-
Creating .htaccess files
.htaccess Files by Jethro
-------------------------
Index:
o Introduction
o Directory Browsing
o Custom Error Messages
o Redirection
o User Authentication
o Default Homepage
o SSI Parsing
o Blocking Certain Visitors
o The PHF Exploit
o Example .htaccess file
o Conclusion
Introduction
------------
The Apache web server has many options that the administrator can set in
the main configuration file (httpd.conf). In a shared hosting
environment, users don't have access to that file; however, they can
override some of these settings through a file called ``.htaccess``
placed in their own directory.
The .htaccess file is a plain ASCII text file (so it must be uploaded in
ASCII mode, not BINARY) and *only* affects the directory it is in and
all of its sub-directories. It can be created and edited in any text
editor, such as ``vim``, ``Notepad``, etc.
To make sure that visitors cannot view this file, set the permissions
to rw-r--r-- (644) as your .htaccess file may contain sensitive
information.
Directory Browsing
------------------
Options +Indexes
This turns directory browsing on. This means that if there is no index
page, visitors will see a listing of all the files in the directory and
can click whichever one they want to open.
Here are some more options you can enable and disable in this manner:
Options +Includes
Options +FollowSymLinks
Options +ExecCGI
Options +MultiViews
Custom Error Messages
----------------------
ErrorDocument 404 /error.html
This tells the server to show your own page instead of the default
"Error 404" page. Here's a list of the different error numbers and what
they mean.
Note: Error 402 (Payment Required) isn't utilised in Apache servers
yet.
400 Bad Request
401 Authorization Required
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflicting Request
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Long
414 Request URI Too Long
415 Unsupported Media Type
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
The most common errors are 400, 403, 404 and 500. Personally, I only
like to change the Error 404 page and let Apache use its default pages
for the others.
You can also give the error message as plain text instead of a page.
Example:
ErrorDocument 404 "Page Not Found
****
Note: There is only one quotation mark ("), at the start of the text.
****
Note #2: The text must fit on a single line.
****
Redirection
-----------
Redirect permanent /myscript.php http://www.blah.com/myscript.php3
This redirects /myscript.php to http://www.blah.com/myscript.php3. This
is useful if you have renamed or moved a page to another directory of
your website or to another web server completely.
The same can be done for directories:
Redirect permanent /old http://www.blah.com/new
This feature (redirection) of .htaccess can be very useful, because you
don't have to go through hundreds of pages, updating the links.
User Authentication
-------------------
AuthUserFile /secret/.htpasswd
AuthGroupFile /dev/null
AuthName "My Secret Hideout"
AuthType Basic
require valid-user
This feature deserves a tutorial of its own, but I'll explain it here
anyway.
The ``AuthUserFile`` directive tells the server where to find the
password file. We'll explain that more in a minute.
``AuthName`` can be anything; it is just the text string (the "realm")
shown in the login prompt during the authentication process, so quote
it if it contains spaces. It isn't too important.
The ``require valid-user`` line is not placed inside a ``<Limit GET
POST>`` block: ``<Limit>`` would restrict the password check to GET and
POST requests only, and a request using any other method would bypass
it.
After you have done that, we need to create the password file. Don't
worry if you're not using Linux, because it doesn't matter.
When you installed Apache onto your computer, you should have gotten a
program called ``htpasswd`` (``htpasswd.exe`` on Windows). It is located
in the /bin directory. From the command prompt (cd to that directory),
type:
``htpasswd -c .htpasswd <username>``
It will then prompt you for a password. The -c switch just creates a
new password file; from then on, you don't need it, you just need to
type:
``htpasswd .htpasswd <username>``
You can have as many usernames as you like, but it is advisable to
restrict it to a few usernames (unless it is a feature of your website
for registered users).
To delete users, just delete the line in .htpasswd with their username.
****
Note: The hash used by htpasswd is a modified DES (crypt), so it can be
cracked with a UNIX password cracker. On Windows, however, you may find
it using MD5.
****
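To make the password file and the Basic login exchange concrete, here is an added example in Python; it is not part of the tutorial and not Apache's own htpasswd code. It manages entries in the ``{SHA}`` format that ``htpasswd -s`` writes (the prefix ``{SHA}`` followed by the base64 of an unsalted SHA-1 digest), and checks an incoming ``Authorization: Basic`` header against the file. The user names, passwords and helper names are constructed for the example. ``{SHA}`` is used only because it needs nothing beyond the standard library; like the DES entries in the note above it is unsalted, so a stolen file falls to a dictionary lookup, which is why current htpasswd versions default to a salted MD5 format and offer bcrypt with ``-B``.

```python
"""Manage a small .htpasswd file and check an HTTP Basic header against it.

Added example, not part of the tutorial and not Apache's own htpasswd code.
Entries use the {SHA} format that 'htpasswd -s' writes: the literal prefix
"{SHA}" followed by the base64 of an unsalted SHA-1 digest. All user names
and passwords below are constructed sample data.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional

Entries = Dict[str, str]   # username -> stored hash, one line each in .htpasswd


def sha_entry(password: str) -> str:
    """Hash a password the way 'htpasswd -s' does."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def set_user(entries: Entries, username: str, password: str) -> Entries:
    """Add or replace one user ('htpasswd .htpasswd <username>' does this)."""
    if ":" in username or not username:
        raise ValueError("user name must be non-empty and contain no ':'")
    entries[username] = sha_entry(password)
    return entries


def delete_user(entries: Entries, username: str) -> Entries:
    """Remove a user, which is the same as deleting their line from the file."""
    entries.pop(username, None)
    return entries


def dump(entries: Entries) -> str:
    """Serialise to the 'user:hash' line format of .htpasswd."""
    return "".join(f"{user}:{hashed}\n" for user, hashed in entries.items())


def load(text: str) -> Entries:
    """Parse .htpasswd text; blank lines and '#' comments are ignored."""
    entries: Entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, hashed = line.partition(":")
            entries[user] = hashed
    return entries


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends after the 401 challenge."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def check_basic_auth(header: str, entries: Entries) -> Optional[str]:
    """Return the authenticated user name, or None if the header is rejected."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in entries:
        return None
    # Constant-time comparison of the stored hash with the offered password's hash.
    if hmac.compare_digest(entries[user], sha_entry(password)):
        return user
    return None


def demo() -> Optional[str]:
    """Create two users, round-trip through the file format, authenticate one."""
    users = set_user({}, "jethro", "correct horse")    # constructed credentials
    users = set_user(users, "guest", "letmein")
    users = load(dump(users))
    return check_basic_auth(basic_header("jethro", "correct horse"), users)


if __name__ == "__main__":
    print(demo())   # jethro
```

``demo()`` returns ``"jethro"``; a wrong password, an unknown user, a non-Basic scheme or a malformed token all make ``check_basic_auth`` return ``None`` rather than raise, which is the behaviour you want in front of an authentication prompt.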
Default Homepage
----------------
DirectoryIndex index.cgi index.php index.html home.html
This tells the server to look for one of these files (from left to
right) to show as the index file. Files further to the left take
precedence, so ``index.cgi`` is looked for first, then ``index.php``,
then ``index.html`` and finally ``home.html``. If none of those pages
can be found, the server will just list all the files in that directory
(that's where the ``Options +Indexes`` part comes in handy).
SSI Parsing
-----------
AddType text/html .html
AddHandler server-parsed .html
AddHandler server-parsed .htm
This makes the server parse server side includes in the listed file
types (.html, .htm). To add a file type to the list, add another
AddHandler line with the extension that document type uses.
Blocking Certain Visitors
-------------------------
order allow,deny
allow from all
deny from 123.456.789.000
deny from 123.456.789.
deny from .aol.com
``deny from 123.456.789.000`` denies access to the website to anybody
connecting from exactly the IP address 123.456.789.000.
``deny from 123.456.789.`` denies access to anybody in the IP range
beginning 123.456.789.
``deny from .aol.com`` denies access to anybody whose host name ends in
``aol.com`` (this needs a reverse DNS lookup on every request, so it is
slower than matching on addresses).
The ``order allow,deny`` line matters: Apache evaluates all the ``allow``
lines first, then all the ``deny`` lines, and a client that matches a
deny line is rejected. With the opposite ``order deny,allow``, a client
that matches both a deny line and ``allow from all`` is let in, so the
deny lines would block nobody. The block is also not wrapped in a
``<Limit GET>`` section, because that would only restrict GET requests
and leave POST and every other method open.
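Because the evaluation order is easy to get backwards, here is an added example in Python (not part of the tutorial and not Apache code) that simulates how mod_access combines ``order``, ``allow from`` and ``deny from`` for one client, following the rules in the Apache documentation. The client addresses and host names are constructed sample data from the documentation address ranges, and the matching helper treats a pattern with a trailing dot as an address prefix, as the tutorial writes it. Running it shows that the same three deny lines block nobody under ``order deny,allow`` with ``allow from all``, and block exactly the intended clients under ``order allow,deny``.

```python
"""Simulate mod_access evaluation of 'order', 'allow from' and 'deny from'.

Added example, not part of the tutorial and not Apache's code. The two
evaluation orders follow the Apache documentation for mod_access; the
client addresses and host names are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple


def matches(pattern: str, ip: str, host: Optional[str]) -> bool:
    """True if one allow/deny argument matches this client."""
    if pattern == "all":
        return True
    if pattern.startswith("."):               # host-name suffix, e.g. .aol.com
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):                 # partial address, e.g. 198.51.100.
        return ip.startswith(pattern)
    return ip == pattern                      # exact address


def evaluate(order: str, allows: List[str], denies: List[str],
             ip: str, host: Optional[str] = None) -> str:
    """Return 'allow' or 'deny' for one client under the given 'order'."""
    allowed = any(matches(p, ip, host) for p in allows)
    denied = any(matches(p, ip, host) for p in denies)
    if order == "deny,allow":
        # Deny lines first; a client that also matches an allow line is let in,
        # and a client matching nothing at all is let in too.
        return "deny" if denied and not allowed else "allow"
    if order == "allow,deny":
        # At least one allow line must match, and then any deny line rejects.
        return "allow" if allowed and not denied else "deny"
    raise ValueError(f"unknown order {order!r}")


# The tutorial's three deny lines, with constructed addresses.
DENIES = ["203.0.113.7", "198.51.100.", ".aol.com"]
ALLOWS = ["all"]
CLIENTS: List[Tuple[str, Optional[str]]] = [
    ("203.0.113.7", None),                 # exact address in a deny line
    ("198.51.100.42", None),               # inside the partial-address range
    ("192.0.2.10", "dialup-1.aol.com"),    # host name under .aol.com
    ("192.0.2.11", "example.org"),         # matches no deny line
]


def compare_orders() -> Dict[str, Tuple[str, str]]:
    """For each client: (result under deny,allow, result under allow,deny)."""
    return {ip: (evaluate("deny,allow", ALLOWS, DENIES, ip, host),
                 evaluate("allow,deny", ALLOWS, DENIES, ip, host))
            for ip, host in CLIENTS}


if __name__ == "__main__":
    for ip, (wrong, right) in compare_orders().items():
        print(f"{ip:15} deny,allow -> {wrong:5}   allow,deny -> {right}")
```

Under ``order deny,allow`` every client matches ``allow from all``, which overrides the deny lines, so all four clients come back as ``allow``; under ``order allow,deny`` the first three are denied and only ``192.0.2.11`` is allowed. The simulator also reproduces the whitelist idiom from the Apache documentation (``order deny,allow`` with ``deny from all`` and an ``allow`` for one host), which is the case where ``deny,allow`` is the right choice.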
The PHF Exploit
---------------
PHF was a script installed by default on old Apache servers. Of course,
this feature has long since been removed, but some people still attempt
it on the one-in-a-million chance that you have PHF enabled.
****
Note: The exploit was very serious: anybody who fed a newline character
to the PHF script could run remote commands with the same privileges as
the web server, so anybody who found a web server running with root
privileges could easily read the /etc/passwd file through the /bin/cat
command, etc.
****
Even though this technique is of no danger to your machine, it's fun to
mess around with the attacker and redirect them to either a logging
script which logs their IP address, or to some error page which
screams abuse at them.
<Location /cgi-bin/phf*>
Deny from all
ErrorDocument 403 /log-ip.php
</Location>
This denies access to any phf file in the /cgi-bin/ directory and sends
the attacker to /log-ip.php instead. Note that ``<Location>`` is only
valid in the main server configuration or a virtual host, not in a
.htaccess file; inside the cgi-bin directory's .htaccess, a ``<Files
phf*>`` block does the same job.
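If you would rather find these probes in the access log than rely on a logging script, here is an added example in Python (not part of the tutorial) that parses Apache common-log-format lines and counts requests for ``/cgi-bin/phf*`` per client address. The log lines are constructed sample data using addresses from the documentation ranges, and the only "signature" is the path prefix from the ``<Location>`` block above.

```python
"""Find probes for the old /cgi-bin/phf script in Apache access-log lines.

Added example, not part of the tutorial. SAMPLE_LOG is constructed data in
Apache's common log format (client addresses from the documentation ranges
192.0.2.0/24 and 198.51.100.0/24); the path test mirrors the tutorial's
<Location /cgi-bin/phf*> pattern and is the only "signature" used.
"""
import re
from collections import Counter
from typing import Dict, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
192.0.2.10 - - [05/Mar/2004:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326
198.51.100.23 - - [05/Mar/2004:13:56:01 +0000] "GET /cgi-bin/phf HTTP/1.0" 403 213
198.51.100.23 - - [05/Mar/2004:13:56:02 +0000] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 403 213
192.0.2.10 - - [05/Mar/2004:13:57:10 +0000] "GET /phf.html HTTP/1.0" 404 198
198.51.100.77 - - [05/Mar/2004:14:01:44 +0000] "HEAD /cgi-bin/phfoo HTTP/1.1" 403 0
this line is not in log format at all
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one common-log-format line into fields; None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_phf_probe(path: str) -> bool:
    """True for any request whose path (query string ignored) starts /cgi-bin/phf."""
    return path.split("?", 1)[0].startswith("/cgi-bin/phf")


def phf_probes(log_text: str) -> Dict[str, int]:
    """Count phf requests per client address; unparsable lines are skipped."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_phf_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(phf_probes(SAMPLE_LOG).items()):
        print(f"{ip}: {n} phf request(s)")
```

On the sample data this reports two requests from 198.51.100.23 and one from 198.51.100.77; the ``/phf.html`` request is ignored because it is not under ``/cgi-bin/``, and the malformed line is skipped rather than crashing the scan.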
Example .htaccess file
----------------------
You can copy and paste this if you want and add/remove/edit any parts
of it.
***** .htaccess *****
Options +Indexes
Options +MultiViews
ErrorDocument 403 "Forbidden!!!
ErrorDocument 404 /error.php?error=404
ErrorDocument 500 /error.php?error=500
Redirect permanent /links.html http://www.mysite.com/features/links.php
AuthUserFile /users/.htpasswd
AuthGroupFile /dev/null
AuthName "Jethro's House of Love"
AuthType Basic
require valid-user
DirectoryIndex index.php index.html /cgi-bin/index.cgi
AddType text/html .html
AddType text/html .htm
AddHandler server-parsed .html
AddHandler server-parsed .htm
order allow,deny
allow from all
deny from 159.132.216.
<Location /cgi-bin/phf*>
Deny from all
ErrorDocument 403 /cgi-bin/fakephp.cgi
</Location>
***************************************
Conclusion
----------
As you can see, .htaccess files can be a useful tool in web design and
administration.
Have fun,
Jethro
-
Nice.. I needed to create some and I am working on a few other things. Anyways, Nice tutorial!
-
where am i supposed to put the *.html files? for the errors?
-
Anywhere you want. In my examples, I put the error files in the root / directory of the website.
-
thats wut i did and it didn't work :/
-
Post your .htaccess file and the location of your error page.
Also, you are definitely using Apache aren't you?
-
yup yup yup yup yup yup...still don't work i will zip the .htaccess file, find it on the root of my file server so u can check it
dammit my sig isn't working... the fserve is at http://billgates891.ath.cx:891
-
It's either something to do with where you are saving the error page (you have it set on /root) or you have set up permissions on the .htaccess file wrong or something (605)
Also, some admins don't allow users to use .htaccess, which can be changed in the http.conf file in your /conf directory in your Apache directory, if you are allowed access to it.
-
i will check that, I keep it in my brother's room since i don't wanna run it off my machine, hehehe, but maybe he played with it or something
-
Also, I'm just after noticing, that you don't have port 80(80) open, so you're not *actually* running a website...
-
can u all help mi to create a .htaccess file and .htpasswd file
-
.htpasswd is an inferior method of providing access controls for websites. If the web service software is compromised so are all the .htaccess protected directories. Better off using the operating system access controls (though apache doesn't provide simple authentication pass through) or securing the material in a database.
Either way the data is not released by an application level bug in the web service.
catch
-
can anyone create User Authentication with php can give mi the code and how do u create username and passwd using php
-
Quote:
Originally posted here by catch
.htpasswd is an inferior method of providing access controls for websites. If the web service software is compromised so are all the .htaccess protected directories. Better off using the operating system access controls (though apache doesn't provide simple authentication pass through) or securing the material in a database.
Either way the data is not released by an application level bug in the web service.
catch
Greetings Calvin.
Catch is correct, although "Inferior", is an arrogant way to state it. He knows his Shiznit.
There is nothing wrong with research however, and a great deal can be learned from the "Old School"......"Obsolete". Crapola!
http://www.zend.com/zend/tut/authentication.php
Remember it all seems like crap two months later! :D
-
"Inferior" is not an arrogant way to say it at all, it is an accurate way to say that .htaccess is "lower in quality."
Good security is mathematically sound and never goes obsolete, this is why nearly all (good) current security principles date back to the 60's and 70's. Things like .htaccess were never good, not even when new as it is based on a flawed concept (allowing applications to control their own security.)
catch
-
IMO, a layered approach is best so that if there is a failure by one piece of software, it can be stopped by another. To use any one method to secure a system is to place all your eggs in one basket, and is a silly concept. You may want to look at using a combination of such methods in tandem.
If you rely on in the operating systems' access control software, database software, or the web application (PHP/ASP/CGI, etc) that utilizes the database, those are all also potential holes. Instead of guaranteeing access and relying on only those things to do all the prevention, what does another level of prevention cost? A few minutes of your time. It seems worth it to me.
-
The problem with layered security is that it is VERY rarely implemented correctly, so in fact it is not actually layered. That is many types of security not dependent on each other so if any one fails, the system is compromised. In that case you are merely creating additional surface area to attack. Really what needs to be done is to rely on a reference monitor, a single point of very high assurance security that is: tamperproof, small enough to be verified, and comprehensive. A single point of very high assurance security is much better than many low assurance mechanisms.
As a minimum security should never be controlled in a non-hierarchical manner (that is any application being responsible for its own security).
catch