Joomla! Day UK 2009

Joomla! Day UK 2009 Effective use of the .htaccess file & Redirection Andrew Rose Inch Hosting http://www.inchhosting.co.uk/ The UK Joomla! Specialists

Introduction Background Exploit Blocking Rewrites - SEF Redirects Security Other

Background

Exploit Blocking

Rewrites - SEF

Redirects

Security

Other

Background Apache Servers! Regular Expressions Eleven characters with special meanings: opening square bracket [ backslash caret ^ dollar sign $ period or dot . vertical bar or pipe symbol | question mark ? asterisk or star * plus sign + opening round bracket ( closing round bracket )

Apache Servers!

Regular Expressions

Eleven characters with special meanings:

opening square bracket [

backslash

caret ^

dollar sign $

period or dot .

vertical bar or pipe symbol |

question mark ?

asterisk or star *

plus sign +

opening round bracket (

closing round bracket )

Block Exploits ## This attempts to block the most common type of exploit `attempts` to Joomla! # # Block out any script trying to set a mosConfig value through the URL RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] # Block out any script trying to base64_encode crap to send via URL RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR] # Block out any script that includes a <script> tag in URL RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] # Block out any script trying to set a PHP GLOBALS variable via URL RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR] # Block out any script trying to modify a _REQUEST variable via URL RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2}) # Send all blocked request to homepage with 403 Forbidden error! RewriteRule ^(.*)$ index.php [F,L] # ########## End - Rewrite rules to block out some common exploits

## This attempts to block the most common type of exploit `attempts` to Joomla!

#

# Block out any script trying to set a mosConfig value through the URL

RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

# Block out any script trying to base64_encode crap to send via URL

RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]

# Block out any script that includes a <script> tag in URL

RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

# Block out any script trying to set a PHP GLOBALS variable via URL

RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]

# Block out any script trying to modify a _REQUEST variable via URL

RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})

# Send all blocked request to homepage with 403 Forbidden error!

RewriteRule ^(.*)$ index.php [F,L]

#

########## End - Rewrite rules to block out some common exploits

Rewrites – SEF ########## Begin - Joomla! core SEF Section # RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_URI} !^/index.php RewriteCond %{REQUEST_URI} (/|.php|.html|.htm|.feed|.pdf|.raw|/[^.]*)$ [NC] RewriteRule (.*) index.php RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] #

########## Begin - Joomla! core SEF Section

#

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteCond %{REQUEST_URI} !^/index.php

RewriteCond %{REQUEST_URI} (/|.php|.html|.htm|.feed|.pdf|.raw|/[^.]*)$ [NC]

RewriteRule (.*) index.php

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

#

Redirects Rewrite URLs to allow various redirections e.g. Re-write www.inchdesign.co.uk to a directory located inchhosting.co.uk/design/ RewriteCond %{HTTP_HOST} inchdesign.co.uk RewriteCond %{REQUEST_URI} !^/design RewriteRule ^(.*)$ design/$1 [L]

Rewrite URLs to allow various redirections

e.g. Re-write www.inchdesign.co.uk to a directory located inchhosting.co.uk/design/

RewriteCond %{HTTP_HOST} inchdesign.co.uk

RewriteCond %{REQUEST_URI} !^/design

RewriteRule ^(.*)$ design/$1 [L]

Security – Password Protection .htpasswd (put it out of the web accessible site) username:password (password needs to be encrypted - http://www.tools.dynamicdrive.com/password/) .htaccess AuthUserFile /root to your password file/.htpasswd AuthGroupFile /dev/null AuthName EnterPassword AuthType Basic require user username (the username you want to give access to)

.htpasswd (put it out of the web accessible site)

username:password (password needs to be encrypted - http://www.tools.dynamicdrive.com/password/)

.htaccess

AuthUserFile /root to your password file/.htpasswd

AuthGroupFile /dev/null AuthName EnterPassword

AuthType Basic

require user username (the username you want to give access to)

Security – IP Protection AuthName &quot;Protected Content&quot; AuthType Basic order deny,allow deny from all allow from 255.255.255.255

AuthName &quot;Protected Content&quot; AuthType Basic order deny,allow deny from all allow from 255.255.255.255

Other SetEnv DEFAULT_PHP_VERSION 5 php_flag register_globals off

SetEnv DEFAULT_PHP_VERSION 5

php_flag register_globals off