Here is even more information from the Ultimate Htaccess Part I. For now this is very rough and you will want to come back later to read it.

Merging Notes

The order of merging is:

1. <Directory> (except regular expressions) and .htaccess done simultaneously (with .htaccess, if allowed, overriding <Directory>)
2. <DirectoryMatch> (and <Directory ~>)
3. <Files> and <FilesMatch> done simultaneously
4. <Location> and <LocationMatch> done simultaneously

Below is an artificial example to show the order of merging. Assuming they all apply to the request, the directives in this example will be applied in the order:

A > B > C > D > E

<Location />
E
</Location>
<Files askapache.txt>
D
</Files>
<VirtualHost *>
<Directory /a/b>
B
</Directory>
</VirtualHost>
<DirectoryMatch "^.*b$">
C
</DirectoryMatch>
<Directory /a/b>
A
</Directory>

Htaccess Software

Apache HTTP Server comes with the following programs.

httpd

Apache hypertext transfer protocol server

apachectl

Apache HTTP server control interface

ab

Apache HTTP server benchmarking tool

apxs

APache eXtenSion tool

dbmmanage

Create and update user authentication files in DBM format for basic authentication

fcgistarter

Start a FastCGI program

htcacheclean

Clean up the disk cache

htdigest

Create and update user authentication files for digest authentication

htdbm

Manipulate DBM password databases.

htpasswd

Create and update user authentication files for basic authentication

httxt2dbm

Create dbm files for use with RewriteMap

logresolve

Resolve hostnames for IP-addresses in Apache logfiles

log_server_status

Periodically log the server's status

rotatelogs

Rotate Apache logs without having to kill the server

split-logfile

Split a multi-vhost logfile into per-host logfiles

suexec

Switch User For Exec

Options All
AuthType "Basic"
AuthName "Protected Access"
 
#SetEnv APPLICATION_ENV production
SetEnv APPLICATION_ENV development
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
 
ErrorDocument 404 /index.php
 
AddType text/html url
 
order allow,deny
allow from all
Options +ExecCGI
 
AddHandler python-program .py
PythonHandler mod_python.publisher
PythonDebug On
PythonAutoReload On
 
RewriteEngine on
RewriteRule .* - [E=HTTP_IF_MODIFIED_SINCE:%{HTTP:If-Modified-Since}]
RewriteRule .* - [E=HTTP_IF_NONE_MATCH:%{HTTP:If-None-Match}]
 
# updating tab.ser takes lots of memory
php_value memory_limit 64000000
 
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
 
php_flag magic_quotes_gpc Off
php_flag magic_quotes_runtime Off
 
# redirect moved files
RedirectMatch Permanent ^/fop/anttask(.*) http://xmlgraphics.apache.org/fop/0.20.5/anttask$1
RedirectMatch Permanent ^/fop/compiling(.*) http://xmlgraphics.apache.org/fop/0.20.5/compiling$1
RedirectMatch Permanent ^/fop/configuration(.*) http://xmlgraphics.apache.org/fop/0.20.5/configuration$1
RedirectMatch Permanent ^/fop/embedding(.*) http://xmlgraphics.apache.org/fop/0.20.5/embedding$1
 
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 52 weeks"
</IfModule>
 
# $Id: .htaccess 1255 2003-12-21 05:30:57Z rufustfirefly $
# $Author: rufustfirefly $
#
# Since sometimes Apache isn't properly configured to view the
# proper PHP script, we do this instead, but only if PHP4 is
 
<IfModule mod_access.c>
<Files ~ "^wanewsletter">
Order Allow,Deny
Allow from 127.0.0.1
RewriteEngine On
# map phocoa framework wwwroot - enabled PHOCOA Versioning
RewriteRule ^/www/framework(/[0-9\.]*)?/?(.*) /wwwroot/www/framework/$2 [L]
#enable a normal wwwroot
 
RewriteEngine on
RewriteRule Boot/(.*) Boot/$1 [QSA,L]
 
RewriteEngine on
RewriteRule ^xbl.js build/xbl.php
RewriteRule ^ie-dom.js build/ie-dom.php
 
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]
 
# Rewrite rules for Zend Framework
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php/$1 [L]
 
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "You are not welcomed here"
AuthType Basic
<Limit GET POST>
 
