Mod_Security rivals Mod_Rewrite in the amount of features it provides. I decided to go ahead and post what I learned about it today, even though it's tough to give away such awesome .htaccess and Apache tricks. Learn how to control spam once and for all, and how to conditionally log/deny/allow/redirect requests based on IP, username, etc. Mod_Security is so fine!
.htaccess file tutorials and htaccess articles
.htaccess (Hypertext Access) is the default name of Apache's directory-level configuration file. It provides the ability to customize configuration directives defined in the main configuration file. The configuration directives need to be valid in .htaccess context and the user needs appropriate permissions. See also .htaccess on IIS and Windows, and look at sample .htaccess files to really get good at creating htaccess files.
The directive quick reference (below) shows the usage, default, status, and context of each Apache configuration directive. For more information about each of these, see the Directive Dictionary.
Mod_Security .htaccess tricks
Blocking Bad Bots and Scrapers with .htaccess
Want to block a bad robot or web scraper using .htaccess files? Here are 2 methods that illustrate blocking 436 different user-agents.
Hacking WP Super Cache for Speed
A plugin built to generate static files from PHP+MySQL for Apache to serve the way it's supposed to be. My dream. Conclusion: needs some improvement, pretty sweet though.
Fresh .htaccess Examples: Cookies, Variables, Custom Headers
Fresh .htaccess code for you! Check out the cookie manipulation and environment variable usage with mod_rewrite! I also included a couple of Mod_Security .htaccess examples. Enjoy!
PHP Sessions/Cookies On The Fly
This article shows how to save and modify PHP session data and cookies, and do anything really, without using AJAX or iframes or forcing the user to make a request.
Securing php.ini and php.cgi with .htaccess
If you have a php.cgi or php.ini file in your /cgi-bin/ directory or another public directory, try requesting them from your web browser. If your php.ini shows up, or worse, you are able to execute your PHP CGI, you'll need to secure it ASAP. This shows several ways to secure these files, and other interpreters like Perl, FastCGI, bash, csh, etc.
Speed Tips: Add Cache-Control Headers
Using Cache-Control headers you can specify which types of proxies can cache certain content, and how long files should be cached.
Skeleton .htaccess file for Powweb Hosting
If you have a Powweb Webhosting account, you will appreciate this simple skeleton .htaccess file for use on their systems.
.htaccess mod_rewrite rewrite examples
A hit-list of some of my favorite mod_rewrite code snippets for .htaccess files
Log all .htaccess/.htpasswd logins
Learn how to log and debug the usernames and passwords used to log in to an .htaccess basic-authorization-protected website using PHP. This article is BOSS and will show you how to fully take control of this aspect of security using PHP and .htaccess; I don't believe you will find instructions to do this anywhere else on the net.
Context codes:

| Code | Context |
|---|---|
| s | server config |
| v | virtual host |
| d | directory |
| h | .htaccess |

Status codes:

| Code | Status |
|---|---|
| C | Core |
| M | MPM |
| B | Base |
| E | Extension |
| X | Experimental |
| T | External |
- AcceptPathInfo On|Off|Default
- Resources accept trailing pathname information
- Action action-type cgi-script [virtual]
- Activates a CGI script for a particular handler or content-type
- AddAlt
- Alternate text to display for a file, instead of an icon selected by filename
- AddAltByEncoding string MIME-encoding [ MIME-encoding ]
- Alternate text to display for a file instead of an icon selected by MIME-encoding
- AddAltByType
- Alternate text to display for a file, instead of an icon selected by MIME content-type
- AddCharset charset extension [ extension ]
- Maps the given filename extensions to the specified content charset
- AddDefaultCharset
- Default charset parameter to be added when a response content-type is text/plain or text/html
- AddDescription string file [ file ]
- Description to display for a file
- AddEncoding
