
Thread: Creating .htaccess files

  1. #1
    Senior Member (Join Date: Nov 2001, Location: Ireland, Posts: 734)

    Creating .htaccess files

    .htaccess Files by Jethro
    -------------------------

    Index:

    o Introduction
    o Directory Browsing
    o Custom Error Messages
    o Redirection
    o User Authentication
    o Default Homepage
    o SSI Parsing
    o Blocking certain visitors.
    o The PHF Exploit
    o Example .htaccess file
    o Conclusion



    Introduction
    ------------

    The Apache web server has many environmental options that the admin can
    edit; however, in a shared environment, the users don't have access to
    the main configuration file (httpd.conf). They can, however, override
    some of these settings through the use of a file called ``.htaccess``.

    The .htaccess file is an ASCII file (so must be uploaded as ASCII, not
    BINARY) and *only* affects the directory it is in and all of its
    sub-directories. It can be created and edited in any text editor, such
    as ``vim``, ``Notepad``, etc.

    To make sure that visitors cannot view this file, set the permissions
    to rw-r--r-- (644) as your .htaccess file may contain sensitive
    information.



    Directory Browsing
    ------------------

    Options +Indexes

    This sets directory browsing on. This means, that if there is no index
    page, you will be able to see all the pages and click whichever one
    you want to enter.

    Here are some more options you can enable and disable in this manner:

    Options +Includes
    Options +FollowSymLinks
    Options +ExecCGI
    Options +MultiViews



    Custom Error Messages
    ----------------------

    ErrorDocument 404 /error.html

    This would tell the server that, instead of viewing the regular "Error
    404" page, you can set your own. Here's a list of the different error
    numbers and what they mean.

    Note: Error 402 (Payment Required) isn't utilised in Apache servers
    yet.

    400 Bad Request
    401 Authorization Required
    402 Payment Required
    403 Forbidden
    404 Not Found
    405 Method Not Allowed
    406 Not Acceptable (encoding)
    407 Proxy Authentication Required
    408 Request Timed Out
    409 Conflicting Request
    410 Gone
    411 Content Length Required
    412 Precondition Failed
    413 Request Entity Too Long
    414 Request URI Too Long
    415 Unsupported Media Type
    500 Internal Server Error
    501 Not Implemented
    502 Bad Gateway
    503 Service Unavailable
    504 Gateway Timeout
    505 HTTP Version Not Supported

    The most common errors are 400, 403, 404 and 500. Personally, I only
    like to change the Error 404 page and let Apache use its default pages
    for the others.

    Another feature is that you can use text.

    Example:

    ErrorDocument 404 "Page Not Found

    ****
    Note: There is only one (") mark, which is at the start of the text.
    ****
    Note #2: The text should not exceed a line.
    ****



    Redirection
    -----------

    Redirect permanent /myscript.php http://www.blah.com/myscript.php3

    This redirects /myscript.php to http://www.blah.com/myscript.php3. This
    is useful if you have renamed or moved a page to another directory of
    your website or to another web server completely.

    The same can be done for directories:

    Redirect permanent /old http://www.blah.com/new

    This feature (redirection) of .htaccess can be very useful, because you
    don't have to go through hundreds of pages, updating the links.



    User Authentication
    -------------------

    AuthUserFile /secret/.htpasswd
    AuthGroupFile /dev/null
    AuthName "My Secret Hideout"
    AuthType Basic

    <Limit GET POST>
    require valid-user
    </Limit>

    This feature deserves a tutorial of its own, but I'll explain it here
    anyway.

    The ``AuthUserFile`` tells the server where to find the password file.
    We'll explain that more in a minute.

    ``AuthName`` can be anything and is just used as a text string in the
    authentication process. It isn't too important.

    After you have done that, we need to create the password file. Don't
    worry if you're not using Linux, because it doesn't matter.

    When you installed Apache onto your computer, you should have gotten a
    program called "htpasswd.exe". This is located in the /bin directory.

    From the command prompt (cd to that directory), type:

    ``htpasswd -c .htpasswd <username>``

    It will then prompt you for a password. The -c switch just creates a
    new password file; from then on, you don't need it, you just need to
    type:

    ``htpasswd .htpasswd <username>``

    You can have as many usernames as you like, but it is advisable to
    restrict it to a few usernames (unless it is a feature of your website
    for registered users).

    To delete users, just delete the line in .htpasswd with their username.

    ****
    Note: The encryption method used in htpasswd is altered DES, so it can
    be cracked with a UNIX-cracker. However on Windows, you may find it
    using MD5.
    ****



    Default Homepage
    ----------------

    DirectoryIndex index.cgi index.php index.html home.html

    This sets it so the server looks for one of these files (from left to
    right) to show as the index file. The files are given precedence the
    farther left they are, so ``index.cgi`` would be looked for first,
    then ``index.php``, then ``index.html`` and finally ``home.html``. If
    none of those pages could be found, then the server will just list out
    all the files in that directory (that's where the ``Options +Indexes``
    part comes in handy).



    SSI Parsing
    -----------

    AddType text/html .html
    AddHandler server-parsed .html
    AddHandler server-parsed .htm

    This makes it so that server side includes are parsed in the following
    file types (.html, .htm). To add a file type to that list, just add
    the AddHandler file and the extension which that document type has.



    Blocking Certain Visitors
    -------------------------

    <Limit GET>
    order deny,allow
    deny from 123.456.789.000
    deny from 123.456.789.
    deny from .aol.com
    allow from all
    </Limit>

    ``deny from 123.456.789.000`` denies access to the website from anybody
    from the exact IP address 123.456.789.000

    ``deny from 123.456.789.`` denies access to the website from anybody
    from the IP range 123.456.789

    ``deny from .aol.com`` denies access to the website from anybody
    connecting from ``aol.com``.



    The PHF Exploit
    ---------------

    PHF was a script installed by default on old Apache servers. Of course,
    this feature has long since been eradicated, however some people still
    attempt it in the one in a million chance that you have PHF enabled.

    ****
    Note: The exploit was very serious, as anybody who fed a newline
    character to the PHF script could run remote commands with the same
    privileges as the webserver, so anybody who found a webserver running
    with root privileges could easily access the /etc/passwd file through
    the /bin/cat command, etc.
    ****

    Even though this technique is of no danger to your machine, it's fun to
    mess around with the attacker and redirect them to either a logging
    script which logs their IP address, or to some error page which
    screams abuse at them.

    <Location /cgi-bin/phf*>
    Deny from all
    ErrorDocument 403 /log-ip.php
    </Location>

    This denies access to any phf file in the /cgi-bin/ directory and
    redirects them to /log-ip.php.



    Example .htaccess file
    ----------------------

    You can copy and paste this if you want and add/remove/edit any parts
    of it.

    ***** .htaccess *****

    Options +Indexes
    Options +MultiViews



    ErrorDocument 403 "Forbidden!!!
    ErrorDocument 404 /error.php?error=404
    ErrorDocument 500 /error.php?error=500



    Redirect permanent /links.html http://www.mysite.com/features/links.php



    AuthUserFile /users/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Jethro's House of Love"
    AuthType Basic

    <Limit GET POST>
    require valid-user
    </Limit>



    DirectoryIndex index.php index.html /cgi-bin/index.cgi



    AddType text/html .html
    AddType text/html .htm
    AddHandler server-parsed .html
    AddHandler server-parsed .htm



    <Limit GET>
    order deny,allow
    deny from 159.132.216.
    allow from all
    </Limit>



    <Location /cgi-bin/phf*>
    Deny from all
    ErrorDocument 403 /cgi-bin/fakephp.cgi
    </Location>


    ***************************************



    Conclusion
    ----------

    As you can see, .htaccess files can be a useful tool in web design and
    administration.

    Have fun,
    Jethro
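    A small linter, added here as an example and not part of Jethro's post, that parses the directives this tutorial uses and flags the slips a practitioner checks for before uploading: an unquoted AuthName containing spaces (Apache rejects it as more than one argument), a deny/allow address that is not a valid IPv4 address or dotted prefix, and a require placed inside <Limit>, which Apache's documentation warns restricts only the listed methods. The sample file is constructed, modelled on the example file above.

```python
import re
# Constructed sample modelled on the tutorial's directives (not the original post's file).
SAMPLE_HTACCESS = """\
Options +Indexes
ErrorDocument 404 /error.php?error=404
AuthUserFile /users/.htpasswd
AuthName Jethro's House of Love
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
<Limit GET>
order deny,allow
deny from 123.456.789.000
deny from 159.132.216.
allow from all
</Limit>
"""

def valid_ipv4_prefix(arg):
    """True for a full IPv4 address or a dotted prefix such as 159.132.216. (Apache's partial form)."""
    parts = arg.rstrip(".").split(".")
    return 1 <= len(parts) <= 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def lint_htaccess(text):
    """Return a list of (line_no, message) findings for the directives the tutorial uses."""
    findings = []
    limit_methods = None  # methods named by the enclosing <Limit>, if any
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if m:
            limit_methods = m.group(1).split()
            continue
        if line.lower() == "</limit>":
            limit_methods = None
            continue
        parts = line.split(None, 1)
        name, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if name == "authname" and " " in arg and not arg.startswith('"'):
            findings.append((no, "AuthName with spaces must be quoted"))
        if name in ("deny", "allow") and arg.lower().startswith("from "):
            host = arg[5:].strip()  # "all", a hostname suffix, or an IPv4 address/prefix
            if host[0].isdigit() and not valid_ipv4_prefix(host):
                findings.append((no, host + " is not a valid IPv4 address or prefix"))
        if name == "require" and limit_methods is not None:
            findings.append((no, "require inside <Limit %s> leaves other HTTP methods unrestricted" % " ".join(limit_methods)))
    return findings
```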

  2. #2
    Nice.. I needed to create some and I am working on a few other things. Anyways, Nice tutorial!

  3. #3
    Where am I supposed to put the *.html files for the errors?

  4. #4
    Anywhere you want. In my examples, I put the error files in the root / directory of the website.

  5. #5
    That's what I did and it didn't work :/

  6. #6
    Post your .htaccess file and the location of your error page.
    Also, you are definitely using Apache aren't you?

  7. #7
    Yup yup yup yup yup yup... still doesn't work. I will zip the .htaccess file; find it on the root of my file server so you can check it.

    Dammit, my sig isn't working... the fserve is at http://billgates891.ath.cx:891

  8. #8
    It's either something to do with where you are saving the error page (you have it set on /root) or you have set up permissions on the .htaccess file wrong or something (605)

    Also, some admins don't allow users to use .htaccess, which can be changed in the httpd.conf file in your /conf directory in your Apache directory, if you are allowed access to it.

  9. #9
    I will check that. I keep it in my brother's room since I don't wanna run it off my machine, hehehe, but maybe he played with it or something.

  10. #10
    Also, I'm just after noticing, that you don't have port 80(80) open, so you're not *actually* running a website...