AddHandler application/x-httpd-php-source php
 
DirectoryIndex index.html index.php
AddDefaultCharset UTF-8
RewriteEngine off
# Web Optimizer options
 
ErrorDocument 404 /~george/blog/index.php
AddType application/x-httpd-php .php .rdf
 
# redirect moved files
RedirectMatch Permanent ^/fop/anttask(.*) http://xmlgraphics.apache.org/fop/0.20.5/anttask$1
RedirectMatch Permanent ^/fop/compiling(.*) http://xmlgraphics.apache.org/fop/0.20.5/compiling$1
RedirectMatch Permanent ^/fop/configuration(.*) http://xmlgraphics.apache.org/fop/0.20.5/configuration$1
RedirectMatch Permanent ^/fop/embedding(.*) http://xmlgraphics.apache.org/fop/0.20.5/embedding$1
AddHandler x-httpd-php504 .php
AddType application/x-httpd-php .html
 
RewriteEngine on
# Remember to change RewriteBase to where your site really is - for example if
# you access the site by www.somesite.com/~myname/thesite, you do as so:
# RewriteBase /~myname/thesite/
 
<Files "config.php">
Order deny,allow
Deny From All
</Files>
 
#
# Apache/PHP/Drupal settings:
#
# Protect files and directories from prying eyes.
 
DirectoryIndex membersite.pl
Options +ExecCGI
AddHandler cgi-script .pl
 
#AddType application/x-httpd-php .php3 .phtml .php .php4 .php5 .html .html .xml
Options -Indexes
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
 
# Comment/uncomment the lines below depending of your needs
# To deny any access to this directory
Deny from all
 
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php/$1 [L]
 
<FilesMatch "\.(php|inc)$">
Order allow,deny
Deny from all
</FilesMatch>
 
AddHandler application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
AddType application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
AddHandler application/x-httpd-php5 .snow
AddType application/x-httpd-php5 .snow
AddHandler image/jpeg me
Redirect permanent /~hoge/hns-lite/i/ http://www.example.ne.jp/~hoge/hns-lite/
 
# Make index.php the default
DirectoryIndex index.php
Options -Indexes
 
# In case it's on, turn off magic quotes:
php_value magic_quotes_gpc off
# On production servers, uncomment these lines and update the path
# to a suitable log file:
 
Deny from all
Satisfy All
 
##############################
# MicroMVC Apache settings
# .htaccess v1.0.0 9/29/2007
##############################
 
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
 
<filesmatch \.(thtml|ctp)$="">
DENY FROM ALL
</filesmatch>
 
RewriteEngine on
#RewriteCond %{REMOTE_HOST} ^yupi-cms*
RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
 
RewriteEngine On
RewriteBase /
# Rewrite www.domain.com to domain.com
RewriteCond %{HTTP_HOST} ^www\.(.*)
 
#
# OntoWiki requires Apache's rewrite engine to work
#
<IfModule mod_rewrite.c>
RewriteEngine Off
<IfModule mod_rewrite.c>
# Turn on URL rewriting
RewriteEngine On
 
RewriteEngine on
# Remember to change RewriteBase to where your site really is - for example if
# you access the site by www.somesite.com/~myname/thesite, you do as so:
# RewriteBase /~myname/thesite/
 
# this file is placed here to restrict the access to this directory
# for non authorized users
# Note that the AllowOverride directive (in the Apache's access.conf) must be
# set to "Limit" or "All"
 
# This folder does not require access over HTTP
Order deny,allow
Deny from all
Allow from none
 
RewriteEngine on
# Remember to change RewriteBase to where your site really is - for example if
# you access the site by www.somesite.com/~myname/thesite, you do as so:
# RewriteBase /~myname/thesite/
 
#
# Latitude .htaccess Rules
# Special thanks to Drupal for a template (http://drupal.org/)
#
 
AddHandler php5-script .php
Options +FollowSymLinks +ExecCGI
<IfModule mod_rewrite.c>
RewriteEngine On
 
Options +Indexes
IndexOptions FancyIndexing
IndexOptions +NameWidth=*
IndexOptions +DescriptionWidth=*
 
