http://perishablepress.com/stupid-htaccess-tricks/#sec6
Set the default language and character set

Here is an easy way to set the default language for pages served by your server (edit the language to suit your needs):

```apache
# set the default language
DefaultLanguage en-US
```

Likewise, here we are setting the default character set (edit to taste):

```apache
# set the default character set
AddDefaultCharset UTF-8
```

Declare specific/additional MIME types

```apache
# add various mime types
AddType application/x-shockwave-flash .swf
AddType video/x-flv .flv
AddType image/x-icon .ico
```

Send character set and other headers without meta tags

```apache
# send the language tag and default character set
# AddType 'text/html; charset=UTF-8' html
AddDefaultCharset UTF-8
DefaultLanguage en-US
```

Limit server request methods to GET and PUT

The version of this rule that is usually copied around denies a fixed list of methods (TRACE, TRACK, OPTIONS and HEAD) rather than limiting the server to GET and PUT, and HEAD is a harmless method that caches and monitoring tools depend on. To really limit requests to GET and PUT, deny everything that is not one of them (a negated allowlist); this also covers TRACE, TRACK and any unexpected verb. Extend the list (for example with POST) to whatever your application actually needs, or forms will start returning 403:

```apache
# limit server request methods to GET and PUT
# (-All already switches every option off; -ExecCGI -Indexes are kept for explicitness)
Options -ExecCGI -Indexes -All
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|PUT)$
RewriteRule .* - [F]
```

This needs mod_rewrite loaded and an AllowOverride that permits FileInfo in the directory. TRACE itself is better switched off server-wide with TraceEnable off, which is a server-configuration directive and cannot be set from htaccess.

Selectively process files according to server request method

```apache
# process files according to server request method
Script PUT /cgi-bin/upload.cgi
Script GET /cgi-bin/download.cgi
```

Execute various file types through a cgi script

For those special occasions where certain file types need to be processed with some specific cgi script, let 'em know who sent ya (both this and the Script directive above come from mod_actions and need ExecCGI enabled for the cgi-bin directory):

```apache
# execute all png files via png-script.cgi
Action image/png /cgi-bin/png-script.cgi
```

Security
Prevent Access to .htaccess

Add the following code block to your htaccess file to add an extra layer of security. Any attempt to request the htaccess file over HTTP will result in a 403 error. Of course, your first layer of defense to protect htaccess files involves setting htaccess file permissions via CHMOD to 644, so that only the owner can write them. Apache's stock configuration already ships an equivalent block for every file whose name starts with ".ht" (which is what protects .htpasswd as well), so this rule matters mainly on hosts that have removed or altered that default:

```apache
# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
```

On Apache 2.4 the Order, Allow and Deny directives are provided by mod_access_compat; the native 2.4 form is a Require all denied line, and the two styles should not be mixed within one block.
Prevent Access to a Specific File

To restrict access to a specific file, add the following code block and edit the file name, "secretfile.jpg", with the name of the file that you wish to protect:

```apache
# prevent viewing of a specific file
<Files secretfile.jpg>
order allow,deny
deny from all
</Files>
```

Prevent access to multiple file types

To restrict access to a variety of file types, add the following code block and edit the file types within the parentheses to match the extensions of any files that you wish to protect (ext1, ext2 and ext3 are placeholders). The directive takes a regular expression, so escape the dot and anchor with $ so that only the real extension is tested; remember that editor backups and copies such as file.php~ or file.php.bak carry different extensions and need entries of their own:

```apache
# prevent viewing of the listed file types
<FilesMatch "\.(ext1|ext2|ext3)$">
Order Allow,Deny
Deny from all
</FilesMatch>
```

Prevent Unauthorized Directory Browsing
Prevent unauthorized directory browsing by instructing the server to return a "403 Forbidden" response for any request to list a directory. For example, if your site is missing its default index page, everything within the root of your site will be listed for all visitors (the files themselves stay reachable by direct URL; this only hides the index). To prevent this, include the following htaccess rule:

```apache
# disable directory browsing
Options -Indexes
```

The widely copied form "Options All -Indexes" should not be used: Apache rejects a directive that mixes an absolute option (All) with a relative one (-Indexes) as a syntax error, which in an htaccess file means every request gets a 500, and even if it were accepted, "All" would switch on ExecCGI, Includes and FollowSymLinks at the same time, the opposite of a hardening step. Conversely, to enable directory browsing, use the following directive:

```apache
# enable directory browsing
Options +Indexes
```

Likewise, this rule keeps the listing page but removes every entry from it:

```apache
# prevent folder listing
IndexIgnore *
```

And, finally, the IndexIgnore directive may be used to prevent the display of select file types (".etc" stands for any further extensions you wish to hide):

```apache
# prevent display of select file types
IndexIgnore *.wmv *.mp4 *.avi *.etc
```

Change Default Index Page
This rule tells the server to search for and serve "business.html" as the default directory index. This rule must exist in the htaccess file of the directory for which you wish to replace the default index file (e.g., "index.html"); it also applies to that directory's subdirectories unless they override it:

```apache
# serve alternate default index page
DirectoryIndex business.html
```

This rule is similar, only in this case the server will look in the requested directory for the listed files and serve the first match it encounters. The list is read from left to right:

```apache
# serve first available alternate default index page from series
DirectoryIndex filename.html index.cgi index.pl default.htm
```

Disguise Script Extensions
Disguise scripting languages by mapping a dummy extension of your choosing onto the real handler. For example, to have files ending in ".foo" executed as PHP, add the following line to your htaccess file and rename all affected files accordingly:

```apache
# serve foo files as php files
AddType application/x-httpd-php .foo

# serve foo files as cgi files
AddType application/x-httpd-cgi .foo
```

Two caveats. This is obscurity, not access control: the response still betrays PHP through headers and behaviour, and the scripts remain just as executable under their new names. And the mapping is host-specific: the application/x-httpd-php type works with mod_php, while PHP-FPM or FastCGI setups bind PHP to a different handler name (check the host's own directive), so test on one file before renaming everything. The cgi line is the old MIME-type form; the documented modern equivalent is an AddHandler cgi-script line, and either way the directory needs ExecCGI enabled and an AllowOverride that permits it.

Limit Access to the Local Area Network (LAN)
The 192.168.0.0/16 block is the private range reserved for LANs. A prefix length must lie between 0 and 32; a value such as /33 is a syntax error that Apache refuses, which in an htaccess file turns every request into a 500:

```apache
# limit access to local area network
order deny,allow
deny from all
allow from 192.168.0.0/16
```

Secure Directories by IP Address and/or Domain
In the following example, all IP addresses are allowed access except for 203.0.113.45 and domain.com. A host-name operand is a plain suffix match (domain.com also covers every sub.domain.com), not a regular expression, and to evaluate it Apache performs a double reverse DNS lookup on the client address for every request regardless of HostnameLookups, so it is slow and only as reliable as the client's PTR record:

```apache
# allow all except those indicated here
order allow,deny
allow from all
deny from 203.0.113.45
deny from domain.com
```

In the following example, all IP addresses are denied access except for 203.0.113.45 and domain.com:

```apache
# deny all except those indicated here
order deny,allow
deny from all
allow from 203.0.113.45
allow from domain.com
```

This is how to block unwanted visitors based on the referring domain. You can also save bandwidth by blocking specific file types, such as .jpg, .zip, .mp3 or .mpg, from specific referring domains. Simply replace "scumbag" and "wormhole" with the offending domains of your choice. Mind the flags: every condition except the last carries [OR]. A trailing [OR] on the final RewriteCond leaves the chain without a terminating condition, and mod_rewrite then treats it as satisfied for every request, so the rule would hand a 403 to all of your visitors:

```apache
# block visitors referred from indicated domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} scumbag\.com [NC,OR]
RewriteCond %{HTTP_REFERER} wormhole\.com [NC]
RewriteRule .* - [F]
```

The Referer header is supplied by the client, so this stops casual hotlinking and careless bots, not an adversary who simply omits or forges it.
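The condition-flag behaviour relied on by the request-method and referer rules above can be checked without a running Apache. The following Python is an added example, not code from the original article or from Apache: it reproduces the condition loop of mod_rewrite's rule evaluation (conditions are ANDed unless flagged [OR]; a false [OR] condition moves on to the next alternative, a true one skips to the end of its chain) and parses the two snippet styles. The htaccess fragments and the request dictionaries are constructed for the demonstration, and only %{VAR} lookups, the leading "!" negation and the NC/OR flags are modelled, not back-references or RewriteRule substitutions.

```python
"""Model of mod_rewrite's RewriteCond evaluation, including the [OR] flag.

Added example, not code from the original article or from Apache. It mirrors
the condition loop of mod_rewrite's rule evaluation: conditions are ANDed
unless one carries [OR]; a false [OR] condition moves on to the next one, a
true [OR] condition skips to the end of its OR chain. Assumption: only
%{VAR} lookups, "!" negation and the NC/OR flags are modelled.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# RewriteCond %{VAR} pattern [flags]   (the flag group is optional)
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")
FLAG_ALIASES = {"NOCASE": "NC", "ORNEXT": "OR"}


@dataclass
class Cond:
    var: str                          # server variable, e.g. HTTP_REFERER
    pattern: str                      # regex; a leading "!" negates the match
    flags: Set[str] = field(default_factory=set)


def parse_conds(htaccess_text: str) -> List[Cond]:
    """Collect the RewriteCond lines of a snippet, in order."""
    conds = []
    for line in htaccess_text.splitlines():
        m = COND_RE.match(line)
        if not m:
            continue                  # RewriteEngine, RewriteRule, comments
        raw_flags = (m.group(3) or "").split(",")
        flags = {FLAG_ALIASES.get(f.strip().upper(), f.strip().upper())
                 for f in raw_flags if f.strip()}
        conds.append(Cond(m.group(1), m.group(2), flags))
    return conds


def cond_matches(cond: Cond, request: Dict[str, str]) -> bool:
    """Evaluate one condition against the request's variables."""
    value = request.get(cond.var, "")          # unset variable compares as ""
    pattern = cond.pattern
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    flags = re.IGNORECASE if "NC" in cond.flags else 0
    hit = re.search(pattern, value, flags) is not None
    return (not hit) if negate else hit


def rule_applies(conds: List[Cond], request: Dict[str, str]) -> bool:
    """True when the RewriteRule guarded by these conditions would fire."""
    i, n = 0, len(conds)
    while i < n:
        c = conds[i]
        rc = cond_matches(c, request)
        if "OR" in c.flags:
            if not rc:
                i += 1                # this alternative failed; try the next
                continue
            while i < n and "OR" in conds[i].flags:
                i += 1                # alternative matched; skip rest of chain
            i += 1                    # and step past the chain's terminator
            continue
        if not rc:
            return False              # an ANDed condition failed
        i += 1
    # Falling off the end means "conditions satisfied". That includes the case
    # where every [OR] alternative was false but the chain had no terminating
    # condition, which is why a trailing [OR] makes the rule match everything.
    return True


def is_forbidden(htaccess_text: str, request: Dict[str, str]) -> bool:
    """Would a 'RewriteRule .* - [F]' guarded by this snippet return 403?"""
    return rule_applies(parse_conds(htaccess_text), request)


# Constructed fragments. REFERER_BLOCK_TRAILING_OR has the [OR] on its last line.
REFERER_BLOCK_TRAILING_OR = r"""
RewriteEngine on
RewriteCond %{HTTP_REFERER} scumbag\.com [NC,OR]
RewriteCond %{HTTP_REFERER} wormhole\.com [NC,OR]
RewriteRule .* - [F]
"""
REFERER_BLOCK = r"""
RewriteEngine on
RewriteCond %{HTTP_REFERER} scumbag\.com [NC,OR]
RewriteCond %{HTTP_REFERER} wormhole\.com [NC]
RewriteRule .* - [F]
"""
METHOD_ALLOWLIST = r"""
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|PUT)$
RewriteRule .* - [F]
"""

if __name__ == "__main__":
    innocent = {"HTTP_REFERER": "https://example.org/page", "REQUEST_METHOD": "GET"}
    print("trailing [OR], innocent referer ->", is_forbidden(REFERER_BLOCK_TRAILING_OR, innocent))
    print("fixed chain,   innocent referer ->", is_forbidden(REFERER_BLOCK, innocent))
    print("fixed chain,   WORMHOLE.COM     ->", is_forbidden(REFERER_BLOCK, {"HTTP_REFERER": "http://WORMHOLE.COM/"}))
    print("allowlist,     TRACE            ->", is_forbidden(METHOD_ALLOWLIST, {"REQUEST_METHOD": "TRACE"}))
```

Running it shows the trailing-[OR] fragment forbidding a request with an unrelated referer, while the corrected chain only fires on the listed domains (case-insensitively, via NC) and the method allowlist rejects TRACE but passes GET.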
Prevent or allow domain access for a specified range of IP addresses

There are several effective ways to block a range of IP addresses via htaccess. This first method blocks an IP range specified by its CIDR (Classless Inter-Domain Routing) prefix. It is useful when abuse keeps arriving from one provider's allocation. If, for example, you find yourself adding line after line of Apache deny directives for addresses beginning with the same first few numbers, choose one of them and try a whois lookup. The regional registry that answers (RIPE for Europe, ARIN for North America, and so on) lists the CIDR block allocated to that network, so a single deny line can cover every address the offender controls; bear in mind that the same block may also hold unrelated customers of that provider, who get blocked along with it. Here is a generalized example for blocking by CIDR (edit values to suit your needs, and write the network part as a full four-octet address):

```apache
# block IP range by CIDR number
order allow,deny
allow from all
deny from 10.1.0.0/16
deny from 80.0.0.0/8
```

Likewise, to allow an IP range by CIDR number:

```apache
# allow IP range by CIDR number
order deny,allow
deny from all
allow from 10.1.0.0/16
allow from 80.0.0.0/8
```

Another effective way to block an entire range of IP addresses involves truncating octets until the desired range is represented. As an IPv4 address is read from left to right, each octet makes it more specific. For example, a fictitious IP address of 99.88.77.66 designates one specific host. Remove the last octet (66) and the remaining 99.88.77 stands for every address beginning with those three octets: 99.88.77.0, 99.88.77.1, ... 99.88.77.255, that is, 256 addresses (the same range as 99.88.77.0/24). Remove another octet and 99.88 widens to every address 99.88.x.y, where x and y may take any value, so you would block 256*256 = 65,536 addresses (99.88.0.0/16). Following this logic, it is possible to block an entire range of IP addresses to varying degrees of specificity. Apache understands only this partial-address form; a wildcard such as 99.88.77.* is not valid syntax. Here are a few generalized lines exemplifying proper htaccess syntax (edit values to suit your needs):
```apache
# block IP range by address truncation
order allow,deny
allow from all
deny from 99.88.77.66
deny from 99.88.77
deny from 99.88
deny from 99
```

Likewise, to allow an IP range by address truncation:

```apache
# allow IP range by address truncation
order deny,allow
deny from all
allow from 99.88.77.66
allow from 99.88.77
allow from 99.88
allow from 99
```

Block or allow multiple IP addresses on one line
Save a little space by blocking multiple IP addresses or ranges on one line. Here are a few examples (edit values to suit your needs):

```apache
# block two unique IP addresses
deny from 99.88.77.66 11.22.33.44

# block three ranges of IP addresses
deny from 99.88 99.88.77 11.22.33
```

Likewise, to allow multiple IP addresses or ranges on one line:

```apache
# allow two unique IP addresses
allow from 99.88.77.66 11.22.33.44

# allow three ranges of IP addresses
allow from 99.88 99.88.77 11.22.33
```

Miscellaneous rules for blocking and allowing IP addresses
Here are a few miscellaneous rules for blocking various types of IP addresses. These rules may be adapted to allow the specified IP values by simply changing the deny directive to allow. Check 'em out (edit values to suit your needs):

```apache
# block a network via network/netmask values (the same range as 99.1.0.0/16)
deny from 99.1.0.0/255.255.0.0

# block a single address
deny from 99.88.77.66

# block domain.com but allow sub.domain.com
order deny,allow
deny from domain.com
allow from sub.domain.com
```

The last block depends on Order deny,allow: with that order an Allow match wins over a Deny match, so a client whose reverse DNS resolves to sub.domain.com gets through even though it also matches domain.com. Host-name operands cost Apache a double reverse DNS lookup per request and only work when the client's PTR record is set correctly, so prefer address-based rules where you can.
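The address-range sections above (CIDR, truncated addresses, multiple operands per line and the network/netmask form) all rest on how Apache's access module parses an Allow/Deny operand and on the precedence set by Order. The following Python is an added example, not code from the original article or from Apache: it models that parsing (all, a full address, a one-to-three-octet prefix covering 8 bits per octet, a.b.c.d/nn CIDR and network/netmask), applies the allow,deny and deny,allow precedence rules to a client address, and reports operands the module would reject (wildcard octets, regexes, octets above 255, prefix lengths above 32) instead of silently ignoring them. The htaccess fragments are constructed for the demonstration; host-name operands are listed but not resolved (assumption: no DNS available).

```python
"""Parser and checker for Apache 2.2-style Order / Allow / Deny blocks.

Added example, not code from the original article or from Apache. It models
how the access module reads an operand: "all", a full address, a partial
address of one to three octets (8 bits per given octet), a.b.c.d/nn CIDR, or
network/netmask. Operands it would reject are collected as errors. Host names
are listed, not resolved (assumption: no DNS); Apache checks them with a
double reverse lookup per request.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

ACCESS_RE = re.compile(r"^\s*(order|allow|deny)\s+(?:from\s+)?(.+?)\s*$", re.IGNORECASE)
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def parse_client_spec(spec: str) -> ipaddress.IPv4Network:
    """Return the network one Allow/Deny operand covers; ValueError if invalid."""
    if spec.lower() == "all":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, mask = spec.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"{spec!r} is not an IPv4 address, prefix or CIDR block")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))       # 99.88 -> 99.88.0.0
    if mask:
        # /nn or /m.m.m.m; ipaddress raises ValueError for /33 or a malformed netmask
        return ipaddress.IPv4Network(f"{padded}/{mask}", strict=False)
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")  # 99.88 -> /16


@dataclass
class AccessBlock:
    order: str = "deny,allow"            # Apache's default when Order is absent
    allows: List[ipaddress.IPv4Network] = field(default_factory=list)
    denies: List[ipaddress.IPv4Network] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)               # name operands, not evaluated
    errors: List[Tuple[str, str]] = field(default_factory=list)  # (offending line, reason)


def parse_access_block(text: str) -> AccessBlock:
    """Read the Order/Allow/Deny lines of an htaccess fragment into an AccessBlock."""
    block = AccessBlock()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        directive, operands = m.group(1).lower(), m.group(2)
        if directive == "order":
            block.order = operands.replace(" ", "").lower()
            if block.order not in ("allow,deny", "deny,allow"):
                block.errors.append((line.strip(), f"unsupported Order {operands!r}"))
            continue
        for spec in operands.split():                 # several operands per line are allowed
            if spec.lower() != "all" and HOST_RE.match(spec) and any(c.isalpha() for c in spec):
                block.hosts.append(spec)
                continue
            try:
                net = parse_client_spec(spec)
            except ValueError as exc:
                block.errors.append((line.strip(), str(exc)))
                continue
            (block.allows if directive == "allow" else block.denies).append(net)
    return block


def client_allowed(block: AccessBlock, client_ip: str) -> bool:
    """Apply the Order precedence to an address-based block."""
    ip = ipaddress.IPv4Address(client_ip)
    allowed = any(ip in net for net in block.allows)
    denied = any(ip in net for net in block.denies)
    if block.order == "allow,deny":
        return allowed and not denied    # default deny; a Deny match overrides Allow
    return allowed or not denied         # deny,allow: default allow; Allow overrides Deny


# Constructed fragments for the demonstration.
LAN_ONLY = """
order deny,allow
deny from all
allow from 192.168.0.0/16
"""
BLOCK_RANGES = """
order allow,deny
allow from all
deny from 10.1.0.0/16
deny from 80.0.0.0/8
deny from 99.88.77
"""
# Operands of the kind often pasted into htaccess files that the module rejects.
BAD_OPERANDS = r"""
order deny,allow
deny from all
allow from 192.168.0.0/33
deny from 12.345.67.890
deny from .*domain\.com.*
deny from 99.88.77.*
"""

if __name__ == "__main__":
    for name, text in (("LAN_ONLY", LAN_ONLY), ("BLOCK_RANGES", BLOCK_RANGES), ("BAD_OPERANDS", BAD_OPERANDS)):
        block = parse_access_block(text)
        print(name, "-> 192.168.5.9 allowed:", client_allowed(block, "192.168.5.9"))
        for line, reason in block.errors:
            print("  rejected", repr(line), "-", reason)
```

Feeding the BAD_OPERANDS fragment through parse_access_block lists all four broken lines, and because its only Allow line is among them, the block ends up denying everyone, which is exactly what a mistyped LAN rule does on a live server.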