- Maps the given filename extensions to the specified encoding type
- AddHandler handler-name extension [ extension ]
- Maps the filename extensions to the specified handler
- AddIcon
- Icon to display for a file selected by name
- AddIconByEncoding icon MIME-encoding [ MIME-encoding ]
- Icon to display next to files selected by MIME content-encoding
- AddIconByType
- Icon to display next to files selected by MIME content-type
- AddInputFilter filter [; filter ...] extension [ extension ]
- Maps filename extensions to the filters that will process client requests
- AddLanguage
- Maps the given filename extension to the specified content language
- AddOutputFilter
- Maps filename extensions to the filters that will process responses from the server
- AddOutputFilterByType filter [; filter ...] MIME-type [ MIME-type ]
- Assigns an output filter to a particular MIME-type
- AddType
- Maps the given filename extensions onto the specified content type
- Allow from all|host|env=env-variable [host|env=env-variable]
- Controls which hosts can access an area of the server
- Anonymous user [ user ]
- Specifies userIDs that are allowed access without password verification
- Anonymous_LogEmail On|Off
- Sets whether the password entered will be logged in the error log
- Anonymous_MustGiveEmail On|Off
- Specifies whether blank passwords are allowed
- Anonymous_NoUserID On|Off
- Anonymous_VerifyEmail On|Off
- Sets whether to check the password field for a correctly formatted email address
- AuthBasicAuthoritative On|Off
- Sets whether authorization and authentication are passed to lower level modules
- AuthBasicProvider provider-name [ provider-name ]
- AuthDBMGroupFile file-path
- Sets the name of the database file containing the list of user groups for authorization
- AuthDBMType default|SDBM|GDBM|NDBM|DB
- Sets the type of database file that is used to store passwords
- AuthDBMUserFile file-path
- Sets the name of a database file containing the list of users and passwords for authentication
- AuthDefaultAuthoritative On|Off
- Sets whether authentication is passed to lower level modules
- AuthDigestAlgorithm MD5|MD5-sess
- Selects the algorithm used to calculate the challenge and response hashes in digest authentication
- AuthDigestDomain
- URIs that are in the same protection space for digest authentication
- AuthDigestNonceFormat format
- AuthDigestNonceLifetime seconds
- How long the server nonce is valid
- AuthDigestProvider provider-name [ provider-name ]
- AuthDigestQop none|auth|auth-int [auth|auth-int]
- Determines the quality-of-protection to use in digest authentication
- AuthGroupFile file-path
- Sets the name of a text file containing the list of user groups for authorization
- AuthLDAPBindDN distinguished-name
- AuthLDAPBindPassword password
- Password used in conjunction with the bind DN
- AuthLDAPCompareDNOnServer on|off
- Use the LDAP server to compare the DNs
- AuthLDAPDereferenceAliases never|searching|finding|always
- AuthLDAPGroupAttribute attribute
- LDAP attributes used to check for group membership
- AuthLDAPGroupAttributeIsDN on|off
- Use the DN of the client username when checking for group membership
- AuthLDAPRemoteUserAttribute uid
- Use the value of the attribute returned during the user query to set the REMOTE_USER environment variable
- AuthLDAPRemoteUserIsDN on|off
- Use the DN of the client username to set the REMOTE_USER environment variable
- AuthLDAPUrl url [NONE|SSL|TLS|STARTTLS]
- URL specifying the LDAP search parameters
- AuthName
- Authorization realm for use in HTTP authentication
- AuthType Basic|Digest
- AuthUserFile file-path
- Sets the name of a text file containing the list of users and passwords for authentication
- AuthzDBMType default|SDBM|GDBM|NDBM|DB
- Sets the type of database file that is used to store list of user groups
- AuthzDefaultAuthoritative On|Off
- Sets whether authorization is passed to lower level modules
- AuthMergeRules on | off
- Set to 'on' to allow the parent's <Directory> or <Location> authz rules to be merged into the current <Directory> or <Location>. Set to 'off' to disable merging. If set to 'off', only the authz rules defined in the current <Directory> or <Location> block will apply.