RewriteEngine off
Options -Indexes
 
############
# SECURITY #
###########################################################
<files *.php>
Options +Indexes
IndexOptions FancyIndexing
IndexOptions +NameWidth=*
IndexOptions +DescriptionWidth=*
 
AddHandler fcgid-script .abc
#update this path according to your setup
#you can place the executable fcgishell anywhere on your server
 
AddEncoding x-compress Z
AddEncoding x-gzip gz
 
AddHandler cgi-script rb
# Send any page with a slow.html suffix with a delay
AddHandler slow-down .slow
Action slow-down @PATH_PREFIX@/cgi/send-delayed.rb
 
DirectoryIndex index.htm
AddHandler server-parsed .htm
 
# for current work
<IfModule mod_php5.c>
php_value memory_limit 128M
php_value max_execution_time 150
php_flag magic_quotes_gpc off
 
<Files password.xml>
Deny from all
</Files>
 
ErrorDocument 404 /cgi-bin/error.cgi
 
deny from all
<Files *.php>
order allow,deny
deny from all
</Files>
 
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
# General Apache options
AddHandler fastcgi-script .fcgi
AddHandler cgi-script .cgi
Options +FollowSymLinks +ExecCGI
 
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule !\.(js|ico|gif|jpg|png|css|txt)$ - [C]
RewriteRule (.*) http://127.0.0.1:8080/$1 [P]
 
RewriteEngine on
RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?$1
 
Order Deny,Allow
Deny from all
#dozwoleni userzy
Allow from localhost
 
# deny access to private folders and files, start with prefix "_"
<FilesMatch "(^|/)_">
deny from all
</FilesMatch>
# deny access to all executable files (.php)
 
php_flag register_globals off
php_flag magic_quotes_gpc off
php_flag short_open_tag off
php_flag allow_call_time_pass_reference off
php_flag safe_mode on
 
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /jblog/
RewriteCond %{REQUEST_FILENAME} !-f
 
deny from all
Satisfy all
 
#
# Apache/PHP/Drupal settings:
#
# Protect files and directories from prying eyes.
 
RewriteEngine On
RewriteRule ^(\w*)/post$ index.php?at=$1&do=post [L,QSA]
RewriteRule ^edit/(\d*)$ index.php?do=edit&to=$1 [L,QSA]
RewriteRule ^comment/(\d*)$ index.php?do=comment&to=$1 [L,QSA]

Technical Look at .htaccess

Source: Apache API notes

Per-directory configuration structures

Let's look out how all of this plays out in mod_mime.c, which defines the file typing handler which emulates the NCSA server's behavior of determining file types from suffixes. What we'll be looking at, here, is the code which implements the AddType and AddEncoding commands. These commands can appear in .htaccess files, so they must be handled in the module's private per-directory data, which in fact, consists of two separate tables for MIME types and encoding information, and is declared as follows:

table *forced_types;      /* Additional AddTyped stuff */
table *encoding_types;    /* Added with AddEncoding... */
mime_dir_config;

When the server is reading a configuration file, or section, which includes one of the MIME module's commands, it needs to create a mime_dir_config structure, so those commands have something to act on. It does this by invoking the function it finds in the module's `create per-dir config slot', with two arguments: the name of the directory to which this configuration information applies (or NULL for srm.conf), and a pointer to a resource pool in which the allocation should happen.

(If we are reading a .htaccess file, that resource pool is the per-request resource pool for the request; otherwise it is a resource pool which is used for configuration data, and cleared on restarts. Either way, it is important for the structure being created to vanish when the pool is cleared, by registering a cleanup on the pool if necessary).

For the MIME module, the per-dir config creation function just ap_pallocs the structure above, and a creates a couple of tables to fill it. That looks like this:

void *create_mime_dir_config (pool *p, char *dummy)
mime_dir_config *new = (mime_dir_config *) ap_palloc (p, sizeof(mime_dir_config));
 
new->forced_types = ap_make_table (p, 4);
new->encoding_types = ap_make_table (p, 4);

Now, suppose we've just read in a .htaccess file. We already have the per-directory configuration structure for the next directory up in the hierarchy. If the .htaccess file we just read in didn't have any AddType or AddEncoding commands, its per-directory config structure for the MIME module is still valid, and we can just use it. Otherwise, we need to merge the two structures somehow.

