Joomla! Day UK 2009 .htaccess

Andrew Rose's (UK community member) presentation on using the .htaccess file with Joomla! and on how to redirect pages properly, part of the Hosting and Security track.

    1. Joomla! Day UK 2009

    2. Joomla! Day UK 2009
       Effective use of the .htaccess file & Redirection
       Andrew Rose, Inch Hosting, http://www.inchhosting.co.uk/, The UK Joomla! Specialists

    3. Introduction
       • Background
       • Exploit Blocking
       • Rewrites - SEF
       • Redirects
       • Security
       • Other

    4. Background
       • Apache Servers!
       • Regular Expressions
         • Eleven characters with special meanings:
           • opening square bracket [
           • backslash \
           • caret ^
           • dollar sign $
           • period or dot .
           • vertical bar or pipe symbol |
           • question mark ?
           • asterisk or star *
           • plus sign +
           • opening round bracket (
           • closing round bracket )

    5. Block Exploits
       ## This attempts to block the most common type of exploit `attempts` to Joomla!
       #
       # Block out any script trying to set a mosConfig value through the URL
       RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
       # Block out any script trying to base64_encode crap to send via URL
       RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
       # Block out any script that includes a <script> tag in URL
       RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
       # Block out any script trying to set a PHP GLOBALS variable via URL
       RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
       # Block out any script trying to modify a _REQUEST variable via URL
       RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
       # Send all blocked requests to homepage with 403 Forbidden error!
       RewriteRule ^(.*)$ index.php [F,L]
       #
       ########## End - Rewrite rules to block out some common exploits

    6. Rewrites – SEF
       ########## Begin - Joomla! core SEF Section
       #
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteCond %{REQUEST_URI} !^/index.php
       RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
       RewriteRule (.*) index.php
       RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
       #

    7. Redirects
       • Rewrite URLs to allow various redirections
       • e.g. rewrite www.inchdesign.co.uk to a directory located at inchhosting.co.uk/design/
         RewriteCond %{HTTP_HOST} inchdesign.co.uk
         RewriteCond %{REQUEST_URI} !^/design
         RewriteRule ^(.*)$ design/$1 [L]

    8. Security – Password Protection
       • .htpasswd (put it outside the web-accessible site)
         username:password (the password needs to be encrypted - http://www.tools.dynamicdrive.com/password/)
       • .htaccess
         AuthUserFile /root to your password file/.htpasswd
         AuthGroupFile /dev/null
         AuthName EnterPassword
         AuthType Basic
         require user username (the username you want to give access to)

    9. Security – IP Protection
       AuthName "Protected Content"
       AuthType Basic
       order deny,allow
       deny from all
       allow from 255.255.255.255

    10. Other
       SetEnv DEFAULT_PHP_VERSION 5
       php_flag register_globals off
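As an added illustration of the "Block Exploits" slide (my own code, not from Andrew Rose's slides or from Joomla!), the Python harness below re-evaluates the slide's five RewriteCond patterns against constructed query strings, emulating how mod_rewrite chains conditions with [OR] and the implicit AND, so you can see which requests the chain blocks, where it produces a false positive, and why the rules without [NC] only match one casing. HARDENED_CONDS (the same patterns with [NC] on every rule) and the sample URLs are my assumptions.

```python
import re
from urllib.parse import urlsplit

# The five RewriteCond patterns from the "Block Exploits" slide (Joomla! 1.5
# htaccess.txt), as (PCRE pattern, flag list). Only the <script> rule has [NC].
EXPLOIT_CONDS = [
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", ["OR"]),
    (r"base64_encode.*(.*)", ["OR"]),
    (r"(\<|%3C).*script.*(\>|%3E)", ["NC", "OR"]),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", ["OR"]),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", []),
]
# Hardening variant (my assumption, not from the slides): the same patterns with
# [NC] on every condition, so matching no longer depends on the request's casing.
HARDENED_CONDS = [(p, f + ["NC"]) for p, f in EXPLOIT_CONDS]

def conds_match(subject: str, conds) -> bool:
    """Evaluate a RewriteCond chain as mod_rewrite does: unanchored regex search,
    a leading '!' negates, conditions are ANDed by default, and a condition
    carrying [OR] is OR-ed with the next one ("A [OR] B, C" = (A or B) and C)."""
    overall, group = True, False
    for pattern, flags in conds:
        negate = pattern.startswith("!")
        regex = pattern[1:] if negate else pattern
        hit = re.search(regex, subject, re.IGNORECASE if "NC" in flags else 0) is not None
        group = group or (hit != negate)
        if "OR" not in flags:      # OR-group ends here: fold it into the AND chain
            overall, group = overall and group, False
    return overall

def is_blocked(url: str, conds=EXPLOIT_CONDS) -> bool:
    """True if the chain fires, i.e. 'RewriteRule ^(.*)$ index.php [F,L]' would
    answer 403. mod_rewrite tests the raw, still percent-encoded QUERY_STRING."""
    return conds_match(urlsplit(url).query, conds)

if __name__ == "__main__":
    # Constructed sample requests: ordinary Joomla! URLs and ones the slide targets.
    for url in [
        "/index.php?option=com_content&view=article&id=5",  # benign: passes
        "/index.php?mosConfig_absolute_path=/some/path",     # blocked by rule 1
        "/index.php?search=%3CSCRIPT%3Ex%3C/SCRIPT%3E",      # blocked by rule 3 ([NC])
        "/index.php?GLOBALS[x]=1",                           # blocked by rule 4
        "/index.php?_REQUEST%5Bx%5D=1",                      # blocked by rule 5 (encoded [)
        "/index.php?searchword=how+to+use+base64_encode",    # false positive of rule 2
        "/index.php?MOSCONFIG_ABSOLUTE_PATH=/some/path",     # slips past rule 1: no [NC]
    ]:
        print(f"slide={is_blocked(url)!s:5} hardened={is_blocked(url, HARDENED_CONDS)!s:5} {url}")
```

The last two samples are the practical caveats: a signature on `base64_encode` blocks a legitimate search term that contains it, and a rule without [NC] is a literal, case-sensitive match, which the hardened variant corrects.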