rule

luk
19 March 2015, 12:01
I have a rule in lighttpd:

$HTTP["url"] =~ "^/(temp|smarty|sql|modules|languages|includes|functions|fonts|files|config|classes|cache|backup)/(?:$|(.*))" { url.access-deny = ( "" ) }
$HTTP["url"] =~ "^/(userfiles|pictures|design|install)(?:(.*)/$|/.+\.(tpl\.html|php|php3|php4|php5|phtml|pl|cgi))" { url.access-deny = ( "" ) }

and it works perfectly.

But it doesn't work in Hiawatha:

Match ^/(temp|smarty|sql|modules|languages|includes|functions|fonts|files|config|classes|cache|backup)/(?:$|(.*)) DenyAccess
Match ^/(userfiles|pictures|design|install)(?:(.*)/$|/.+\.(tpl\.html|php|php3|php4|php5|phtml|pl|cgi)) DenyAccess

Hiawatha doesn't start with this ?:


Hiawatha version: v9.8
Operating System: CentOS 7
Hugo Leisink
19 March 2015, 12:03
I'm no regexp guru, so I have no idea what the (?:$|(.*)) part does. What is it you are trying to achieve?
luk
19 March 2015, 12:35
I need to block all files of any type in those folders and subfolders.
Hugo Leisink
19 March 2015, 13:07
That can be done via:
Match ^/(temp|smarty|sql|modules ... design|install)/ DenyAccess
luk
19 March 2015, 13:48
For the folder yes, but not for a file in this folder.
I tested it, and a file like .../temp/index.xml is accessible.
Hugo Leisink
19 March 2015, 13:51
If /temp/ can also be a subdirectory, simply remove the '^' at the beginning of the pattern.
luk
19 March 2015, 13:52
For Apache this rule looks like:
RewriteRule ^(temp|userfiles|smarty|sql|modules|languages|includes|functions|fonts|files|config|classes|cache|backup)/(.*) - [F]
RewriteRule ^(userfiles|pictures)/.+\.(php|php3|php4|php5|phtml|pl|cgi) - [F]

For Nginx:
location ~* /(temp|userfiles|smarty|sql|modules|languages|includes|functions|fonts|files|config|classes|cache|backup)/(?:$|(.*)) {
return 403;
}

location ~* /(userfiles|pictures|design|install)(?:(.*)/$|/.+\.(tpl\.html|php|php3|php4|php5|phtml|pl|cgi)) {
return 403;
}
luk
19 March 2015, 14:00
Without '^' at the beginning of the pattern nothing has changed. It works for the folder, not for a file.

Looks like a bug; it must work with this:

Match ^/(temp|smarty|sql|modules|languages|includes|functions|fonts|files|config|classes|cache|backup)/($|(.*)) DenyAccess
luk
19 March 2015, 14:09
Oh, I had left this
before the rule: RequestURI isfile Return
Hugo Leisink
19 March 2015, 14:13
Thought it would be something like that, cause I tested it here and it works just fine.
luk
19 March 2015, 15:33
Ok, it works with this:

Match ^/(temp|smarty|sql|modules|languages|includes|functions|fonts|files|config|classes|cache|backup)($|/.*) DenyAccess
Match ^/(userfiles|pictures|design|install)((.*)/$|/.+\.(tpl\.html|php|php3|php4|php5|phtml|pl|cgi|html|htm))$ DenyAccess

without:

RequestURI isfile Return


Thank you.

And I want to ask you: is there any difference between using DenyAccess instead of Redirect /
for security reasons?

This topic has been closed.
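
Added example, not part of the thread: a Python check that runs the lighttpd rules from the first post and the final Hiawatha rules over constructed request paths, showing where the migrated rule set denies differently. Using Python's `re` as a stand-in for both servers' regex engines is an assumption, and the helper names and sample paths are constructed for illustration.

```python
import re

DIRS = "temp|smarty|sql|modules|languages|includes|functions|fonts|files|config|classes|cache|backup"
UP = "userfiles|pictures|design|install"
EXT = r"tpl\.html|php|php3|php4|php5|phtml|pl|cgi"

# The two rule sets quoted in the thread, assembled from the shared alternations.
LIGHTTPD = [
    rf"^/({DIRS})/(?:$|(.*))",
    rf"^/({UP})(?:(.*)/$|/.+\.({EXT}))",
]
HIAWATHA = [
    rf"^/({DIRS})($|/.*)",
    rf"^/({UP})((.*)/$|/.+\.({EXT}|html|htm))$",
]

def portable(pattern):
    """False if the pattern uses a (?...) construct, which the thread
    reports Hiawatha rejecting at startup."""
    return "(?" not in pattern

def denied(rules, path):
    """True if any rule matches somewhere in the path (search semantics)."""
    return any(re.search(rule, path) for rule in rules)

def compare(paths):
    """Map each path to (lighttpd_denies, hiawatha_denies)."""
    return {p: (denied(LIGHTTPD, p), denied(HIAWATHA, p)) for p in paths}

# Constructed request paths covering files, bare directories and look-alikes.
SAMPLES = [
    "/temp/index.xml", "/temp", "/temporary/a.txt", "/index.php",
    "/userfiles/img/a.php", "/userfiles/a.jpg", "/userfiles/a.html",
    "/userfiles/a.php.bak", "/pictures/",
]

if __name__ == "__main__":
    for path, (old, new) in compare(SAMPLES).items():
        flag = "" if old == new else "   <-- behaviour changed"
        print(f"{path:24} lighttpd={old!s:5} hiawatha={new!s:5}{flag}")
```

The flagged rows show the effect of the rewritten group `($|/.*)`, the added `html|htm` extensions and the trailing `$` anchor in the final rules.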