Forum Moderators: Ocean10000 & incrediBILL & phranque

htaccess fake 403

     
1:27 am on Oct 11, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 30, 2008
posts:104
votes: 0


I have a folder that I wish to keep away from prying eyes because it's used only for FTP. Rather than changing permissions and generating an actual 403 error, I want to use htaccess to redirect all requests for the folder ftp and all its subfolders.

This would mean that requests for ftp/, ftp/user1, ftp/everyone would all be redirected to my custom 403 page 403.php.

This is what I have so far:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ftp/(.*) blog/(*) [L]
</IfModule>

I don't want to actually redirect users, I just want to load 403.php instead of the requested file.

1:29 am on Oct 11, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 30, 2008
posts:104
votes: 0


Whoops! I already found my error! Turns out I've been writing WordPress plugins for so long I used (*) instead of $1. All better now.

1:58 am on Oct 11, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


Be aware that your code is for a rewrite. It is not a redirect.

As written, it has the potential to return the same content at an infinite number of URLs.

Check the HTTP response code for such a request. If it is 200 or 302 then you might regret doing it this way.

4:38 am on Oct 11, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 30, 2008
posts:104
votes: 0


Can you explain a little more, g1? Ideally, I want the content of page 403.php whenever a file or folder within "ftp" is requested.

The other thing I've noticed is that it only redirects when the file requested actually exists.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_FILENAME} !-d [OR]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ftp/(.*) 403.php [L]
</IfModule>

This hasn't solved it either.

1:53 pm on Oct 11, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


How about a real 403?
All in one simple line:

RewriteRule ^ftp/ - [F]

That should invoke whatever page you have declared as your custom 403 error page using ErrorDocument.

Jim

1:07 am on Oct 12, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 30, 2008
posts:104
votes: 0


Can I set an error document priority? If someone requests a file inside that folder that doesn't exist, instead of getting a 403 they get a 404. Suggestions?

2:22 am on Oct 12, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


You declare ErrorDocuments per-error, not by priority.

If the directory is forbidden, then they get no access, and that includes "no access to information about whether particular files exist in that directory."

I suppose you could use some of the "file-exists" constructs you posted above to *not* return a 403 if the file doesn't exist, and therefore, fall through to the default 404-handling, but really, why bother? To paraphrase Albert Einstein, "Keep your code as simple as possible, but no simpler."

I see many people make a big mistake when blocking access by malicious agents or troublesome people: They put up an "Access Denied" page that contains far too much information -- For example, they'll crow about "We blocked your site downloader."

Well, the *really* troublesome people will read that, and then proceed to do some searches until they find out how a Web site might identify a site downloader, stumble across the phrase "User-agent header" and then proceed to "Spoof user-agent header" or "Change user-agent header." They find that information, modify or configure their site downloader to spoof IE or Firefox, and then come back and raid the whole site.

So, the "bragging error page" has just defeated its own purpose.

Really, the less information you give out, the better -- I've got some error pages that, under specific circumstances, look like the malicious visitor just triggered a fatal scripting error... They get a 403 or 500 response code and a short string of apparently random characters. ;)

Jim
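
Added example, not part of the original thread: a Python check for the two points raised above, that a blocked path should not answer 200 or 302, and that existing and missing names under ftp/ should get the same status. The host example.test, the path names and the sample status codes are constructed assumptions; pass your own base URL and paths to audit() to probe a real server.

```python
import http.client
from urllib.parse import urlsplit

def fetch_status(url):
    """GET url and return the raw status code; redirects are not followed."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=10)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def audit(base, paths, fetch=fetch_status):
    """Return (statuses, findings) for paths that should all be forbidden."""
    statuses = {p: fetch(base.rstrip("/") + "/" + p.lstrip("/")) for p in paths}
    findings = [f"{p}: status {s}, block page served without a 403 status"
                for p, s in statuses.items() if s in (200, 302)]
    if len(set(statuses.values())) > 1:
        findings.append("status differs between paths: responses show which files exist")
    return statuses, findings

# Constructed sample data (not captured from a real server): the folder,
# a subfolder, and a name that does not exist on disk.
PATHS = ["ftp/", "ftp/user1/", "ftp/no-such-file.txt"]
SAMPLES = {
    "rewrite to 403.php": [200, 200, 200],
    "403 only if file exists": [403, 403, 404],
    "RewriteRule ^ftp/ - [F]": [403, 403, 403],
}

def run_samples():
    """Audit each constructed sample through a stub fetch; return findings per sample."""
    results = {}
    for name, codes in SAMPLES.items():
        table = dict(zip(PATHS, codes))
        stub = lambda url, t=table: t[url.split("/", 3)[3]]  # strip scheme and host
        results[name] = audit("http://example.test", PATHS, fetch=stub)[1]
    return results

if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "OK: uniform 403")
```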
