<blockquote data-quote="||~DxxCxxxx~||" data-source="post: 5117042" data-attributes="member: 137393"><p><strong>Creating a .htaccess File</strong></p><p></p><p><img src="http://www.wise-women.org/tutorials/htaccess/illu_htaccess.gif" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p><strong>Creating a .htaccess file Index:</strong> </p><p></p><p>o Introduction</p><p>o Directory Browsing</p><p>o Custom Error Messages</p><p>o Redirection</p><p>o User Authentication</p><p>o Default Homepage</p><p>o SSI Parsing</p><p>o Blocking certain visitors.</p><p>o The PHF Exploit</p><p>o Example .htaccess file</p><p>o Conclusion </p><p></p><p></p><p><strong>Introduction</strong></p><p>------------</p><p></p><p>The Apache web server has many environmental options that are available for the admin to edit; however, in a shared environment, the users don't have access to the main configuration file (httpd.conf). However, they can override some of these settings through the use of a file called ``.htaccess``.</p><p></p><p>The .htaccess file is an ASCII file (so must be uploaded as ASCII, not BINARY) and *only* affects the directory it is in and all of its sub-directories. It can be created and edited in any text editor, such as ``vim``, ``Notepad``...etc.</p><p></p><p>To make sure that visitors cannot view this file, set the permissions to rw-r--r-- (644) as your .htaccess file may contain sensitive information.</p><p></p><p></p><p><strong>Directory Browsing</strong></p><p>-------------------</p><p></p><p>Options +Indexes</p><p></p><p>This sets directory browsing on. 
This means that if there is no index page, you will be able to see all the pages and click whichever one you want to enter.</p><p></p><p>Here are some more options you can enable and disable in this manner:</p><p></p><p>Options +Includes</p><p>Options +FollowSymLinks</p><p>Options +ExecCGI</p><p>Options +MultiViews</p><p></p><p></p><p></p><p><strong>Custom Error Messages</strong></p><p>-----------------------</p><p></p><p>ErrorDocument 404 /error.html</p><p></p><p>This would tell the server that, instead of viewing the regular "Error 404" page, you can set your own. Here's a list of the different error numbers and what they mean.</p><p></p><p>Note: Error 402 (Payment Required) isn't utilised in Apache servers yet.</p><p></p><p>400 Bad Request </p><p>401 Authorization Required </p><p>402 Payment Required</p><p>403 Forbidden </p><p>404 Not Found </p><p>405 Method Not Allowed </p><p>406 Not Acceptable (encoding) </p><p>407 Proxy Authentication Required </p><p>408 Request Timed Out </p><p>409 Conflicting Request </p><p>410 Gone </p><p>411 Content Length Required </p><p>412 Precondition Failed </p><p>413 Request Entity Too Long </p><p>414 Request URI Too Long </p><p>415 Unsupported Media Type </p><p>500 Internal Server Error </p><p>501 Not Implemented </p><p>502 Bad Gateway </p><p>503 Service Unavailable </p><p>504 Gateway Timeout </p><p>505 HTTP Version Not Supported</p><p></p><p>The most common errors are 400, 403, 404 and 500. 
Personally, I only like to change the Error 404 page and let Apache use its default pages for the others.</p><p></p><p>Another feature is that you can use text.</p><p></p><p>Example:</p><p></p><p>ErrorDocument 404 "Page Not Found</p><p></p><p>****</p><p>Note: There is only one (") mark, which is at the start of the text.</p><p>****</p><p>Note #2: The text should not exceed a line</p><p>****</p><p></p><p></p><p><strong>Redirection</strong></p><p>-----------</p><p></p><p>Redirect permanent /myscript.php <a href="http://google.com/myscript.php3" target="_blank">http://google.com/myscript.php3</a> </p><p></p><p>This redirects /myscript.php to <a href="http://google.com/myscript.php3" target="_blank">http://google.com/myscript.php3</a>. This is useful if you have renamed or moved a page to another directory of your website or to another web server completely.</p><p></p><p>The same can be done for directories:</p><p></p><p>Redirect permanent /old <a href="http://google.com/new" target="_blank">http://google.com/new</a> </p><p></p><p>This feature (redirection) of .htaccess can be very useful, because you don't have to go through hundreds of pages, updating the links. </p><p></p><p></p><p><strong>User Authentication</strong></p><p>---------------------</p><p></p><p>AuthUserFile /secret/.htpasswd</p><p>AuthGroupFile /dev/null</p><p>AuthName "My Secret Hideout"</p><p>AuthType Basic</p><p></p><p><Limit GET POST></p><p>require valid-user</p><p></Limit></p><p></p><p>This feature deserves a tutorial of its own, but I'll explain it here anyway.</p><p></p><p>The ``AuthUserFile`` tells the server where to find the password file. We'll explain that more in a minute.</p><p></p><p>``AuthName`` can be anything and is just used as a text string in the authentication process. It isn't too important.</p><p></p><p>After you have done that, we need to create the password file. 
Don't worry if you're not using Linux, because it doesn't matter.</p><p></p><p>When you installed Apache onto your computer, you should have gotten a program called "htpasswd.exe". This is located in the /bin directory.</p><p></p><p>From the command prompt (cd to that directory), type:</p><p></p><p>``htpasswd -c .htpasswd <username>``</p><p></p><p>It will then prompt you for a password. The -c switch just creates a new password file; from then on, you don't need it, you just need to type:</p><p></p><p>``htpasswd .htpasswd <username>``</p><p></p><p>You can have as many usernames as you like, but it is recommended to restrict it to a few usernames (unless it is a feature of your website for registered users).</p><p></p><p>To delete users, just delete the line in .htpasswd with their username.</p><p></p><p>******************************</p><p>Note: The encryption method used in htpasswd is altered DES, so it can be cracked with a UNIX-cracker. However, on Windows, you may find it using MD5.</p><p>******************************</p><p></p><p></p><p><strong>Default Homepage</strong></p><p>--------------------</p><p></p><p>DirectoryIndex index.cgi index.php index.html home.html</p><p></p><p>This sets it so the server looks for one of these files (from left to right) to show as the index file. The files are given precedence the farther left they are, so ``index.cgi`` would be looked for first, then ``index.php``, then ``index.html`` and finally ``home.html``. If none of those pages could be found, then the server will just list out all the files in that directory (that's where the ``Options +Indexes`` part comes in handy).</p><p></p><p><strong></strong></p><p><strong>SSI Parsing</strong></p><p>------------</p><p></p><p>AddType text/html .html</p><p>AddHandler server-parsed .html</p><p>AddHandler server-parsed .htm </p><p></p><p>This makes it so that server side includes are parsed in the following file types (.html, .htm). 
To add a file type to that list, just add the AddHandler file and the extension which that document type has.</p><p></p><p></p><p><strong>Blocking Certain Visitors</strong></p><p>--------------------------</p><p></p><p><Limit GET></p><p>order allow,deny</p><p>deny from 123.456.789.000</p><p>deny from 123.456.789.</p><p>deny from .aol.com</p><p>allow from all</p><p></Limit></p><p></p><p>``deny from 123.456.789.000`` denies access to the website from anybody from the exact IP address 123.456.789.000</p><p></p><p>``deny from 123.456.789.`` denies access to the website from anybody from the IP range 123.456.789</p><p></p><p>``deny from .aol.com`` denies access to the website from anybody connecting from ``aol.com``.</p><p></p><p><strong></strong></p><p><strong>The PHF Exploit</strong></p><p>-----------------</p><p></p><p>PHF was a script installed by default on old Apache servers. Of course, this feature has long since been eradicated; however, some people still attempt it in the one in a million chance that you have PHF enabled.</p><p></p><p>****</p><p>Note: The exploit was very serious, as anybody who fed a newline character to the PHF script could run remote commands with the same privileges as the webserver, so anybody who found a webserver running with root privileges could easily access the /etc/passwd file through the /bin/cat command...etc</p><p>****</p><p></p><p>Even though this technique is of no danger to your machine, it's fun to mess around with the attacker and redirect them to either a logging script which logs their IP address, or to some error page which screams abuse at them.</p><p></p><p><Location /cgi-bin/phf*></p><p>Deny from all</p><p>ErrorDocument 403 /log-ip.php</p><p></Location></p><p></p><p>This denies access to any phf file in the /cgi-bin/ directory and redirects them to /log-ip.php.</p><p></p><p><strong>Example .htaccess file</strong></p><p>--------------------</p><p></p><p>You can copy and paste this if you want and 
add/remove/edit any parts of it.</p><p></p><p>***** .htaccess *****</p><p></p><p>Options +Indexes</p><p>Options +MultiViews</p><p></p><p></p><p>ErrorDocument 403 "Forbidden!!!</p><p>ErrorDocument 404 /error.php?error=404</p><p>ErrorDocument 500 /error.php?error=500</p><p></p><p></p><p>Redirect permanent /links.html <a href="http://www.mysite.com/features/links.php" target="_blank">http://www.mysite.com/features/links.php</a></p><p></p><p></p><p>AuthUserFile /users/.htpasswd</p><p>AuthGroupFile /dev/null</p><p>AuthName "Jethro's House of Love"</p><p>AuthType Basic</p><p></p><p></p><p><Limit GET POST></p><p>require valid-user</p><p></Limit></p><p></p><p></p><p>DirectoryIndex index.php index.html /cgi-bin/index.cgi</p><p></p><p></p><p>AddType text/html .html</p><p>AddType text/html .htm</p><p>AddHandler server-parsed .html</p><p>AddHandler server-parsed .htm </p><p></p><p></p><p><Limit GET></p><p>order allow,deny</p><p>deny from 159.132.216.</p><p>allow from all</p><p></Limit></p><p></p><p></p><p></p><p><Location /cgi-bin/phf*></p><p>Deny from all</p><p>ErrorDocument 403 /cgi-bin/fakephp.cgi</p><p></Location></p><p></p><p></p><p>***************************************</p></blockquote><p></p>
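How the `Order` line decides whether a deny list like the one in "Blocking Certain Visitors" blocks anyone, as an added example that is not part of the quoted post: a simplified Python model of Apache's Order/Allow/Deny evaluation, run against the post's 159.132.216. range. The names `matches`, `is_allowed`, `DENY_ALLOW` and `ALLOW_DENY` are hypothetical, the client addresses are constructed, and the client host name is passed in rather than resolved by reverse DNS.

```python
import ipaddress

def matches(spec, ip, host=""):
    """True if one Allow/Deny 'from' argument covers the client."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:  # CIDR form, e.g. 159.132.216.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if all(o.isdigit() for o in octets):  # full or partial IPv4 address
        return ip.split(".")[:len(octets)] == octets
    domain = spec.lstrip(".")  # host name or domain suffix such as .aol.com
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def is_allowed(rules, ip, host=""):
    """Evaluate Order/Allow/Deny lines for one client (simplified model)."""
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is Apache's default
    for line in rules.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = "".join(words[1:]).lower()
        elif len(words) >= 3 and words[1].lower() == "from":
            if words[0].lower() == "allow":
                allow += words[2:]
            elif words[0].lower() == "deny":
                deny += words[2:]
    allowed = any(matches(s, ip, host) for s in allow)
    denied = any(matches(s, ip, host) for s in deny)
    if order == "deny,allow":
        # Deny is checked first, then Allow overrides it; unmatched clients get in.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is checked first, then Deny overrides it; unmatched clients are refused.
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)

# Constructed rule sets using the address range from the post.
DENY_ALLOW = "order deny,allow\ndeny from 159.132.216.\nallow from all"
ALLOW_DENY = "order allow,deny\nallow from all\ndeny from 159.132.216."

if __name__ == "__main__":
    for name, rules in (("deny,allow", DENY_ALLOW), ("allow,deny", ALLOW_DENY)):
        for ip in ("159.132.216.7", "198.51.100.4"):
            verdict = "allowed" if is_allowed(rules, ip) else "denied"
            print(f"order {name:<10} client {ip:<14} {verdict}")
```

With `allow from all` present, only `order allow,deny` lets the `deny from` lines take effect; under `order deny,allow` the blanket allow overrides every deny.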