- BrowserMatch
- Sets environment variables conditional on HTTP User-Agent
- BrowserMatchNoCase
- Sets environment variables conditional on User-Agent without respect to case
- CGIMapExtension cgi-path .extension
- Technique for locating the interpreter for CGI scripts
- CharsetDefault charset
- CharsetOptions option [ option ]
- Configures charset translation behavior
- CharsetSourceEnc charset
- CheckCaseOnly on|off
- Limits the action of the speling module to case corrections
- CheckSpelling on|off
- Enables the spelling module
- ContentDigest On|Off
- Enables the generation of Content-MD5 HTTP response headers
- CookieDomain domain
- The domain to which the tracking cookie applies
- CookieExpires expiry-period
- CookieName token
- CookieStyle Netscape|Cookie|Cookie2|RFC2109|RFC2965
- Format of the cookie header field
- CookieTracking on|off
- DefaultIcon
- Icon to display for files when no specific icon is configured
- DefaultLanguage MIME-lang
- Sets all files in the given scope to the specified language
- DefaultType
- MIME content-type that will be sent if the server cannot determine a type in any other way
- Deny from all|host|env=env-variable [host|env=env-variable]
- Controls which hosts are denied access to the server
- DirectoryIndex local-url [ local-url ]
- List of resources to look for when the client requests a directory
- DirectorySlash On|Off
- Toggle trailing slash redirects on or off
- EnableMMAP On|Off
- Use memory-mapping to read files during delivery
- EnableSendfile On|Off
- ErrorDocument error-code document
- What the server will return to the client in case of an error
- Example
- Demonstration directive to illustrate the Apache module API
- ExpiresActive On|Off
- ExpiresByType
- Value of the Expires header configured by MIME type
- ExpiresDefault
- FileETag
- File attributes used to create the ETag HTTP response header
- <Files filename > ... </Files>
- Contains directives that apply to matched filenames
- <FilesMatch regex> ... </FilesMatch>
- Contains directives that apply to regular-expression matched filenames
- FilterChain [+=-@!] filter-name ...
- Configure the filter chain
- FilterDeclare filter-name [type]
- FilterProtocol filter-name [ provider-name ] proto-flags
- Deal with correct HTTP protocol handling
- FilterProvider filter-name provider-name [req|resp|env]= dispatch match
- ForceLanguagePriority None|Prefer|Fallback [Prefer|Fallback]
- Action to take if a single acceptable document is not found
- ForceType MIME-type |None
- Forces all matching files to be served with the specified MIME content-type
- Header
- Configure HTTP response headers
- HeaderName
- Name of the file that will be inserted at the top of the index listing
- <IfDefine [!]parameter-name> ... </IfDefine>
- Encloses directives that will be processed only if a test is true at startup
- <IfModule [!]module-file|module-identifier> ... </IfModule>
- Encloses directives that are processed conditional on the presence or absence of a specific module
- <IfVersion [[!]operator] version> ... </IfVersion>
- Contains version-dependent configuration
- ImapBase map|referer|URL
- Default: http://servername/ (context: s, v, d, h; status: B)
- ImapDefault
- Default action when an imagemap is called with coordinates that are not explicitly mapped
- ImapMenu none|formatted|semiformatted|unformatted
- Action if no coordinates are given when calling an imagemap
- IndexIgnore file [ file ]
- Adds to the list of files to hide when listing a directory
- IndexOptions
- Various configuration settings for directory indexing
- IndexOrderDefault Ascending|Descending Name|Date|Size|Description
- Sets the default ordering of the directory index
- IndexStyleSheet url-path
- ISAPIAppendLogToErrors on|off
- Record HSE_APPEND_LOG_PARAMETER requests from ISAPI extensions to the error log
- ISAPIAppendLogToQuery on|off
- Record HSE_APPEND_LOG_PARAMETER requests from ISAPI extensions to the query field
- ISAPIFakeAsync on|off
- ISAPILogNotSupported on|off
- Log unsupported feature requests from ISAPI extensions
- ISAPIReadAheadBuffer
- Size of the Read Ahead Buffer sent to ISAPI extensions
- LanguagePriority
- The precedence of language variants for cases where the client does not express a preference
- LDAPTrustedClientCert type directory-path/filename/nickname [password]
- Sets the file containing or nickname referring to a per connection client certificate. Not all LDAP toolkits support per connection client certificates.
