Apache Modules

Apache Modules

---

Real-Life Htaccess Files from My Server

#### No https except to wp-admin -
# If the request is empty ( implies fopen or normal file access by a php script )
RewriteCond %{THE_REQUEST} ^$ [OR]
 
# OR if the request if for wp-admin or wp-login.php
RewriteCond %{REQUEST_URI} ^/(wp-admin|wp-login\.php).*$ [NC,OR]
 
# OR if the Referer is https
RewriteCond %{HTTP_REFERER} ^https://www.askapache.com/.*$ [NC]
 
# THEN skip the following rule, basically all this does is force https or badhost to be redirected
# BUT because of the above 3 rewritecond's, this won't break poorly written admin scripts
RewriteRule .* - [S=1]
 
RewriteCond %{HTTPS} =on [OR]
RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
RewriteRule .* http://www.askapache.com%{REQUEST_URI} [R=301,L]
 
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(wp-admin/.*|wp-login\.php.*)\ HTTP/ [NC]
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

· htaccess example  ·  RSS | 11:06 AM

---

HTTP Status Codes and .htaccess ErrorDocuments

There are a total of 57 HTTP Status Codes recognized by the Apache Web Server. Wouldn’t you like to see what all those headers and their output, ErrorDocuments look like?

· ErrorDocuments  ·  RSS | 3:56 PM

---

Protecting Files with Advanced Mod_Rewrite Anti-Hotlinking

If you have files on your site that you don’t want indexed by malicious search engines, grabbed and leeched by malicious spammers, or stolen and made available elsewhere, you can use mod_rewrite to drastically reduce or totally reduce that activity.

· Files  ·  RSS | 1:09 AM

---

Crazy Advanced Mod_Rewrite Tutorial

Note: Extremely ILL Content
Find the key to unlocking mod_rewrite and you WILL be sick.. sick with a diamond disease on your wrist!

· modrewrite  ·  RSS | 12:55 PM

---

An AskApache Plugin Upgrade to Rule them All

So my blog as been rather quiet for almost a year now, and very few updates if any have been released for my Password Protection PLugin, my Google 404 Plugin, and definately not for my AskApache CrazyCache plugin, which I will be releasing last… So for all of you who’ve helped me out by sending me suggestions and notifying me of errors and sticking with it… Just wanted to say sorry about that, and thanks for all the great ideas.. Well, I’ve been sticking with it as well believe it our not. I manage to get free days once in a while, and then its time to jam.

· Google 404 Plugin  ·  RSS | 1:59 PM

---

DNS Round Robin Configuration using Rsync over SSH

The goal is to add the HostGator server to be an exact mirror of the static.askapache.com domain, then to add that server as a 2nd A record to my DNS zone. That way half the visitors to the size will be taking up resources and bandwidth on the HostGator server instead of mine.

Round Robin A records in DNS are intended to evenly distribute queries between each host of the same name. Using some tricks straight out of a hackers toolbox we can verify if the distribution is taking place. (It is.)

· Configuration  ·  RSS | 1:46 AM

---

Advanced Htaccess – SSI, ErrorDocuments, DirectoryIndexing SEO

3-Part article covering practical implementation of 3 advanced .htaccess features. Discover an easy way to boost your SEO the AskApache way (focus on visitors), a tip you might keep and use for life. Get some cool security tricks to use against spammers, crackers, and other nefarious sorts. Take your site’s error handling to the next level, enhanced ErrorDocuments that go beyond 404′s.

· ErrorDocuments  ·  RSS | 4:02 AM

---

The Ultimate Htaccess

Skip this – still under edit

I discovered these tips and tricks mostly while working as a network security penetration specialist hired to find security holes in web hosting environments. Shared hosting is the most common and cheapest form of web-hosting where multiple customers are placed on a single machine and “share” the resources (CPU/RAM/SPACE). The machines are configured to basically ONLY do HTTP and FTP. No shells or any interactive logins, no ssh, just FTP access. That is when I started examining htaccess files in great detail and learned about the incredible untapped power of htaccess. For 99% of the worlds best Apache admins, they don’t use .htaccess much, if AT ALL. It’s much easier, safer, and faster to configure Apache using the httpd.conf file instead. However, this file is almost never readable on shared-hosts, and I’ve never seen it writable. So the only avenue left for those on shared-hosting was and is the .htaccess file, and holy freaking fiber-optics.. it’s almost as powerful as httpd.conf itself!

