FREE THOUGHT · FREE SOFTWARE · FREE WORLD

THE Ultimate Htaccess

htaccess file .htaccess is a very ancient configuration file for web servers, and is one of the most powerful configuration files most webmasters will ever come across. This htaccess guide shows off the very best of the best htaccess tricks and code snippets from hackers and server administrators.

You've come to the right place if you are looking to acquire mad skills for using .htaccess files!

Apache, Hosting, Htaccess, Optimization, Security, SEO, Web Development, WordPress

Apache HTTPD and Module API Versions

A list of API Versions and the corresponding HTTPD Version, for use in determining the version of Apache currently running without having to rely on the often inaccurate SERVER_SOFTWARE Header.

Security

Boosting Googles PageSpeed Module with TMPFS

pagespeed-moduleGoogle's mod_pagespeed speeds up your site and reduces page load time. This open-source Apache HTTP server module automatically applies web performance best practices to pages, and associated assets (CSS, JavaScript, images), all transparently like a Squid Proxy.

With TMPFS you can dramatically improve the speed of mod_pagespeed and the webpages served by it. TMPFS will store/serve the optimized PageSpeed output directly from RAM!

Hosting

.htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog

.htaccess security plugin 2

Well what can I say, other than this is sooo DOPE! Here is a list of the modules this plugin (version 4.7 unreleased) will automatically detect. I compiled the list myself using every module included with any default Apache installation for ALL the versions listed below, 1.3 to 2.2+

Want to know something else I'm including in this plugin? For each and every module that is detected, this plugin can then detect ALL of the modules .htaccess Directives! For instance, RewriteRule, AccessFileName, AddHandler, etc.. are each a directive belonging to a module that is allowed to be used from within .htaccess files.

Talk about sick.. these tricks have the diamond disease!

WordPress

Caching Tutorial for Webmasters

If you examine the preferences dialog of any modern Web browser (like Internet Explorer, Safari or Mozilla), you'll probably notice a 'cache' setting. This lets you set aside a section of your computer's hard disk to store representations that you've seen, just for you. The browser cache works according to fairly simple rules. It will check to make sure that the representations are fresh, usually once a session (that is, the once in the current invocation of the browser).

Optimization

Notes from Apache HTTPD Source Code

thought I'd take a break from coding and post about how open-source is such a great tool for finding the best answers to the toughest questions,

/** is the status code informational */
#define ap_is_HTTP_INFO(x)         (((x) >= 100)&&((x) < 200))
/** is the status code OK ?*/

#define ap_is_HTTP_SUCCESS(x)      (((x) >= 200)&&((x) < 300))
/** is the status code a redirect */
#define ap_is_HTTP_REDIRECT(x)     (((x) >= 300)&&((x) < 400))

/** is the status code a error (client or server) */
#define ap_is_HTTP_ERROR(x)        (((x) >= 400)&&((x) < 600))
/** is the status code a client error  */

#define ap_is_HTTP_CLIENT_ERROR(x) (((x) >= 400)&&((x) < 500))
/** is the status code a server error  */
#define ap_is_HTTP_SERVER_ERROR(x) (((x) >= 500)&&((x) < 600))

/** is the status code a (potentially) valid response code?  */
#define ap_is_HTTP_VALID_RESPONSE(x) (((x) >= 100)&&((x) < 600))

Hacking

An AskApache Plugin Upgrade to Rule them All

apache-server-statusSo my blog as been rather quiet for almost a year now, and very few updates if any have been released for my Password Protection PLugin, my Google 404 Plugin, and definately not for my AskApache CrazyCache plugin, which I will be releasing last... So for all of you who've helped me out by sending me suggestions and notifying me of errors and sticking with it... Just wanted to say sorry about that, and thanks for all the great ideas.. Well, I've been sticking with it as well believe it our not. I manage to get free days once in a while, and then its time to jam.

WordPress

Security with Apache htaccess Tutorial

Apache Security tips and tricks for securing Apache Web Servers using htaccess, httpd.conf, and other built-in techniques to thwart attackers. This really should be required reading for any Apache admin or user because these little tricks are so easy to do.

