Apache Quick Reference
From 5dollarwhitebox.org Media Wiki
Application Handlers
Windows Media Player Files
Add the following to the httpd.conf or whatever it is on your distro:
AddType video/x-ms-asf asf asx
AddType audio/x-ms-wma wma
AddType audio/x-ms-wax wax
AddType video/x-ms-wmv wmv
AddType video/x-ms-wvx wvx
AddType video/x-ms-wm wm
AddType video/x-ms-wmx wmx
AddType application/x-ms-wmz wmz
AddType application/x-ms-wmd wmd
Basic Authentication
I can never remember this
<Directory /var/www/restricted>
Options Indexes MultiViews FollowSymLinks
AllowOverride AuthConfig
AuthUserFile /var/www/.htpasswd
AuthGroupFile /var/www/.htgroup
AuthName "Back off it: Restricted!!!"
AuthType Basic
Require valid-user
</Directory>
Mod_Rewrite
Some good references:
Satisfy Security Scans
Some security scanners will flag the TRACE and TRACK methods and want them disabled in Apache. Add the following to '/etc/httpd/conf.d/security_rewrites.conf' (RedHat) or '/etc/apache2/conf.d/security_rewrites.conf' (Debian):
Apache 1.3/2:
# For security reasons disable the TRACE command
RewriteEngine on
RewriteCond %{REQUEST_METHOD} (TRACE|TRACK)
RewriteRule .* - [F,L]
Then make sure that the Apache config includes this file (most distros have 'Include conf.d/*.conf' in the global config).
Force SSL
RewriteEngine On
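# Anchor the port so only 443 itself is treated as already on SSL (an unanchored 443 also matches 8443)
RewriteCond %{SERVER_PORT} !^443$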
RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
Block Hot Linking
This will allow you to restrict image links to only the domain specified in the rewrite condition.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
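# Allow the site's own pages as referrer over http or https; dots are escaped so they match literally
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/.*$ [NC]
RewriteRule \.(gif|jpg|tiff)$ - [F]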
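The decision the hot-link lines above make, modelled in Python as an added example (not part of the original wiki page). It assumes the referrer pattern is written with escaped dots and `https?`; `hotlink_status` is a hypothetical helper name and the requests are constructed samples.

```python
import re

# Patterns modelled on the hot-link block above; domain.com is the page's
# placeholder domain. Escaped dots and https? are assumptions of this example.
ALLOWED_REFERER = re.compile(r"^https?://(www\.)?domain\.com/.*$", re.IGNORECASE)  # [NC]
IMAGE_URI = re.compile(r"\.(gif|jpg|tiff)$")  # RewriteRule has no [NC]: case-sensitive


def hotlink_status(uri, referer=""):
    """Return 403 if the rule set would forbid the request, else 200."""
    # mod_rewrite tests the RewriteRule pattern first; the conditions are
    # only evaluated when the pattern matches.
    if not IMAGE_URI.search(uri):
        return 200
    # RewriteCond %{HTTP_REFERER} !^$  -> true only when a Referer is present
    if referer == "":
        return 200
    # RewriteCond %{HTTP_REFERER} !<own domain> [NC] -> true for foreign pages
    if ALLOWED_REFERER.search(referer):
        return 200
    return 403  # [F]


# Constructed sample requests: (URI, Referer header)
SAMPLES = [
    ("/img/logo.gif", "http://www.domain.com/index.html"),      # own page
    ("/img/logo.gif", "http://other.example/page.html"),        # foreign page
    ("/img/logo.gif", ""),                                      # no Referer sent
    ("/img/logo.gif", "http://www.domain.com.other.example/"),  # look-alike host
    ("/img/photo.JPG", "http://other.example/page.html"),       # upper-case extension
    ("/img/icon.png", "http://other.example/page.html"),        # extension not listed
    ("/index.html", "http://other.example/page.html"),          # not an image
]

if __name__ == "__main__":
    for uri, referer in SAMPLES:
        print(hotlink_status(uri, referer), uri, referer or "(none)")
```

The rule only forbids listed lower-case extensions requested with a foreign Referer; adding NC to the RewriteRule flags and extending the extension list widens what it covers.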
Doctor URLs
- ACCESSED URL: http://www.domain.com/quickSearch/yaddayadda
- REAL URL: http://www.domain.com/quickSearch.php?search=yaddayadda
Add the following to your .htaccess or Directory directive:
<Files ~ "^[^\.]+$">
SetOutputFilter PHP
SetInputFilter PHP
LimitRequestBody 524288
AcceptPathInfo On
</Files>
RewriteEngine On
# RewriteBase takes a URL path, not a filesystem path
RewriteBase /
RewriteRule ^quickSearch/([^/]+)$ /quickSearch.php?search=$1
Doctor URLs 2 - Look Back Feature
Another example of using multiple variables in the URL and hiding the script:
AcceptPathInfo On
RewriteEngine On
RewriteRule ^index/([^/]*)$ index.php?a=$1
RewriteRule ^index/([^/]*)/([^/]*)$ index.php?a=$1&b=$2 [PT]
RewriteRule ^index/([^/]*)/([^/]*)/([^/]*)$ index.php?a=$1&b=$2&c=$3 [PT]
RewriteRule ^index/([^/]*)/([^/]*)/([^/]*)/([^/]*)$ index.php?a=$1&b=$2&c=$3&d=$4 [PT]
You can test this with the following index.php:
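<?php
// Return a query parameter HTML-escaped for output ('' if it is absent or not a string).
function param($name) {
    $value = (isset($_GET[$name]) && is_string($_GET[$name])) ? $_GET[$name] : '';
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
$a = param('a');
$b = param('b');
$c = param('c');
$d = param('d');
print " hello world...<br><br>
Variable 'a' is set to \"$a\".<br>
Variable 'b' is set to \"$b\".<br>
Variable 'c' is set to \"$c\".<br>
Variable 'd' is set to \"$d\".<br>
";
?>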
Now hit up the URL 'http://www.yourdomain.com/path/to/index.php?a=johnny&b=jane&c=dave&d=jack'. The same URL can be hit with 'http://www.yourdomain.com/path/to/index/johnny/jane/dave/jack'.
Mod_ReWrite Cheat Sheet