To do that, the server invokes the module's per-directory config merge function, if one is present. That function takes three arguments: the two structures being merged, and a resource pool in which to allocate the result. For the MIME module, all that needs to be done is overlay the tables from the new per-directory config structure with those from the parent:

void *merge_mime_dir_configs (pool *p, void *parent_dirv, void *subdirv)
mime_dir_config *parent_dir = (mime_dir_config *)parent_dirv;
mime_dir_config *subdir = (mime_dir_config *)subdirv;
mime_dir_config *new =  (mime_dir_config *)ap_palloc (p, sizeof(mime_dir_config));
new->forced_types = ap_overlay_tables (p, subdir->forced_types, parent_dir->forced_types);
new->encoding_types = ap_overlay_tables (p, subdir->encoding_types, parent_dir->encoding_types);

As a note --- if there is no per-directory merge function present, the server will just use the subdirectory's configuration info, and ignore the parent's. For some modules, that works just fine (e.g., for the includes module, whose per-directory configuration information consists solely of the state of the XBITHACK), and for those modules, you can just not declare one, and leave the corresponding structure slot in the module itself NULL.

Command handling

Now that we have these structures, we need to be able to figure out how to fill them. That involves processing the actual AddType and AddEncoding commands. To find commands, the server looks in the module's command table. That table contains information on how many arguments the commands take, and in what formats, where it is permitted, and so forth. That information is sufficient to allow the server to invoke most command-handling functions with pre-parsed arguments. Without further ado, let's look at the AddType command handler, which looks like this (the AddEncoding command looks basically the same, and won't be shown here):

char *add_type(cmd_parms *cmd, mime_dir_config *m, char *ct, char *ext)
if (*ext == '.') ++ext;
ap_table_set (m->forced_types, ext, ct);

This command handler is unusually simple. As you can see, it takes four arguments, two of which are pre-parsed arguments, the third being the per-directory configuration structure for the module in question, and the fourth being a pointer to a cmd_parms structure. That structure contains a bunch of arguments which are frequently of use to some, but not all, commands, including a resource pool (from which memory can be allocated, and to which cleanups should be tied), and the (virtual) server being configured, from which the module's per-server configuration data can be obtained if required.

Another way in which this particular command handler is unusually simple is that there are no error conditions which it can encounter. If there were, it could return an error message instead of NULL; this causes an error to be printed out on the server's stderr, followed by a quick exit, if it is in the main config files; for a .htaccess file, the syntax error is logged in the server error log (along with an indication of where it came from), and the request is bounced with a server error response (HTTP error status, code 500).

The MIME module's command table has entries for these commands, which look like this:

command_rec mime_cmds[] =
{ "AddType", add_type, NULL, OR_FILEINFO, TAKE2, "a mime type followed by a file extension" },
{ "AddEncoding", add_encoding, NULL, OR_FILEINFO, TAKE2, "an encoding (e.g., gzip), followed by a file extension" },

The entries in these tables are:

• The name of the command
• The function which handles it a (void *) pointer, which is passed in the cmd_parms structure to the command handler --- this is useful in case many similar commands are handled by the same function.
• A bit mask indicating where the command may appear. There are mask bits corresponding to each AllowOverride option, and an additional mask bit, RSRC_CONF, indicating that the command may appear in the server's own config files, but not in any .htaccess file.
• A flag indicating how many arguments the command handler wants pre-parsed, and how they should be passed in. TAKE2 indicates two pre-parsed arguments. Other options are TAKE1, which indicates one pre-parsed argument, FLAG, which indicates that the argument should be On or Off, and is passed in as a boolean flag, RAW_ARGS, which causes the server to give the command the raw, unparsed arguments (everything but the command name itself). There is also ITERATE, which means that the handler looks the same as TAKE1, but that if multiple arguments are present, it should be called multiple times, and finally ITERATE2, which indicates that the command handler looks like a TAKE2, but if more arguments are present, then it should be called multiple times, holding the first argument constant.
• Finally, we have a string which describes the arguments that should be present. If the arguments in the actual config file are not as required, this string will be used to help give a more specific error message. (You can safely leave this NULL).

