GO Software Pty Limited Map: 27 Tacoma Blvd, Pasadena SA 5042 ABN: ACN:

Transcription

1 GO Software Pty Limited Map: 27 Tacoma Blvd, Pasadena SA 5042 Phn: Fax: none ABN: ACN: Eml: Web:

2 order allow,deny allow from all deny from.microsoft.com deny from.evil-hackers.org Protecting Content With.htaccess Files.htaccess Files on Web Sites Some of this info came from Options All Indexes <IfModule mod_autoindex.c> IndexOptions FancyIndexing IconHeight=16 IconWidth=16 </ifmodule> # To enable password protection remove the # symbols from the code below # #AuthName "Westech Downloads" #AuthUserFile "/home/gos50046/.htpasswds/public_html/westech/passwd" #require valid-user # //Preventing Directory Listing any filename of the specified extension IndexIgnore *.zip *.Zip *.zip *.ZIp *.zip *.ZIP *.RAR *.Rar *.rar *.rar *.RAr *.rar *.pdf *.Pdf *.pdf *.PDf *.pdf *.PDF.htaccess files are very versatile, and can easily become very complex. This document contains enough information to set simple access restrictions/limits on a directory in your web space. Remember to upload.htaccess files, and.htpasswd files using ASCII mode. This is an option is available in most FTP clients. Username/Password Protection This schema will prompt web users to enter a CASE SENSITIVE username/password pair before serving any content within the directory containing the.htaccess file. In the simplest of cases there are two files involved, the.htaccess file, and the password file. The password file is a text file containing a username and an encrypted password, seperated by a colon. You can use one password file for many.htaccess files. The entries can be generated here. The.htaccess file would be placed in the directory that needs password protection, and would look something like this: Option Details This description will appear in the login screen. Multiple words require quotes. Just a line that is required. Start of the limit tag. This will set limits on GET's and POST's. require valid-user Sets area restrictions such that the user must have a valid login. End of the limit tag. If you are using one password file for multiple.htaccess files, and would like certain users to have access to some areas, but not others, you may want to try one of the following: a. specify the users by using require user userid: require user cisco require user bob require user tim b. setup a group file. This requires you to specify AuthGroupFile. You can now require group whatever. eg AuthUserFile /usr/ppp/l/lee/htpasswd AuthGroupFile /usr/ppp/l/lee/htgroup require group managers AuthGroupFile example: managers: cisco bob tim jeff kari systems: lee joe cisco sales: kari tonja Restricting by IP Address This only requires the.htaccess file. There are two approaches to restricting by IP address: a. Deny everyone access, then allow certain hosts/ip addresses order deny,allow allow from allow from.golden.net allow from proxy.aol.com allow from fish.wiretap.net b. Allow everyone except for certain hosts/ip addresses

3 deny from deny from morphine.wiretap.net More Examples Try crunching the above together into one: a. Only managers can view this page from a.golden.net IP address:.htaccess example: AuthUserFile /usr/ppp/l/lee/htpasswd AuthGroupFile /usr/ppp/l/lee/htgroup order deny,allow allow from.golden.net require group managers AuthGroupFile Example: managers: cisco bob tim jeff kari systems: lee joe cisco sales: kari tonja b. Managers can view this page from anywhere, everyone else must be from a golden.net IP address:.htaccess: AuthUserFile /usr/ppp/l/lee/htpasswd AuthGroupFile /usr/ppp/l/lee/htgroup Satisfy Any Default is Satisfy ALL order deny,allow allow from.golden.net require group managers AuthGroupFile: managers: cisco bob tim jeff kari systems: lee joe cisco sales: kari tonja Error Documents This seems to be what people think.htaccess was meant for, but it is only part of the general use. We'll be getting into progressively more advanced stuff after this. Successful Client Requests 200 OK 201 Created 202 Accepted 203 Non-Authorative Information 204 No Content 205 Reset Content 206 Partial Content Client Request Redirected 300 Multiple Choices 301 Moved Permanently 302 Moved Temporarily 303 See Other 304 Not Modified 305 Use Proxy Server Errors 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable 504 Gateway Timeout 505 HTTP Version Not Supported Client Request Errors 400 Bad Request 401 Authorization Required 402 Payment Required (not used yet) 403 Forbidden 404 Not Found 405 Method Not Allowed 406 Not Acceptable (encoding) 407 Proxy Authentication Required 408 Request Timed Out 409 Conflicting Request 410 Gone 411 Content Length Required 412 Precondition Failed 413 Request Entity Too Long 414 Request URI Too Long 415 Unsupported Media Type In order to specify your own ErrorDocuments, you need to be slightly familiar with the server returned error codes. You do not need to specify error pages for all of these, in fact you shouldn't as an ErrorDocument for code 200 would cause an infinite loop, whenever a page was found (not good). You will probably want to create an error document for codes 404 and 500, at the least 404 since this would give you a chance to handle requests for pages not found and 500 would help you out with internal server errors in any scripts you have running. You may also want to consider ErrorDocuments for Authorization Required (as in when somebody tries to enter a protected area of your site without the proper credentials), Forbidden (as in when a file with permissions not allowing it to be accessed by the user is requested) and Bad Request, which is one of those generic kind of errors that people get to by doing some weird stuff with your URL or scripts. In order to specify your own customized error documents, you simply need to add the following command, on one line, within your.htaccess file: ErrorDocument code /directory/filename.ext