Htaccess

Linux Debugging using a Bootloader with Kernel Parameters

grub awesomeAs an example, here is the boot line that I am using at the moment on an older Dell Desktop, just to illustrate module parameters and environment vars. 

title  Arch Linux X-256
linux   /vmlinuz-linux root=UUID rw rootfstype=ext4 elevator=noop selinux=0 plymouth.enable=0 raid=noautodetect ipv6.disable=1 video=DP1:d rcutree.rcu_idle_gp_delay=1 i915.panel_ignore_lid=-1 i915.modeset=1 TERM=rxvt-256color

Linux

WordPress Plugin for Apache .htaccess Security

Askapache Password Protect Security Features

  1. gzip's previous .htaccess file and sends it as an attachment to the logged in users email account along with password user setup.
  2. Now also works for sites running on SSL (PHP version >4.3.0)
  3. Rewrote the security module code in the form of snort, nessus, and mod_security rules and signatures
  4. Added a *real* check to see if mod_rewrite is installed
  5. Added Modules that remove directoryindexes
  6. Much more on the way..

WordPress

Mod_Security .htaccess tricks

Mod_Security rivals Mod_Rewrite in the amount of features it provides. I decided to go ahead and post what I learned about it today, even though its tough to give away such awesome htaccess and apache tricks.. Learn how to control spam once and for all, conditionally log/deny/allow/redirect requests based on IP, username, etc.. Mod_Security is so fine!

Htaccess

COMPUTER SECURITY TOOLBOX

List of mainly obscure security software geared more for the master pentester. These are mostly for unix, bsd, and mac and many are difficult to install and setup (require custom servers, inside access points, obscure libraries). Only programs that output data are included, so no actual exploits or anything. Most of these output extremely useful albeit extremely technical information.

Security

Questions I Ask Web Hosting Companies, Before Buying

The following is a transcript of a chat I had with a company called tektonic, and at that time I was looking for a cheap linux host to use for some redundancy/failover operations. I generally contact a new hosting company like this every few months.. I like to have options available in case of some kind of failure or network attack, so it's always a good idea to have a few ace linux servers in your back pocket.

If you've read any other articles on AskApache, you can see a certain obsession towards optimization, speed, and security -- so that is the purpose of the following questions.

Hosting

PHP Session File Hacks

What they say about kung-fu is true..

It can be attained by anyone through hard work over time. You can become as good as the amount of work you put in. Here's a short look at a basic technique that I use. Simply reverse engineering the source code and taking notes along the way...

static void php_session_send_cookie(TSRMLS_D)
  if (SG(headers_sent)) {
          if (output_start_filename) {
                  php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot send session cookie - headers already sent by (output started at %s:%d)",
                          output_start_filename, output_start_lineno);
          } else {
                  php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot send session cookie - headers already sent");
          }
          return;
  }

  /* URL encode session_name and id because they might be user supplied */
  e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)), NULL);

PHP

Securing php.ini and php.cgi with .htaccess

If you have a php.cgi or php.ini file in your /cgi-bin/ directory or other pub directory, try requesting them from your web browser. If your php.ini shows up or worse you are able to execute your php cgi, you'll need to secure it ASAP. This shows several ways to secure these files, and other interpreters like perl, fastCGI, bash, csh, etc.

Htaccess

AskApache Debug Viewer Plugin for WordPress

screenshot-1The story behind this plugin is sorta wack, but in a good way :). While doing tons of security research on permissions, authorization, access, etc.. for the Password Protection plugin (still being worked on), I needed to have unheard of debugging capabilities while working on the plugin on the various websites, webhosts, and test servers that I use to test in different environments. So I hacked together a bunch of php code that helped me debug, actually I pretty much went overkill and tried to get as much debugging info as programmatically possible, and it ended up being so much code that I took it out of my Password Protection code and made it its own plugin.

WordPress

AskApache Password Protection 4.7 Update in 2 Weeks

AskApache Debug Viewer OptionsI am now about 1 week away from publishing the much-anticipated 4.7 update to the AskApache Password Protection WordPress plugin. It's an upgrade I've been working on for almost 2 years (off and on)! I have been using the new version for quite some time now, and have made a lot of improvements to it, and finally I decided enough users have suffered with the old version. I am very excited for this release, it fixes all known bugs in the older versions, and brings some heavy-duty improvements to all facets of this plugin.. not to mention way better security modules (Lots more COOKIE use) based on code I use with clients.

WordPress