod_rewrite and use instead mod_actions. Let’s say you want all .html and .tpl files to be dealt with by your script:
Action foo-action /script.php AddHandler foo-action html tpl
Deny access if var=val contains the string foo.
RewriteCond %{QUERY_STRING} foo
RewriteRule ^/url - [F]Removing the Query String
RewriteRule ^/url /url?
Adding to the Query String
Keep the existing query string using the Query String Append flag, but add var=val to the end.
RewriteRule ^/url /url?var=val [QSA]
Rewriting For Certain Query Strings
Rewrite URLs like http://askapache.com/url1?var=val to http://askapache.com/url2?var=val but don’t rewrite if val isn’t present.
RewriteCond %{QUERY_STRING} val
RewriteRule ^/url1 /url2Modifying the Query String
Change any single instance of val in the query string to other_val when accessing /path. Note that %1 and %2 are back-references to the matched part of the regular expression in the previous RewriteCond.
RewriteCond %{QUERY_STRING} ^(.*)val(.*)$
RewriteRule /path /path?%1other_val%2O arquivo .htaccess, que no linux é um arquivo oculto (inicia com ponto), é um arquivo muito útil para a administração de segurança e vários outros recursos em sites. Em especial quando não temos acesso direto às configurações do Apache.
Veja alguns dos seus vários e úteis usos. Alguém já disse: "Use e abuse do .htaccess, pois ele é seu amigo."
Se por exemplo você quer que o diretório onde você colocou o .htaccess liste os arquivos caso não haja um index.html da vida, você adiciona o seguinte no .htaccess:
Obs.: no caso acima somente permite acesso pelo cpanel, ftp ou outro, nunca pela web.
Arquivo http://www.site.com/antigo/teste.png será redirecionado para http://www.site.com/novo/teste.png
Muitos scripts de ataque são criados em Perl, portanto para bloquear perl e outros bots para que não acessem seu site, adicione o código abaixo em um .htaccess (no raiz do domínio):
Caso não esteja usando scripts em Perl em seu site adicione um "bogus handler" para estes scripts no .htaccess:
Adicione ao final do .htaccess
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
Criando um sistema de detecção de intrusão com o .htaccess
URL encoding attacks such as SQL injection, white space, javascript, etc and redirects the URL to log.php. Log.php will then alert you via email.
http://www.hackosis.com/simple-htaccess-intrusion-detection-system/
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\"|%22).*(\>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (javascript:).*(\;).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (\;|\’|\"|\%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteRule (,|;|<|>|’|`) /log.php [NC]
Criar o arquivo lop.php no raiz do site. Mudar o e-mail admin@site.com para receber a notificação:
<?php
$r= $_SERVER['REQUEST_URI'];
$q= $_SERVER['QUERY_STRING'];
$i= $_SERVER['REMOTE_ADDR'];
$u= $_SERVER['HTTP_USER_AGENT'];
$mess = $r . ' | ' . $q . ' | ' . $i . ' | ' .$u;
mail(" admin@site.com","bad request",$mess,"from: bot@site.com");
echo "Hot Damn!";
?>
Nenhum comentário:
Postar um comentário