4 eg ErrorDocument 404 /errors/notfound.html would cause any error code resulting in 404 to be forward to yoursite.com/errors/notfound.html Likewise with: ErrorDocument 500 /errors/internalerror.html You can name the pages anything you want (I'd recommend something that would prevent you from forgetting what the page is being used for). You can place the error pages anywhere you want within your site, so long as they are web-accessible (through a URL). The initial slash in the directory location represents the root directory of your site, that being where your default page for your first-level domain is located. I typically prefer to keep them in a separate directory for maintenance purposes and in order to better control spiders indexing them through a ROBOTS.TXT file, but it is entirely up to you. If you were to use an error document handler for each of the error codes I mentioned, the.htaccess file would look like the following (note each command is on its own line): ErrorDocument 400 /errors/badrequest.html ErrorDocument 401 /errors/authreqd.html ErrorDocument 403 /errors/forbid.html ErrorDocument 404 /errors/notfound.html ErrorDocument 500 /errors/serverr.html You can specify a full URL rather than a virtual URL in the ErrorDocument string ( vs. /errors/notfound.html) but this is not the preferred method by the server's happiness standards. You can also specify HTML, believe it or not! ErrorDocument 401 "<body bgcolor=#ffffff><h1>you have to actually <b>be</b> a <a href="#">member</a> to view this page, Colonel! The only time I use that HTML option is if I am feeling particularly saucy, since you can have so much more control over the error pages when used in conjunction with xssi or CGI or both. Also note that the ErrorDocument starts with a " just before the HTML starts, but does not end with one...it shouldn't end with one and if you do use that option, keep it that way. And again, that should all be on one line, no naughty word wrapping! Next, we are moving on to password protection, that last frontier before I dunk you into the true capabilities of.htaccess. If you are familiar with setting up your own password protected directories via.htaccess, you may feel like skipping ahead. Password protection Ever wanted a specific directory in your site to be available only to people who you want it to be available to? Ever got frustrated with the seeming holes in client-side options for this that allowed virtually anyone with enough skill to mess around in your source to get in?.htaccess is the answer! There are numerous methods to password protecting areas of your site, some server language based (such as ASP, PHP or PERL) and client side based, such as JavaScript. JavaScript is not as secure or foolproof as a server-side option, a server side challenge/response is always more secure than a client dependant challenge/response..htaccess is about as secure as you can or need to get in everyday life, though there are ways above and beyond even that of.htaccess. If you aren't comfortable enough with.htaccess, you can password protect your pages any number of ways, and JavaScript Kit has plenty of password protection scripts for your use. The first thing you will need to do is create a file called.htpasswd. I know, you might have problems with the naming convention, but it is the same idea behind naming the.htaccess file itself, and you should be able to do that by this point. In the.htpasswd file, you place the username and password (which is encrypted) for those whom you want to have access. For example, a username and password of wsabstract (and I do not recommend having the username being the same as the password), the htpasswd file would look like this: wsabstract:y4e7ep8e7eyv Notice that it is UserName first, followed by the Password. There is a handy-dandy tool available for you to easily encrypt the password into the proper encoding for use in the httpasswd file. For security, you should not upload the htpasswd file to a directory that is web accessible (yoursite.com/.htpasswd), it should be placed above your www root directory. You'll be specifying the location to it later on, so be sure you know where you put it. Also, this file, as with.htaccess, should be uploaded as ASCII and not BINARY. Create a new.htaccess file and place the following code in it: AuthUserFile /usr/local/you/safedir/.htpasswd AuthGroupFile /dev/null AuthName EnterPassword require user wsabstract The first line is the full server path to your htpasswd file. If you have installed scripts on your server, you should be familiar with this. Please note that this is not a URL, this is a server path. Also note that if you place this.htaccess file in your root directory, it will password protect your entire site, which probably isn't your exact goal. The second to last line require user is where you enter the username of those who you want to have access to that portion of your site. Note that using this will allow only that specific user to be able to access that directory. This applies if you had an htpasswd file that had multiple users setup in it and you wanted each one to have access to an individual directory. If you wanted the entire list of users to have access to that directory, you would replace Require user xxx with require valid-user. The AuthName is the name of the area you want to access. It could anything, such as "EnterPassword". You can change the name of this 'realm' to whatever you want, within reason. We are using because we are using basic HTTP authentication. Blocking users by IP Is there a pesky person perpetrating pain upon you? Stalking your site from the vastness of the electron void? Blockem! In your.htaccess file, add the following code--changing the IPs to suit your needs--each command on one line each: order allow,deny deny from