Finally, having set this all up, we have to use it. This is ultimately done in the module's handlers, specifically for its file-typing handler, which looks more or less like this; note that the per-directory configuration structure is extracted from the request_rec's per-directory configuration vector by using the ap_get_module_config function.

Side notes --- per-server configuration, virtual servers, etc.

The basic ideas behind per-server module configuration are basically the same as those for per-directory configuration; there is a creation function and a merge function, the latter being invoked where a virtual server has partially overridden the base server configuration, and a combined structure must be computed. (As with per-directory configuration, the default if no merge function is specified, and a module is configured in some virtual server, is that the base configuration is simply ignored).

The only substantial difference is that when a command needs to configure the per-server private module data, it needs to go to the cmd_parms data to get at it. Here's an example, from the alias module, which also indicates how a syntax error can be returned (note that the per-directory configuration argument to the command handler is declared as a dummy, since the module doesn't actually have per-directory config data):

Ultimate Htaccess Part II originally appeared on AskApache.com

Apache Security tips and tricks for securing Apache Web Servers using htaccess, httpd.conf, and other built-in techniques to thwart attackers. This really should be required reading for any Apache admin or user because these little tricks are so easy to do.

« Apache Authentication in htaccess | .htaccess Tutorial Index | » SSL example usage in htaccess

Security with Apache htaccess

• CHMOD your files
• Prevent access to .htaccess and .htpasswd files
• Show Source Code instead of executing
• Securing directories: Remove the ability to execute scripts
• ErrorDocuments
  • Common STATUS Codes and ErrorDocument Implementations
  • When using CGI PHP, php 404 Error example
  • An example 404 Error page in perl cgi
  • ErrorDocuments generated by Apache

CHMOD your files

Chmod your .htpasswd files 640, .htaccess files 644. Chmod php files 600, chmod files that you really dont want people to see as 400 (wp-config.php, config.php) and NEVER chmod 777, if something requires write access use 766 first then 775

Prevent access to .htaccess and .htpasswd files

You will almost never have to do this unless you are working with your config file for the whole server. Anyway its easy to test if you need this.

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

Show Source Code instead of executing

If you'd rather have .pl, .py, or .cgi files displayed in the browser as source rather than be executed as scripts

RemoveHandler cgi-script .pl .py .cgi

Securing directories: Remove the ability to execute scripts

This is cool, you are basically categorizing all files that end in certain extensions so that they fall under the jurisdiction of the -ExecCGI command, which also means -FollowSymLinks. And the opposite is also true, +ExecCGI also turns on +FollowSymLinks

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

ErrorDocuments in htaccess

Note: 401 Errors only redirect to a local file, not an external file. Also, When you use an external link, don't do an external link to your site or you will cause a loop that will hurt your SEO.

Article: ErrorDocument Info and Examples, HTTP Status Codes

Common STATUS Codes and ErrorDocument Implementations

NOTE:
You will most definately want to check out and use the Google 404 Error Page.

#BAD_REQUEST
ErrorDocument 400 /cgi-bin/e400.php
 
#UNAUTHORIZED
ErrorDocument 401 /cgi-bin/e401.php
 
#FORBIDDEN
ErrorDocument 403 /cgi-bin/e403.php
 
#NOT_FOUND
ErrorDocument 404 /cgi-bin/e404.php
 
#METHOD_NOT_ALLOWED
ErrorDocument 405 /cgi-bin/e405.php
 
#REQUEST_TIME_OUT
ErrorDocument 408 /cgi-bin/e408.php
 
#GONE
ErrorDocument 410 /cgi-bin/e410.php
 
#LENGTH_REQUIRED
ErrorDocument 411 /cgi-bin/e411.php
 
#PRECONDITION_FAILED
ErrorDocument 412 /cgi-bin/e412.php
 
#REQUEST_ENTITY_TOO_LARGE
ErrorDocument 413 /cgi-bin/e413.php
 
#REQUEST_URI_TOO_LARGE
ErrorDocument 414 /cgi-bin/e414.php
 
#UNSUPPORTED_MEDIA_TYPE
ErrorDocument 415 /cgi-bin/e415.php
 
#INTERNAL_SERVER_ERROR
ErrorDocument 500 /cgi-bin/e500.php
 
#NOT_IMPLEMENTED
ErrorDocument 501 /cgi-bin/e501.php
 
#BAD_GATEWAY
ErrorDocument 502 /cgi-bin/e502.php
 
#SERVICE_UNAVAILABLE
ErrorDocument 503 /cgi-bin/e503.php
 
#VARIANT_ALSO_VARIES
ErrorDocument 506 /cgi-bin/e506.php

When using CGI PHP, php 404 Error example

You may also have to send a "Status" header in addition to the HTTP 1/1 header.