- <Limit method [method] ... > ... </Limit>
- Restrict enclosed access controls to only certain HTTP methods
- <LimitExcept method [method] ... > ... </LimitExcept>
- Restrict access controls to all HTTP methods except the named ones
- LimitRequestBody
- Restricts the total size of the HTTP request body sent from the client
- LimitXMLRequestBody bytes
- MetaDir directory
- Name of the directory to find CERN-style meta information files
- MetaFiles on|off
- MetaSuffix suffix
- File name suffix for the file containing CERN-style meta information
- MultiviewsMatch Any|NegotiatedOnly|Filters|Handlers [Handlers|Filters]
- The types of files that will be included when searching for a matching file with MultiViews
- Options
- Configures what features are available in a particular directory
- Order
- Controls the default access state and the order in which Allow and Deny are evaluated
- PassEnv
- Passes environment variables from the shell
- ReadmeName
- Name of the file that will be inserted at the end of the index listing
- Redirect [ status ] URL-path URL
- Sends an external redirect asking the client to fetch a different URL
- RedirectMatch
- Sends an external redirect based on a regular expression match of the current URL
- RedirectPermanent URL-path URL
- Sends an external permanent redirect asking the client to fetch a different URL
- RedirectTemp
- Sends an external temporary redirect asking the client to fetch a different URL
- Reject entity-name [ entity-name ]
- Rejects authenticated users or host based requests from accessing a resource
- RemoveCharset
- Removes any character set associations for a set of file extensions
- RemoveEncoding
- Removes any content encoding associations for a set of file extensions
- RemoveHandler
- Removes any handler associations for a set of file extensions
- RemoveInputFilter
- Removes any input filter associations for a set of file extensions
- RemoveLanguage
- Removes any language associations for a set of file extensions
- RemoveOutputFilter
- Removes any output filter associations for a set of file extensions
- RemoveType
- Removes any content type associations for a set of file extensions
- RequestHeader set|append|merge|add|unset|edit header [value] [replacement] [early|env=[!]variable]
- Configure HTTP request headers
- Require
- Selects which authenticated users can access a resource
- RewriteBase URL-path
- Sets the base URL for per-directory rewrites
- RewriteCond TestString CondPattern
- RewriteEngine on|off
- Enables or disables runtime rewriting engine
- RewriteOptions Options
- RewriteRule Pattern Substitution [flags]
- Defines rules for the rewriting engine
- RLimitCPU seconds|max [seconds|max]
- Limits the CPU consumption of processes launched by Apache children
- RLimitMEM bytes|max [bytes|max]
- Limits the memory consumption of processes launched by Apache children
- RLimitNPROC number|max [number|max]
- Limits the number of processes that can be launched by processes launched by Apache children
- Satisfy Any|All
- Interaction between host-level access control and user authentication
- <SatisfyAll> ... </SatisfyAll>
- Enclose a group of authorization directives that must all be satisfied in order to grant access to a resource. This block allows for 'AND' logic to be applied to various authorization providers.
- <SatisfyOne> ... </SatisfyOne>
- Enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource. This block allows for 'OR' logic to be applied to various authorization providers.
- ScriptInterpreterSource Registry|Registry-Strict|Script
- Technique for locating the interpreter for CGI scripts
- ServerSignature On|Off|EMail
- Configures the footer on server-generated documents
- SetEnv env-variable value
- Sets environment variables
- SetEnvIf
- Sets environment variables based on attributes of the request
- SetEnvIfNoCase
- Sets environment variables based on attributes of the request without respect to case
- SetHandler handler-name|None
- Forces all matching files to be processed by a handler
- SetInputFilter filter [; filter ...]
- Sets the filters that will process client requests and POST input
- SetOutputFilter
- Sets the filters that will process responses from the server
- SSIEnableAccess on|off
- Enable the -A flag during conditional flow control processing.
- SSIErrorMsg
- Error message displayed when there is an SSI error
- SSITimeFormat
- Configures the format in which date strings are displayed
- SSIUndefinedEcho string
- SSLCipherSuite
- Cipher Suite available for negotiation in SSL handshake
- SSLOptions [+|-]option
- Configure various SSL engine run-time options
- SSLProxyCipherSuite
- Cipher Suite available for negotiation in SSL proxy handshake
- SSLProxyVerify level
- Type of remote server Certificate verification
- SSLProxyVerifyDepth
- Maximum depth of CA Certificates in Remote Server Certificate verification
- SSLRequire
- Allow access only when an arbitrarily complex boolean expression is true
- SSLRequireSSL
- Deny access when SSL is not used for the HTTP request
- SSLUserName varname
- SSLVerifyClient level
- Type of Client Certificate verification
- SSLVerifyDepth
- Maximum depth of CA Certificates in Client Certificate verification
- UnsetEnv
- Removes variables from the environment
- XBitHack on|off|full
- Parse SSI directives in files with the execute bit set