5 deny from allow from all You can deny access based upon IP address or an IP block. The above blocks access to the site from , and from any sub domain under the IP block ( , , , etc.) I have yet to find a useful application of this, maybe if there is a site scraping your content you can block them, who knows. You can also set an option for, which would of course deny everyone. You can also allow or deny by domain name rather than IP address (allow from.javascriptkit.com Change your default directory page Some of you may be wondering, just what in the world is a DirectoryIndex? Well, grasshopper, this is a command which allows you to specify a file that is to be loaded as your default page whenever a directory or url request comes in, that does not specify a specific page. Tired of having yoursite.com/index.html come up when you go to yoursite.com? Want to change it to be yoursite.com/ilikepizzasteve.html that comes up instead? No problem! DirectoryIndex filename.html This would cause filename.html to be treated as your default page, or default directory page. You can also append other filenames to it. You may want to have certain directories use a script as a default page. That's no problem too! DirectoryIndex filename.html index.cgi index.pl default.htm Placing the above command in your.htaccess file will cause this to happen: When a user types in yoursite.com, your site will look for filename.html in your root directory (or any directory if you specify this in the global.htaccess), and if it finds it, it will load that page as the default page. If it does not find filename.html, it will then look for index.cgi; if it finds that one, it will load it, if not, it will look for index.pl and the whole process repeats until it finds a file it can use. Basically, the list of files is read from left to right. Every once in a while, I use this method for the following needs: Say I keep all my include files in a directory called include, and that I keep all my image files in a directory called images, I don't want people to be able to directory browse through them (even though we can prevent that through another.htaccess trick, more later). I would specify a DirectoryIndex entry, in a specific.htaccess file for those two directories, for /redirect/index.pl that is a redirect page (as explained here) that redirects a request for those directories to be sent to the homepage. Or I could just specify a directory index of index.pl and upload an index.pl file to each of those directories. Or I could just stick in an.htaccess redirect page, which is our next subject! Redirects Ever go through the nightmare of changing significantly portions of your site, then having to deal with the problem of people finding their way from the old pages to the new? It can be nasty. There are different ways of redirecting pages, through http-equiv, javascript or any of the server-side languages. And then you can do it through.htaccess, which is probably the most effective, considering the minimal amount of work required to do it..htaccess uses redirect to look for any request for a specific page (or a non-specific location, though this can cause infinite loops) and if it finds that request, it forwards it to a new page you have specified: Redirect /olddirectory/oldfile.html Note that there are 3 parts to that, which should all be on one line : the Redirect command, the location of the file/directory you want redirected relative to the root of your site (/olddirectory/oldfile.html=yoursite.com/olddirectory/oldfile.html) and the full URL of the location you want that request sent to. Each of the 3 is separated by a single space, but all on one line. You can also redirect an entire directory by simple using Redirect /olddirectory Using this method, you can redirect any number of pages no matter what you do to your directory structure. It is the fastest method that is a global effect. Prevent viewing of.htaccess file If you use.htaccess for password protection, then the location containing all of your password information is plainly available through the.htaccess file. If you have set incorrect permissions or if your server is not as secure as it could be, a browser has the potential to view an.htaccess file through a standard web interface and thus compromise your site/server. This, of course, would be a bad thing. However, it is possible to prevent an.htaccess file from being viewed in this manner: <Files.htaccess> order allow,deny </Files> The first line specifies that the file named.htaccess is having this rule applied to it. You could use this for other purposes as well if you get creative enough. If you use this in your.htaccess file, a person trying to see that file would get returned (under most server configurations) a 403 error code. You can also set permissions for your.htaccess file via CHMOD, which would also prevent this from happening, as an added measure of security: 644 or RW-R--R-- Adding MIME Types What if your server wasn't set up to deliver certain file types properly? A common occurrence with MP3 or even SWF files. Simple enough to fix: AddType application/x-shockwave-flash swf AddType is specifying that you are adding a MIME type. The application string is the actual parameter of the MIME you are adding, and the final little bit is the default extension for the MIME type you just added, in our example this is swf for ShockWave File. By the way, here's a neat little trick that few know about, but you get to be part of the club since JavaScript Kit loves you: To force a file to be downloaded, via the Save As browser feature. You can simply set a MIME type to application/octet-stream and that immediately prompts you for the download. I have no idea how that would be useful, but that question has come up in our Forums from time to time, so there ya' go. Preventing hot linking of images and other file types Note: This portion of tutorial written by JavaScript Kit