Most all .htaccess code works in the httpd.conf file, but not all httpd.conf code works in .htaccess files, around 50%. So all the best Apache admins and programmers never used .htaccess files. There was no incentive for those with access to httpd.conf to use htaccess, and the gap grew. It’s common to see “computer gurus” on forums and mailing lists rail against all uses and users of .htaccess files, smugly announcing the well known problems with .htaccess files compared with httpd.conf – I wonder if these “gurus” know the history of the htaccess file, like it’s use in the earliest versions of the HTTP Server- NCSA’s HTTPd, which BTW, became known as Apache HTTP. So you could easily say that htaccess files predates Apache itself.

Once I discovered what .htaccess files could do towards helping me enumerate and exploit security vulnerabilities even on big shared-hosts I focused all my research into .htaccess files, meaning I was reading the venerable Apache HTTP Source code 24/7! I compiled every released version of the Apache Web Server, ever, even NCSA’s, and focused on enumerating the most powerful htaccess directives. Good times! Because my focus was on protocol/file/network vulnerabilites instead of web dev I built up a nice toolbox of htaccess tricks to do unusual things. When I switched over to webdev in 2005 I started using htaccess for websites, not research. I documented most of my favorites and rewrote the htaccess guide for webdevelopers. After some great encouragement on various forums and nets I decided to start a blog to share my work with everyone, AskApache.com was registered, I published my guide, and it was quickly plagiarized and scraped all over the net. Information is freedom, and freedom is information, so this blog has the least restrictive copyright for you. Feel free to modify, copy, republish, sell, or use anything on this site ;)

· htaccesss  ·  RSS | 9:05 AM

---

Htaccess SetEnvIf and SetEnvIfNoCase Examples

SetEnv, SetEnvIf, and SetEnvIfNoCase directives conditionally set environment variables accessible by scripts and apache based on HTTP Headers, Variables, and Request information.

• Unique mod_setenvif Variables
• Populates HTTP_MY_ Variables with mod_setenvif variable values
• Set REMOTE_HOST to HTTP_HOST
• Allows only if HOST Header is present in request
• Add values from HTTP Headers
• Set the REDIRECT_STATUS for Interpreter Security

· htaccess  ·  RSS | 1:36 PM

---

Apache HTTPD and Module API Versions

A list of API Versions and the corresponding HTTPD Version, for use in determining the version of Apache currently running without having to rely on the often inaccurate SERVER_SOFTWARE Header.

· Version  ·  RSS | 4:35 PM

---

Mod_Rewrite Variables Cheatsheet

We’ve figured out what mod_rewrite variables look like, a cheatsheet of the actual value.

· htaccess  ·  RSS | 1:05 AM

---

Mod_Security .htaccess tricks

Mod_Security rivals Mod_Rewrite in the amount of features it provides. I decided to go ahead and post what I learned about it today, even though its tough to give away such awesome htaccess and apache tricks.. Learn how to control spam once and for all, conditionally log/deny/allow/redirect requests based on IP, username, etc.. Mod_Security is so fine!

· SetEnvIf  ·  RSS | 2:17 AM

---

Log all .htaccess/.htpasswd logins

Learn how to log and debug usernames and passwords used to login to a htaccess basic authorization protected website using php. This article is BOSS and will show you how to fully take control of this aspect of security using php and .htaccess, I don’t believe you will find instructions to do this anywhere else on the net.

· authorization  ·  RSS | 9:20 PM

---

Apache Directives and Modules on DreamHost

Apache .htaccess Directives and Loaded Modules allowed on DreamHost Apache Server 2 Setups.

· directive  ·  RSS | 7:23 AM

---

Troubleshooting Apache .htaccess Authentication

Apache Web Server users have problems getting Apache Authentication/password-protection in htaccess working, this is a troubleshooting guide to get Password Protection working!

· password prompt  ·  RSS | 5:44 AM

---

Using FilesMatch and Files in htaccess

Some good examples for how to use the Files and FilesMatch directives in .htaccess files and httpd.conf files for Apache.

<FilesMatch "\.(htm|html|css|js|php)$">
AddDefaultCharset UTF-8
DefaultLanguage en-US
</FilesMatch>

· htaccess  ·  RSS | 4:46 PM

---

FastCGI on DreamHost

Using FastCGI on DreamHost and .htaccess

· DreamHost  ·  RSS | 11:01 AM

---

Setting charset in htaccess

Learning about charset’s and file types maybe pretty boring, but using .htaccess it can be fun! Here’s a quicklist htaccess cheatsheet for adding the correct Charset to a web document.

· charset  ·  RSS | 1:55 PM

---

---