-
June 27th, 2002, 06:47 PM
#1
Creating .htaccess files
.htaccess Files by Jethro
-------------------------
Index:
o Introduction
o Directory Browsing
o Custom Error Messages
o Redirection
o User Authentication
o Default Homepage
o SSI Parsing
o Blocking Certain Visitors
o The PHF Exploit
o Example .htaccess file
o Conclusion
Introduction
------------
The Apache web server has many environment options that the admin can
edit. In a shared environment, however, the users don't have access to
the main configuration file (httpd.conf), but they can override some of
these settings through the use of a file called ``.htaccess``.
The .htaccess file is an ASCII file (so it must be uploaded as ASCII, not
BINARY) and *only* affects the directory it is in and all of its
sub-directories. It can be created and edited in any text editor, such
as ``vim``, ``Notepad``, etc.
To make sure that visitors cannot view this file, set the permissions
to rw-r--r-- (644) as your .htaccess file may contain sensitive
information.
Directory Browsing
------------------
Options +Indexes
This sets directory browsing on. This means that if there is no index
page, you will be able to see all the pages and click whichever one
you want to enter.
Here are some more options you can enable and disable in this manner:
Options +Includes
Options +FollowSymLinks
Options +ExecCGI
Options +MultiViews
Custom Error Messages
----------------------
ErrorDocument 404 /error.html
This would tell the server that, instead of viewing the regular "Error
404" page, you can set your own. Here's a list of the different error
numbers and what they mean.
Note: Error 402 (Payment Required) isn't utilised in Apache servers
yet.
400 Bad Request
401 Authorization Required
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflicting Request
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Long
414 Request URI Too Long
415 Unsupported Media Type
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
The most common errors are 400, 403, 404 and 500. Personally, I only
like to change the Error 404 page and let Apache use its default pages
for the others.
Another feature is that you can use text.
Example:
ErrorDocument 404 "Page Not Found
****
Note: There is only one (") mark, which is at the start of the text.
****
Note #2: The text should not exceed one line.
****
Redirection
-----------
Redirect permanent /myscript.php http://www.blah.com/myscript.php3
This redirects /myscript.php to http://www.blah.com/myscript.php3. This
is useful if you have renamed or moved a page to another directory of
your website or to another web server completely.
The same can be done for directories:
Redirect permanent /old http://www.blah.com/new
This feature (redirection) of .htaccess can be very useful, because you
don't have to go through hundreds of pages, updating the links.
User Authentication
-------------------
AuthUserFile /secret/.htpasswd
AuthGroupFile /dev/null
# a value containing spaces must be quoted, or Apache rejects the file
AuthName "My Secret Hideout"
AuthType Basic
# no <Limit GET POST> wrapper: that would leave every other request
# method (PUT, DELETE, OPTIONS, ...) without authentication
require valid-user
This feature deserves a tutorial of its own, but I'll explain it here
anyway.
The ``AuthUserFile`` tells the server where to find the password file.
We'll explain that more in a minute.
``AuthName`` can be anything and is just used as a text string in the
authentication process. It isn't too important.
After you have done that, we need to create the password file. Don't
worry if you're not using Linux, because it doesn't matter.
When you installed Apache onto your computer, you should have gotten a
program called "htpasswd.exe". This is located in the /bin directory.
From the command prompt (cd to that directory), type:
``htpasswd -c .htpasswd <username>``
It will then prompt you for a password. The -c switch just creates a
new password file; from then on you don't need it, you just need to
type:
``htpasswd .htpasswd <username>``
You can have as many usernames as you like, but it is recommended to
restrict it to a few usernames (unless it is a feature of your website
for registered users).
To delete users, just delete the line in .htpasswd with their username.
****
Note: The encryption method used in htpasswd is altered DES, so it can
be cracked with a UNIX-cracker. However on Windows, you may find it
using MD5.
****
Default Homepage
----------------
DirectoryIndex index.cgi index.php index.html home.html
This sets it so the server looks for one of these files (from left to
right) to show as the index file. The files are given precedence the
farther left they are, so ``index.cgi`` would be looked for first,
then ``index.php``, then ``index.html`` and finally ``home.html``. If
none of those pages could be found, then the server will just list out
all the files in that directory (that's where the ``Options +Indexes``
part comes in handy).
SSI Parsing
-----------
AddType text/html .html
AddHandler server-parsed .html
AddHandler server-parsed .htm
This makes it so that server side includes are parsed in the following
file types (.html, .htm). To add a file type to that list, just add an
AddHandler line with the extension that document type has.
Blocking Certain Visitors
-------------------------
# with "order allow,deny" the Allow list is checked first, then the Deny
# list, and a matching Deny wins; with "order deny,allow" the "allow from
# all" line below would override every Deny and nobody would be blocked.
# No <Limit GET> wrapper either: that would only block GET requests.
order allow,deny
allow from all
# placeholder addresses: real octets run from 0 to 255
deny from 123.456.789.000
deny from 123.456.789.
deny from .aol.com
``deny from 123.456.789.000`` denies access to the website from anybody
from the exact IP address 123.456.789.000
``deny from 123.456.789.`` denies access to the website from anybody
from the IP range 123.456.789
``deny from .aol.com`` denies access to the website from anybody
connecting from ``aol.com``.
The PHF Exploit
---------------
PHF was a script installed by default on old Apache servers. Of course,
this feature has long since been eradicated; however, some people still
attempt it on the one in a million chance that you have PHF enabled.
****
Note: The exploit was very serious, as anybody who fed a newline
character to the PHF script could run remote commands with the same
privileges as the webserver, so anybody who found a webserver running
with root privileges could easily access the /etc/passwd file through
the /bin/cat command, etc.
****
Even though this technique is of no danger to your machine, it's fun to
mess around with the attacker and redirect them to either a logging
script which logs their IP address, or to some error page which
screams abuse at them.
# <Location> is not allowed in .htaccess (Apache answers every request
# with a 500 error); <Files> is, and matches phf* in any sub-directory
<Files "phf*">
Deny from all
ErrorDocument 403 /log-ip.php
</Files>
This denies access to any phf file in the /cgi-bin/ directory and
redirects them to /log-ip.php.
Example .htaccess file
----------------------
You can copy and paste this if you want and add/remove/edit any parts
of it.
***** .htaccess *****
Options +Indexes
Options +MultiViews
ErrorDocument 403 "Forbidden!!!
ErrorDocument 404 /error.php?error=404
ErrorDocument 500 /error.php?error=500
Redirect permanent /links.html http://www.mysite.com/features/links.php
AuthUserFile /users/.htpasswd
AuthGroupFile /dev/null
# quoted because the value contains spaces
AuthName "Jethro's House of Love"
AuthType Basic
# applies to every request method, not just those in a <Limit> list
require valid-user
DirectoryIndex index.php index.html /cgi-bin/index.cgi
AddType text/html .html
AddType text/html .htm
AddHandler server-parsed .html
AddHandler server-parsed .htm
# allow,deny: everyone is allowed except the addresses listed in Deny
order allow,deny
allow from all
deny from 159.132.216.
# <Files> instead of <Location>, which is not permitted in .htaccess
<Files "phf*">
Deny from all
ErrorDocument 403 /cgi-bin/fakephp.cgi
</Files>
***************************************
Conclusion
----------
As you can see, .htaccess files can be a useful tool in web design and
administration.
Have fun,
Jethro
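Added example (not part of Jethro's post, and not Apache's own code): a Python script that reads .htpasswd entries in the two formats htpasswd can write besides DES crypt, the {SHA} form (htpasswd -s) and Apache's $apr1$ MD5 form (htpasswd -m), verifies passwords against them, and runs a small dictionary attack to show why an exposed .htpasswd is a problem even with the "better" MD5 hash: 1000 rounds of MD5 cost next to nothing. The user names, passwords, salt and wordlist are all made up for the example, and the DES crypt() form the note above mentions is left out.

```python
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Apache's 6-bit encoding used by the $apr1$ scheme (least significant bits first)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password, salt):
    """The $apr1$ scheme written by 'htpasswd -m': md5crypt with the magic '$apr1$'."""
    pw, sl, magic = password.encode(), salt[:8].encode(), b"$apr1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in md5(pw+salt+pw), repeated up to the password length
        ctx.update(alt[:min(n, 16)])
        n -= 16
    i = len(pw)
    while i:                          # one byte per bit of the length: NUL or the first password byte
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):             # 1000 rounds of MD5: cheap on modern hardware
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return "$apr1$" + salt[:8] + "$" + encoded


def sha1_htpasswd(password):
    """The {SHA} scheme written by 'htpasswd -s': unsalted SHA-1, base64 encoded."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def new_entry(user, password):
    """A fresh 'user:hash' line in the $apr1$ format with a random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def verify(password, stored):
    """True if 'password' matches the stored hash (constant-time string compare)."""
    if stored.startswith("$apr1$"):
        return hmac.compare_digest(apr1_md5(password, stored.split("$")[2]), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_htpasswd(password), stored)
    raise ValueError("unsupported hash format: " + stored[:6])


def parse_htpasswd(text):
    """Map user -> stored hash from the contents of a .htpasswd file."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def crack(stored, wordlist):
    """Offline dictionary attack: the first candidate that verifies, or None."""
    return next((w for w in wordlist if verify(w, stored)), None)


# Constructed sample file (not from a real server); the salt is fixed so the file is reproducible.
SAMPLE_HTPASSWD = "\n".join([
    "jethro:" + apr1_md5("hideout", "Zx5Qe1aH"),
    "guest:" + sha1_htpasswd("password"),
])
WORDLIST = ["letmein", "123456", "password", "secret", "hideout"]  # constructed

if __name__ == "__main__":
    for user, stored in parse_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user}: {stored}  cracked -> {crack(stored, WORDLIST)}")
    print(new_entry("newuser", "correct horse"))
```

Run it as a script to see both entries fall to the wordlist; the functions can also be imported. The practical upshot is the same as the note in the post: keep the .htpasswd file outside the web root, and treat every hash in it as crackable once the file leaks, whatever the format.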
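Added example for the "Blocking Certain Visitors" section (not from the post): a Python evaluator for Apache's Order/Allow/Deny logic, so you can see what a block actually does before relying on it. With ``order deny,allow``, a client that matches both a Deny line and ``allow from all`` is allowed, so a block written that way lets everyone in; with ``order allow,deny`` the Deny match wins. The rule sets and client addresses below are constructed, and the host names stand in for what Apache would get from a reverse lookup.

```python
import ipaddress


def parse_rules(text):
    """Collect Order, 'Allow from' and 'Deny from' lines; everything else is ignored."""
    rules = {"order": "deny,allow", "allow": [], "deny": []}   # Apache's default Order
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":          # blanks, comments, <Limit>/</Limit> wrappers
            continue
        words = line.split()
        key = words[0].lower()
        if key == "order" and len(words) == 2:
            rules["order"] = words[1].lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            rules[key] += [w.lower() for w in words[2:]]
    return rules


def _in_domain(pattern, host):
    """Suffix match on whole labels, as Apache does it: 'good.com' must not match 'nogood.com'."""
    if host is None or len(host) < len(pattern) or not host.endswith(pattern):
        return False
    return len(host) == len(pattern) or pattern.startswith(".") or host[-len(pattern) - 1] == "."


def matches(pattern, ip, host=None):
    """Does one Allow/Deny argument match the client? host is the reverse-DNS name, if known."""
    if pattern == "all":
        return True
    if "/" in pattern:                                       # CIDR, e.g. 192.0.2.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():                   # full or partial IP: '10.1.' matches 10.1.x.x
        want = pattern.rstrip(".").split(".")
        return ip.split(".")[: len(want)] == want
    return _in_domain(pattern, host.lower() if host else None)


def decide(rules, ip, host=None):
    """'allow' or 'deny' for this client under the given Order."""
    allowed = any(matches(p, ip, host) for p in rules["allow"])
    denied = any(matches(p, ip, host) for p in rules["deny"])
    if rules["order"] == "deny,allow":
        # Deny is evaluated first, but a matching Allow overrides it; unmatched clients get in.
        return "deny" if denied and not allowed else "allow"
    # allow,deny (and mutual-failure): the client must match an Allow and no Deny; default is deny.
    return "allow" if allowed and not denied else "deny"


# Constructed rule sets: the weak blacklist shape, the corrected blacklist, and a whitelist.
AS_POSTED = """
<Limit GET>
order deny,allow
deny from 159.132.216.
deny from .aol.com
allow from all
</Limit>
"""
CORRECTED = """
order allow,deny
allow from all
deny from 159.132.216.
deny from .aol.com
"""
WHITELIST = """
order deny,allow
deny from all
allow from 192.0.2.0/24
"""

if __name__ == "__main__":
    clients = (("159.132.216.7", None), ("203.0.113.5", "proxy.aol.com"), ("192.0.2.9", None))
    for name, text in (("as posted", AS_POSTED), ("corrected", CORRECTED), ("whitelist", WHITELIST)):
        rules = parse_rules(text)
        for ip, host in clients:
            print(f"{name:10} {ip:15} {host or '-':15} -> {decide(rules, ip, host)}")
```

The evaluator handles the forms the post uses (full address, partial address, domain suffix) plus CIDR ranges. This is why a blacklist is written as ``order allow,deny`` / ``allow from all`` / ``deny from ...``, and a whitelist as ``order deny,allow`` / ``deny from all`` / ``allow from ...``; the file order of the Allow and Deny lines themselves does not matter, only the Order directive does.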
-
June 27th, 2002, 06:59 PM
#2
Nice... I needed to create some and I am working on a few other things. Anyway, nice tutorial!
-
June 29th, 2002, 10:12 PM
#3
Where am I supposed to put the *.html files for the errors?
-
June 29th, 2002, 10:21 PM
#4
Anywhere you want. In my examples, I put the error files in the root / directory of the website.
-
June 29th, 2002, 10:37 PM
#5
That's what I did and it didn't work :/
-
June 30th, 2002, 12:01 AM
#6
Post your .htaccess file and the location of your error page.
Also, you are definitely using Apache aren't you?
-
June 30th, 2002, 12:03 AM
#7
Yup yup yup yup yup yup... still doesn't work. I will zip the .htaccess file; find it on the root of my file server so you can check it.
Dammit, my sig isn't working... the fserve is at http://billgates891.ath.cx:891
-
June 30th, 2002, 12:21 AM
#8
It's either something to do with where you are saving the error page (you have it set on /root), or you have set up permissions on the .htaccess file wrong or something (605).
Also, some admins don't allow users to use .htaccess, which can be changed in the httpd.conf file in your /conf directory in your Apache directory, if you are allowed access to it.
-
June 30th, 2002, 12:22 AM
#9
I will check that. I keep it in my brother's room since I don't wanna run it off my machine, hehehe, but maybe he played with it or something.
-
June 30th, 2002, 12:23 AM
#10
Also, I'm just after noticing that you don't have port 80(80) open, so you're not *actually* running a website...