htaccess fake 403

Forum Moderators: phranque

Message Too Old, No Replies

htaccess fake 403

wesg

1:27 am on Oct 11, 2008 (gmt 0)

I have a folder that I wish to keep to keep away from prying eyes because it's used only for FTP. Rather than changing permissions and generating an actual 403 error, I want to use htaccess to redirect all requests for the folder ftp and all it's subfolders.

This would mean that requests for ftp/, ftp/user1, ftp/everyone would all be redirected to my custom 403 page 403.php.

This is what I have so far:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ftp/(.*) blog/(*) [L]
</IfModule>

I don't want to actually redirect users, I just want to load 403.php instead of the requested file.

wesg

1:29 am on Oct 11, 2008 (gmt 0)

Whoops! I already found my error! turns out I've been writing Wordpress plugins for so long I used (*) instead of $1. All better now.

g1smd

1:58 am on Oct 11, 2008 (gmt 0)

Be aware that your code is for a rewrite. It is not a redirect.

As written, it has the potential to return the same content at an infinite number of URLs.

Check the HTTP response code for such a request. If it is 200 or 302 then you might regret doing it this way.

wesg

4:38 am on Oct 11, 2008 (gmt 0)

Can you explain a little more, g1? Ideally, I want the content of page 403.php whenever a file or folder within "ftp" is requested.

THe other thing i've noticed is that it only redirects when the file requested actually exists.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_FILENAME} !-d [OR]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ftp/(.*) 403.php [L]
</IfModule>

This hasn't solved it either.

jdMorgan

1:53 pm on Oct 11, 2008 (gmt 0)

How about a real 403?
All in one simple line:


RewriteRule ^ftp/ - [F]

That should invoke whatever page you have declared as your custom 403 error page using ErrorDocument.

Jim

wesg

1:07 am on Oct 12, 2008 (gmt 0)

Can I set an error document priority? If someone requests a file inside that folder that doesn't exist, instead of getting a 403 they get a 404. Suggestions?

jdMorgan

2:22 am on Oct 12, 2008 (gmt 0)

You declare ErrorDocuments per-error, not by priority.

If the directory is forbidden, then they get no access, and that includes "no access to information about whether particular files exist in that directory."

I suppose you could use some of the "file-exists" constructs you posted above to *not* return a 403 if the file doesn't exist, and therefore, fall through to the default 404-handling, but really, why bother? To paraphrase Albert Einstein, "Keep your code as simple as possible, but no simpler."

I see many people make a big mistake when blocking access by malicious agents or troublesome people: They put up an "Access Denied" page that contains far too much information -- For example, they'll crow about "We blocked your site downloader."

Well, the *really* troublesome people will read that, and then proceed to do some searches until they find out how a Web site might identify a site downloader, stumble across the phrase "User-agent header" and then proceed to "Spoof user-agent header" or "Change user-agent header." They find that information, modify or configure their site downloader to spoof IE or Firefox, and then come back and raid the whole site.

So, the "bragging error page" has just defeated its own purpose.

Really, the less information you give out, the better -- I've got some error pages that, under specific circumstances, look like the malicious visitor just triggered a fatal scripting error... They get a 403 or 500 response code and a short string of apparently random characters. ;)

Jim