6 In the webmaster community, "hot linking" is a curse phrase. Also known as "bandwidth stealing" by the angry site owner, it refers to linking directly to non-html objects not on one own's server, such as images,.js files etc. The victim's server in this case is robbed of bandwidth (and in turn money) as the violator enjoys showing content without having to pay for its deliverance. The most common practice of hot linking pertains to another site's images. Using.htaccess, you can disallow hot linking on your server, so those attempting to link to an image or CSS file on your site, for example, is either blocked (failed request, such as a broken image) or served a different content (ie: an image of an angry man). Note that mod_rewrite needs to be enabled on your server in order for this aspect of.htaccess to work. Inquire your web host regarding this. With all the pieces in place, here's how to disable hot linking of certain file types on your site, in the case below, images, JavaScript (js) and CSS (css) files on your site. Simply add the below code to your.htaccess file, and upload the file either to your root directory, or a particular subdirectory to localize the effect to just one section of your site: RewriteEngine on RewriteCond %{HTTP_REFERER}!^$ RewriteCond %{HTTP_REFERER}!^ [NC] RewriteRule \.(gif jpg js css)$ - [F] Be sure to replace "mydomain.com" with your own. The above code creates a failed request when hot linking of the specified file types occurs. In the case of images, a broken image is shown instead. Serving alternate content when hot linking is detected You can set up your.htaccess file to actually serve up different content when hot linking occurs. This is more commonly done with images, such as serving up an Angry Man image in place of the hot linked one. The code for this is: RewriteEngine on RewriteCond %{HTTP_REFERER}!^$ RewriteCond %{HTTP_REFERER}!^ [NC] RewriteRule \.(gif jpg)$ [R,L] Same deal- replace mydomain.com with your own, plus angryman.gif. Time to pour a bucket of cold water on hot linking! Preventing Directory Listing Do you have a directory full of images or zips that you do not want people to be able to browse through? Typically a server is setup to prevent directory listing, but sometimes they are not. If not, become self-sufficient and fix it yourself: IndexIgnore * The * is a wildcard that matches all files, so if you stick that line into an.htaccess file in your images directory, nothing in that directory will be allowed to be listed. On the other hand, what if you did want the directory contents to be listed, but only if they were HTML pages and not images? Simple says I: IndexIgnore *.gif *.jpg This would return a list of all files not ending in.jpg or.gif, but would still list.txt,.html, etc. And conversely, if your server is setup to prevent directory listing, but you want to list the directories by default, you could simply throw this into an.htaccess file the directory you want displayed: Options +Indexes If you do use this option, be very careful that you do not put any unintentional or compromising files in this directory. And if you guessed it by the plus sign before Indexes, you can throw in a minus sign (Options -Indexes) to prevent directory listing entirely. This is typical of most server setups and is usually configured elsewhere in the apache server, but can be overridden through.htaccess. If you really want to be tricky, using the +Indexes option, you can include a default description for the directory listing that is displayed when you use it by placing a file called HEADER in the same directory. The contents of this file will be printed out before the list of directory contents is listed. You can also specify a footer, though it is called README, by placing it in the same directory as the HEADER. The README file is printed out after the directory listing is printed. Copyright 2014 by GO Software Pty Limited