.htaccess examples

A .htaccess file is a configuration file supported by several web servers (including Apache) that allows for decentralized, per-directory management of web server configuration. .htaccess supports quite a few modifications and is quite flexible and customizable. The original purpose of .htaccess was directory access control (requiring a password to access the content). Its functionality nowadays goes well beyond access control, since a .htaccess file can override many other configuration settings such as content type, character set, handlers, and so on. The most common uses of .htaccess are:

  • Authorization, authentication
  • Blocking, allowing access
  • Rewriting URLs
  • Enable, disable Webserver options
  • Cache Control
  • MIME types

    Here are a few .htaccess examples to achieve certain functionality.

    Deny all traffic to the site

    Deny from all

    Deny all traffic and allow only one IP address

    Order deny,allow
    Deny from all
    Allow from 1.2.3.4

    where 1.2.3.4 is the IP address that you want to be permitted access.

    This can go even further and redirect all visitors to a different page while only your IP address (1.2.3.4) can access the site:

    ErrorDocument 403 http://www.google.com/
    Order deny,allow
    Deny from all
    Allow from 1.2.3.4

    Redirect one file to a new one

    Redirect 301 /old/file.html /new/file.html

    Redirect an entire directory

    RedirectMatch 301 /folder(.*) /$1

    Redirect all traffic to www

    This is quite handy if you want to keep your traffic and links using www:

    RewriteEngine On
    # Leave the crawler and browser files alone, redirect everything else
    RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
    RewriteCond %{HTTP_HOST} !^www\.hostingstuff\.net$ [NC]
    # The target must name the www host; a bare /$1 redirects back to the same host and loops
    RewriteRule ^(.*)$ http://www.hostingstuff.net/$1 [R=301,L]

    Setup custom error documents based on HTTP response code

    The syntax is quite simple and straightforward:

    ErrorDocument RESPONSE_CODE PAGE

    Here are a few .htaccess examples for 403, 404, 500 error codes:

    ErrorDocument 403 /403.html
    ErrorDocument 404 /404.html
    ErrorDocument 500 /500.html

    Enable directory listing and fancy indexing, declare the DirectoryIndex variable

    Options +Indexes
    IndexOptions +FancyIndexing
    DirectoryIndex index.html index.php

    Disable directory listing

    Options -Indexes
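    The snippets above are easy to get subtly wrong, so here is a small audit script (an added example, not part of the original page) that flags the pitfalls they touch: rewrite directives without RewriteEngine On, a host redirect whose target is a bare path and therefore loops, directory listing left enabled, and the Apache 2.2 Order/Deny/Allow syntax that needs mod_access_compat on Apache 2.4. The hostname www.example.com in the demo file is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: a pre-deploy audit of an
# .htaccess file. Prints one finding per line, nothing when the file is clean.
audit_htaccess() {
    f="$1"
    # RewriteRule/RewriteCond are silently ignored without "RewriteEngine On".
    if grep -Eq '^[[:space:]]*Rewrite(Rule|Cond)' "$f" &&
       ! grep -Eiq '^[[:space:]]*RewriteEngine[[:space:]]+On' "$f"; then
        echo "missing-rewriteengine"
    fi
    # A host-based redirect whose target is a bare path ("/$1") sends the
    # client back to the same host, so the rule fires again and loops.
    if grep -Eq '^[[:space:]]*RewriteCond[[:space:]]+%[{]HTTP_HOST[}]' "$f" &&
       grep -Eq '^[[:space:]]*RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+/' "$f"; then
        echo "host-redirect-without-scheme"
    fi
    # Directory listings show file names to anyone who can reach the directory.
    if grep -Eq '^[[:space:]]*Options.*\+Indexes' "$f"; then
        echo "indexes-enabled"
    fi
    # Order/Deny/Allow are Apache 2.2 directives; on 2.4 they only work with
    # mod_access_compat loaded, otherwise the request fails with a 500.
    if grep -Eq '^[[:space:]]*(Order|Deny from|Allow from)' "$f"; then
        echo "legacy-access-directives"
    fi
}

demo() {
    # Constructed .htaccess: a www redirect with a bare path target and no
    # RewriteEngine On, listing enabled, and 2.2-style access control.
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ /$1 [R=301,L]
Options +Indexes
Order deny,allow
Deny from all
Allow from 1.2.3.4
EOF
    audit_htaccess "$tmp"
    rm -f "$tmp"
}
```

Run it as `audit_htaccess /path/to/.htaccess` before uploading the file; an empty output means none of the four checks fired.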

    Fix GHOST: glibc vulnerability CVE-2015-0235

    On January 27, 2015, Red Hat Product Security released details of a critical vulnerability affecting glibc, known as GHOST. It was assigned CVE-2015-0235 and is a buffer overflow bug in the gethostbyname() and gethostbyname2() function calls of the glibc library, hence the name GetHOST.

    Fortunately the fix is easy: it just involves running a yum update on the system. On CentOS, RHEL or Fedora we can check the installed RPM version using:

    rpm -q glibc

    To fix this glibc vulnerability you simply need to run:

    yum update glibc

    and reboot the system. If it's not possible to reboot, we can instead restart all the services that use glibc. To determine which services need to be restarted we can run:

    lsof +c 15 | grep libc- | awk '{print $1}' | sort -u

    The output should be something similar to this:

    [root@CentOS ~]# lsof +c 15 | grep libc- | awk '{print $1}' | sort -u
    agetty
    auditd
    avahi-daemon
    awk
    bash
    crond
    dbus-daemon
    gdbus
    gmain
    grep
    in:imjournal
    iprdump
    iprinit
    iprupdate
    JS
    lsof
    master
    mysqld
    mysqld_safe
    NetworkManager
    nginx
    php-fpm
    pickup
    polkitd
    qmgr
    rs:main
    rsyslogd
    runaway-killer-
    sort
    sshd
    systemd
    systemd-journal
    systemd-logind
    systemd-udevd
    tuned

    We can restart the public-facing services to fix this temporarily for those services, but the best option is to reboot the machine.

    Once that's done we can check the version again and make sure we're safe:

    [root@CentOS ~]# rpm -qa | grep glibc
    glibc-2.17-55.el7_0.5.x86_64
    glibc-common-2.17-55.el7_0.5.x86_64
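    The lsof listing above names every process that maps libc, including the grep, awk and sort of the pipeline itself. After the update the processes that actually still need a restart are the ones whose mapped libc is the old, now-unlinked file; the kernel marks such mappings "(deleted)" in /proc/PID/maps and lsof shows that suffix in its NAME column. The function below (an added example, not part of the original post) selects on that suffix instead; the lsof lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find processes still holding the
# pre-update glibc. A process started after "yum update glibc" maps the new
# file and is not listed, so the pipeline's own tools drop out by themselves.
stale_libc_processes() {
    # Reads lsof output on stdin (as produced by: lsof +c 15) and prints the
    # unique command names whose mapped libc- file has been deleted.
    awk '$NF == "(deleted)" && $(NF-1) ~ /libc-/ { print $1 }' | sort -u
}

# Constructed lsof output for the demo: two daemons (three processes) still
# map the old library; lsof and grep were started after the update.
sample_lsof_output() {
    cat <<'EOF'
COMMAND          PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd            1187 root  mem  REG  253,0  2107816  203 /usr/lib64/libc-2.17.so (deleted)
nginx           1300 root  mem  REG  253,0  2107816  203 /usr/lib64/libc-2.17.so (deleted)
nginx           1301 nginx mem  REG  253,0  2107816  203 /usr/lib64/libc-2.17.so (deleted)
lsof            4021 root  mem  REG  253,0  2107816  411 /usr/lib64/libc-2.17.so
grep            4022 root  mem  REG  253,0  2107816  411 /usr/lib64/libc-2.17.so
EOF
}

demo() {
    sample_lsof_output | stale_libc_processes
}

# Live use, as root, after the update:  lsof +c 15 | stale_libc_processes
```

An empty result from the live pipeline means every process has been restarted against the new library (or the machine has been rebooted).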

    https://access.redhat.com – CVE-2015-0235

    Disable SELinux on CentOS 7

    How to disable SELinux on CentOS 7 or most Linux operating systems?

    SELinux stands for Security-Enhanced Linux and is a Linux kernel security module that provides a mechanism for supporting access control security policies. If you've recently installed CentOS 7 (this works for CentOS 4, 5 and 6 as well) and you don't want to use SELinux, the easiest way is to disable it first and then make sure it won't start again on reboot.

    We can verify the status using sestatus, which should return enabled along with some variables, or disabled if it's already turned off:

    [root@server ~]# sestatus
    SELinux status: disabled

    To disable it for the time being, until the machine is rebooted, we can simply use the setenforce command:

    [root@server ~]# setenforce
    usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

    Simply running setenforce Permissive from a shell as root:

    [root@server ~]# setenforce Permissive

    OR:

    [root@server ~]# setenforce 0

    should do the trick, but we also need to make the change permanent. To do this we simply edit SELinux's configuration file, located at /etc/sysconfig/selinux, and set the SELINUX variable to disabled:

    [root@server ~]# vi /etc/sysconfig/selinux

    After saving the file and exiting the editor, SELinux will be off and shouldn't interfere unless you enable it again. It is recommended to reboot the machine after switching SELinux between modes. If you plan to install cPanel/WHM on the machine this is a mandatory step: cPanel/WHM doesn't work with SELinux set to Enforcing (1).

    Please note that disabling SELinux on CentOS 7 doesn't mean the machine will be less protected; however, the OS will be more permissive. For example, a user would be able to set 777 permissions on sensitive files like SSH keys, which means that other users will be able to see them.
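    The edit above is described as an interactive vi session; here is the same change done non-interactively and verified, as an added example that is not part of the original post, so it can be scripted or audited. It assumes GNU sed (as on CentOS) and takes the file path as an argument so the demo runs on a constructed copy; on CentOS 7 /etc/sysconfig/selinux is a symlink to /etc/selinux/config.

```shell
#!/bin/sh
# Added example, not from the original post: read and set the SELINUX= line
# of the SELinux config file and confirm the edit actually took.
selinux_config_mode() {
    # Prints the value of the active SELINUX= line (enforcing|permissive|disabled).
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n 1
}

set_selinux_config_mode() {
    file="$1" mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    # Only the active SELINUX= line is rewritten; comments and SELINUXTYPE stay.
    sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file"
    # A typo here would keep the old mode and only show up after the next reboot,
    # so read the value back instead of trusting the sed exit status.
    [ "$(selinux_config_mode "$file")" = "$mode" ]
}

demo() {
    tmp=$(mktemp)
    # Constructed copy of the stock CentOS 7 config file.
    cat >"$tmp" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    set_selinux_config_mode "$tmp" disabled && selinux_config_mode "$tmp"
    rm -f "$tmp"
}
```

For the real file run `set_selinux_config_mode /etc/sysconfig/selinux disabled` as root; the function returns non-zero if the value read back does not match.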

    Read more about SELinux:

    SELinux on Wikipedia
    HowTos SELinux

    phpMyAdmin – Error: Token Mismatch

    phpMyAdmin isn't very helpful when it comes to error messages; however, if you run into phpMyAdmin – Error: Token Mismatch, like in the screenshot below:

    [screenshot: phpMyAdmin – Error: Token Mismatch]

    the solution is quite easy and is usually related to quota. The same solution applies to a 401 – Access Denied (on a cPanel 11.44+ server):

    401 - Access Denied

    Access Denied
    Unable to establish a PHP session.
    If you believe that this is in error or inadvertent, contact your system administrator and ask them to review your server settings.

    Verify the account’s quota and make sure it hasn’t reached the limit.

    If there's no problem with the quota you should check the /tmp partition and make sure it's not full, along with the session.save_path variable in PHP:

    session.save_path = /tmp

    If /tmp has enough disk space you should check its permissions and make sure the account in question is allowed to create session files in that directory.