A lightning talk by Morten Bergset
What is .htaccess
• it is a file in which you can override what Apache's httpd.conf allows
• the change applies in the folder where the .htaccess file is stored, and in its subfolders
• with very little code you can make big changes!
Error documents
ErrorDocument 400 /errors/badrequest.html
ErrorDocument 401 /errors/authreqd.html
ErrorDocument 403 /errors/forbid.html
ErrorDocument 404 /errors/notfound.html
ErrorDocument 500 /errors/serverr.html
Password-protect a file/folder
AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
Require valid-user
Block visits by IP
order allow,deny
deny from 123.45.6.7
allow from all
.html as .php
AddHandler application/x-httpd-php .html
Security through obscurity…
Redirect vs RewriteRule
• Redirect is almost the same as RewriteRule
• Redirect is simple
• RewriteRule is powerful (regex)
Redirects
# New URL for a folder:
Redirect /old /new
# Redirect the whole website to a new URL (301 = permanent)
Redirect 301 / http://test.com/
# New URL for a file:
Redirect /dir/oldfile.php /newfile.php
RewriteRules
Example:

RewriteRule ^dir/([0-9]+)/?$ /index.php?id=$1 [L]
Pattern: ^dir/([0-9]+)/?$

Rewrite: /index.php?id=$1

Command Flag: [L]
Conditions
# Turn on the rewrite engine
RewriteEngine on
# If the request doesn't end in .php, continue processing rules
RewriteCond %{REQUEST_URI} !\.php$ [NC]
# If the request doesn't end in a slash, continue processing the rules
RewriteCond %{REQUEST_URI} [^/]$
# Rewrite the request with a .php extension. L means this is the 'Last' rule
RewriteRule ^(.*)$ $1.php [L]
Redirect http to https
RewriteEngine On 

RewriteCond %{SERVER_PORT} 80 

RewriteRule ^(.*)$ https://sub.profundo.no/$1 [R,L]
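A variant of the redirect above, added here as an example and not taken from the talk: it tests %{HTTPS} instead of the port, issues a permanent redirect, and sets an HSTS header on TLS responses so returning browsers skip plain HTTP. The max-age value is an assumption, and the expr= condition requires Apache 2.4.

```apache
RewriteEngine On

# Redirect whenever the request did not arrive over TLS, whatever the port.
RewriteCond %{HTTPS} !=on
# %{REQUEST_URI} keeps the full original path; the query string is
# carried over automatically because the substitution has none of its own.
RewriteRule ^ https://sub.profundo.no%{REQUEST_URI} [R=301,L]

# HSTS is only meaningful on HTTPS responses, so the header is conditional.
# "always" also covers error responses (401, 404, ...).
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on'"
</IfModule>
```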
Get the last part of the URL as a parameter
RewriteEngine On

RewriteRule ^(\w+)$ ./index.php?id=$1
————————————————————————————————————————————-
In PHP code:
<?= htmlspecialchars($_GET["id"] ?? "", ENT_QUOTES, "UTF-8") ?>
Avoid having .php in the URL
Options +MultiViews
Show content from another folder without going to another URL
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
RewriteRule ^kunde$ /kunde/ [QSA,L,R=301,NC]
RewriteRule ^kunde?(.*)$ /app/$1 [QSA,L,NC]
Remove www from the URL
RewriteEngine On
RewriteCond %{HTTP_HOST} !^your-site\.com$ [NC]
RewriteRule ^(.*)$ https://your-site.com/$1 [L,R=301]
This is what I use in my MVC project at home
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?route=$1 [L,NC,QSA]
All requests go through index.php, except files that are available in the public folder
AddDefaultCharset utf-8

AddCharset utf-8 .html .css .php .txt .js



RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f

RewriteRule ^ index.php
Flags
• QSA = preserve existing query parameters (query string append)
• L = last rule
• R = force redirect
• NC = no case, case-insensitive
Force download of file types
<Files *.xls>
ForceType application/octet-stream
Header set Content-Disposition attachment
</Files>
Prevent access to a folder
deny from all
or
order deny,allow

deny from all

allow from xxx.xxx.xxx.xxx
Prevent access to files
<FilesMatch "\.(htaccess|htpasswd|ini|fla|psd|log|sh)$">

Order Allow,Deny

Deny from all

</FilesMatch>
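The access-control slides above (blocking an IP, closing a folder, blocking files by extension) use the Apache 2.2 Order/Allow/Deny directives, which Apache 2.4 only supports through mod_access_compat. The same rules in 2.4 mod_authz_core syntax follow as an added example, not part of the talk; 203.0.113.10 is a constructed placeholder address.

```apache
# Blocks 1-3 are alternatives: use one per .htaccess, not all together.
# In .htaccess, Require needs "AllowOverride AuthConfig" in httpd.conf.

# 1. Block one address, allow everyone else.
#    A negated Require only works inside <RequireAll>.
<RequireAll>
    Require all granted
    Require not ip 123.45.6.7
</RequireAll>

# 2. Close a folder to everyone.
Require all denied

# 3. Close a folder to everyone except one address (constructed placeholder).
Require ip 203.0.113.10

# 4. Block files by extension, written so the same file works on 2.2 and 2.4.
<FilesMatch "\.(htaccess|htpasswd|ini|fla|psd|log|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
```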
Add/change MIME types
# audio

AddType audio/ogg oga ogg
# video

AddType video/ogg ogv
Directory listing
# list files
Options +Indexes
# list everything except gif and jpg
IndexIgnore *.gif *.jpg
# do NOT list files
Options -Indexes
Optimize static files
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Browser caching
<IfModule mod_expires.c>

ExpiresActive On

ExpiresByType image/jpg "access 1 year"

ExpiresByType image/jpeg "access 1 year"

ExpiresByType image/gif "access 1 year"

ExpiresByType image/png "access 1 year"

ExpiresByType text/css "access 1 month"

ExpiresByType application/pdf "access 1 month"

ExpiresByType text/x-javascript "access 1 month"

ExpiresByType application/x-shockwave-flash "access 1 month"

ExpiresByType image/x-icon "access 1 year"

ExpiresDefault "access 2 days"

</IfModule>
Automatic UTF-8 charset on files
<FilesMatch "\.(htm|html|css|js)$">
AddDefaultCharset UTF-8
</FilesMatch>
Prevent robot indexing
Header set X-Robots-Tag "noindex, noarchive, nosnippet"
Set caching of files: optimization
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|swf|js|css|pdf)$">
Header set Cache-Control "max-age=28800"
</FilesMatch>
Maintenance page
RewriteCond %{REMOTE_ADDR} !your_ip_address
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteRule !offline\.php$ http://www.example.com/back_soon.html [L,R=307]
Log PHP errors
# display no errs to user

php_flag display_startup_errors off

php_flag display_errors off

php_flag html_errors off
# log to file

php_flag log_errors on

php_value error_log /location/to/php_error.log
Compress output: GZIP
<IfModule mod_gzip.c>

mod_gzip_on Yes

mod_gzip_dechunk Yes

mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$

mod_gzip_item_include handler ^cgi-script$

mod_gzip_item_include mime ^text/.*

mod_gzip_item_include mime ^application/x-javascript.*

mod_gzip_item_exclude mime ^image/.*

mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*

</IfModule>
Shorter URLs
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^files/(.+)/(.+)\.zip download.php?type=$1&file=$2 [nc]
Laravel's .htaccess
Joomla and htaccess