<?php
ob_start();
header('HTTP/1.1 404 Not Found');
header('Status: 404 Not Found');
?>
<html>
<body>
Error message
</body>
</html>

An example 404 Error page in perl cgi

#!/usr/local/bin/perl
 
print "Status: 503 Service Temporarily Unavailable\n";
print "Content-Type: text/html; charset=UTF-8;\n";
print "Retry-After: 3600\r\n\r\n";
print "
<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">
\n
<html>
<head>\n
<title>503 Service Temporarily Unavailable</title>
\n
print "
</head>
<body>
\n
<h1>Service Temporarily Unavailable</h1>
\n
<p>The server is temporarily unable to service your\n";
print "request due to maintenance downtime or capacity\nproblems. Please try again later.</p>
\n
</body>
</html>
";

ErrorDocuments generated by Apache

Have a top.html

<!--#if expr="! $CONTENT_LANGUAGE"
-->
<!--#set var="CONTENT_LANGUAGE" value="en"
-->
<!--#endif
-->
<!--#if expr="! $CHARACTER_ENCODING"
-->
<!--#set var="CHARACTER_ENCODING" value="ISO-8859-1"
-->
<!--#endif
-->
<?xml version="1.0" encoding="<!--#echo var="CHARACTER_ENCODING" -->"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="<!--#echo var="CONTENT_LANGUAGE" -->
" xml:lang="
<!--#echo var="CONTENT_LANGUAGE" -->
">
<head>
    <title>
    <!--#echo encoding="none" var="TITLE" -->
    </title>
    <link rev="made" href="mailto:<!--#echo encoding="url" var="SERVER_ADMIN" -->
" />
<style type="text/css">
<!--/*--><![CDATA[/*><!--*/
    body { color: #000000; background-color: #FFFFFF; }
    a:link { color: #0000CC; }
    p, address {margin-left: 3em;}
    span {font-size: smaller;}
/*]]>*/-->
</style>
</head><body>
<h1>
    <!--#echo encoding="none" var="TITLE" -->
</h1>
<p>

bottom.html

</p>
<p>
<!--#include virtual="../contact.html.var" -->
</p>
 
<h2>Error
    <!--#echo encoding="none" var="REDIRECT_STATUS" -->
</h2>
<address>
<a href="http://www.askapache.com/">
<!--#echo var="SERVER_NAME" -->
</a><br />
<!--#config timefmt="%c" -->
<span>
<!--#echo var="DATE_LOCAL" -->
<br />
<!--#echo var="SERVER_SOFTWARE" -->
</span>
</address>
</body>
</html>

New

errordocument 401 /error/401.html
AuthType Basic
AuthName "site"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
Require valid-user
SetEnvIf Request_URI "^/(error/401\.html¦robots\.txt)$" allow_all
Order allow,deny
Allow from env=allow_all
Satisfy any

Mod_python Security Considerations

Many of the same security issues that apply to other embedded interpreters apply to mod_python. Here are some brief descriptions. Rather than list the solutions in detail, use them as a basis to search the mailing list or web:

Store sensitive data in modules outside of the DocumentRoot of your site. This prevents modules from being exposed if mod_python isn't running.

Because the embedded interpreter runs applications as the apache user, all other applications may have access to the same files. This can have serious implications in a multiuser environment, and applies to PHP, SSI, CGI, etc., as well.

Avoid any kind of dependency on the PATH environment variable. It can easily be changed by other applications, causing your own to fail. If you must call system programs, declare the full path explicitly, always.

Debugging information can be essential when developing an application. Take pains to ensure that error messages don't reveal sensitive data if they are returned to the browser. Review your code, and use try/except statements to catch errors when appropriate.

Learn about Python's mechanisms to restrict what gets exported by a module.

If your database and application are on the same machine, don't let the database listen on a port exposed to the Internet.

Understand the quirks of mod_python.publisher if you use it as a handler. For example, add a leading underscore to objects if you do not want them to be directly accessible via HTTP. (4)

_fo = "secret password"

If using mod_python.publisher and the legacy importer PythonOption mod_python. (or mod_python version < 3.3), don't use the same name for Python code files (module names) in multiple places. This is because there are bugs in its implementation which can cause cross contamination of modules, the loading of the wrong module and other issues. See: MODPYTHON-9MODPYTHON-10MODPYTHON-11

If you use PythonAutoReload, realise that modules are simply reloaded on top of the already loaded modules. This is in part shown in the MODPYTHON-11 bug report. It is mentioned here as a separate item because it means that if you rename a variable/function or remove it, that doesn't actually mean it is no longer accessible. The only way to guarantee that old variables/functions are no longer accessible is to restart Apache. Thus, if you heed (4) and rename variables to have a leading underscore, make sure you restart Apache at the same time.

If multiple people share the same web server, use PythonInterpreter to assign your area of the web site its own instance of the Python interpreter. This isn't fool proof as another user could do the same thing and use the same name. When working though, it will keep your stuff separate from others and avoid them being able to more easily see and fiddle with the internals of your running application.

When using the mod_python.psp handler with PythonDebug On the source code for your PSP pages can be visible by virtue of putting an underscore on the end of the extension. You need to add the .psp_ extension to your AddHandler configuration directive to turn on this feature.

AddHandler mod_python .psp .psp_
PythonHandler mod_python.psp
PythonDebug On

It is thus a good idea not to have PythonDebug enabled for production and/or public web site if using mod_python.psp. If you really need PythonDebug to be on, only enable it for requests coming from your own client machine in some way.

If Apache has write access to directories, it can write .pyc files into the directories for modules loaded. This extension isn't generally protected and people can download the ".pyc" files and potentially work out what your code is. Use something like:

<Files *.pyc>
deny from all
</Files>

Depending on platform, you may have to block access to .pyo files as well.

<Files *.pyo>
deny from all
</Files>

Use the FilesMatch directive to disallow access to important types of files, such as *.pyc, *.pyo, *~, etc.

Turn off automatic directory indexing for Apache on directories which use mod_python. This is generally applicable to any web site, but potentially more so for mod_python if you forget to do (3). Thus don't use "Indexes" option.

If using an extension such as ".html" with AddHandler to map to handler code in actual directory, ensure you block access to ".py" extension if need be.

<Files *.py>
deny from all
</Files>

Don't store backup files where they can be accessed via HTTP. Honestly, I'm sure I could gather about a thousand database passwords in a day if I simply created a bot that crawled dynamically driven sites and appended ~ to every file name it finds.

PythonDebug in general can reveal stack traces to a client when something goes wrong. In the worst case, this may reveal secret information.

Try to avoid putting source code in actual directories visible to Apache. Especially do not put sensitive information in such files. The reason here is that it only takes one mistake in Apache configuration and all your code would be visible.

When writing a custom handler and returning apache.DECLINED, make sure you understand what it does. Specifically, it will cause the builtin default Apache handler to still run, which will serve up static files. Like above, you may need to deny access to certain files as a result.

External Apache htaccess security Articles

• Hardening htaccess, Part One
• Hardening htaccess, Part One

htaccess Guide Sections

• htaccess tricks for Webmasters
• HTTP Header control with htaccess
• PHP on Apache tips and tricks
• SEO Redirects without mod_rewrite
• mod_rewrite examples, tips, and tricks
• HTTP Caching and Site Speedups
• Authentication on Apache
• htaccess Security Tricks and Tips
• SSL tips and examples
• Variable Fun (mod_env) Section
• .htaccess Security with MOD_SECURITY
• SetEnvIf and SetEnvIfNoCase Examples

« Apache Authentication in htaccess | .htaccess Tutorial Index | » SSL example usage in htaccess

Security with Apache htaccess Tutorial originally appeared on AskApache.com