
Blocking the Apache icons folder in htaccess

block /icons/ gif and jpg

     
2:16 pm on Feb 2, 2019 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3234
votes: 17


I'm trying to block the Apache icons folder from remote access. Blocking by IP does not hack it so I've been trying the following:

RewriteCond %{REQUEST_URI} ^/icons/
(with and without leading ^ and /)
...followed by ONE of the following (none work)...
RewriteRule - - [F]
RewriteRule ^/icons/(\.(gif|jpg|png))$ - [F,NC]
RewriteRule \.(gif|jpg|png)$ - [F,NC]
RewriteRule /icons/ - [R=403,F]

The Apache docs and sundry online forums suggest I'm using the correct syntax but I can still load a selected icon in a browser.

Obviously I have something wrong but what? Help appreciated.

Abbreviated htaccess file is:

#========
# security policies
#Secure cookies: in config editor section system.web/httpcookies set
#httpOnlyCookies true
#requireSSL true

Header set Strict-Transport-Security "max-age=15552001; includeSubDomains; preload"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Xss-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Content-Security-Policy "default-src 'none'; style-src 'self'; child-src 'self'; frame-ancestors 'self'; base-uri 'self'; script-src 'self'; form-action 'self'; img-src 'self'; object-src 'none'; block-all-mixed-content;"
Header set Expect-CT "enforce,max-age=30"

#========
# geo-block
GeoIPEnable On
#GeoIPDBFile /usr/share/GeoIP/GeoIP.dat Standard # cannot use in htaccess

SetEnvIf GEOIP_COUNTRY_CODE BR BlockCountry
(and others)
Deny from env=BlockCountry

#========
SetEnvIfNoCase User-Agent "urlwatch" dontlog

#========
order allow,deny
#========
(various deny from IP lines)

#========
RewriteEngine on

#========
# apache icons (as above code)

#========
# reject hotlinking
#RewriteBase /
#RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://mail\.bristolweb\.net/ [NC]
RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS]

#========
# block some simple UA substrings
RewriteCond %{HTTP_USER_AGENT} ^ht[tm][lpr] [NC]
RewriteRule . - [F]

# only allow get/post/http/1.1
#RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$ [NC]
RewriteCond %{REQUEST_METHOD} !^(GET|POST)
RewriteRule .? - [F]

# only allow https
RewriteCond %{HTTPS} on
RewriteRule . - [F]

# allow urlwatch
RewriteCond %{HTTP_USER_AGENT} ^urlwatch/
RewriteRule . - [L]

# only allow mozilla 5
RewriteCond %{HTTP_USER_AGENT} !^Mozilla/5\.0
RewriteRule . - [F]

# not old firefox
RewriteCond %{HTTP_USER_AGENT} Firefox/[0-9]\.|Firefox/[0-5][0-9]\.|Windows\sNT\s[0-5] [NC]
RewriteRule . - [F]

# not initial symbols
# ] and - must be escaped inside the character class, otherwise the class closes early and )-= becomes a range
RewriteCond %{HTTP_USER_AGENT} ^[\"\'$%&*()\-=+_@~#{}\[\]<>,.?/|\\\!] [NC]
RewriteRule . - [F]

RewriteCond %{HTTP_USER_AGENT} (agent|analy[sz]|anonymous|archive|bandit|bot|brand|cherrypicker|clshttp|collector|compatible;[a-z]|craftbot|crawl|curl|deepnet|discover|download|explorer|extract|file|grab|greasemonkey|harvest|indy\slibrary|java|larbin|le[ae]ch|legs|link|lynx|mail|miner|netcraft|ninja|n[-_\s]?u[-_\s]?t[-_\s]?c[-_\s]?h|open|perl|php|proxy|python|ripper|script|search|seo|shodan|sitemap|snoop|sph?ider|stripper|sucker|survey|sweep|torrent|webpictures|webspider|worm) [NC]
RewriteRule . - [F]
#========
allow from all
#========
4:22 pm on Feb 2, 2019 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 323
votes: 24


The Apache icons folder (used by mod_autoindex) is served with an Apache Alias, so you can't block these requests in .htaccess because the Alias is processed earlier.

However, you can use a directive in a server (or virtualhost) context to block these requests (using a directive like you have already tried) as this is processed before the Alias is resolved:

# (In a server or virtualhost context)
RewriteRule ^/icons/ - [F]


However, if you have access to the server config then you would just remove the Alias directive.
4:40 pm on Feb 2, 2019 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 323
votes: 24


Aside: A quick flick through your config file....

# only allow https 
RewriteCond %{HTTPS} on
RewriteRule . - [F]


This appears to do the opposite (of what the comment says)... it blocks HTTPS for everything except the document root?!
5:54 pm on Feb 2, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15507
votes: 752


The OP clearly and unambiguously used the word .htaccess. That means that any rule containing the element
RewriteRule ^/
will fail, because the pattern will never match.

I've never used custom icons, but this all happens internally, right, like /index.html in a directory? If so I'd say
RewriteCond %{THE_REQUEST} /icons
RewriteRule ^icons - [F]
or simply (without condition)
RewriteRule ^icons - [F,NS]
6:33 pm on Feb 2, 2019 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 323
votes: 24


> The OP clearly and unambiguously used the word .htaccess.


And I said, "you can't block these requests in .htaccess". (I could have just stopped there I suppose, but I then gave a working directive for the server config - as stated in the comment immediately before it).
3:53 pm on Feb 3, 2019 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3234
votes: 17


Whitespace:
> just remove the Alias directive.

That did the trick - after tracking it down! :) Many thanks for that and the explanation.

> # only allow https

That was my fault. Sorry. I altered it when I posted, by mistake, for something I'm developing on another machine. I get confused. :(
6:29 pm on Feb 3, 2019 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 323
votes: 24


> That did the trick - after tracking it down! :)


Yes, I should have perhaps said... it's usually declared in "httpd-autoindex.conf" (which is included in the main server config) - although whether that can vary between configs I'm not sure.

If you are removing (ie. commenting out) the Alias then you should also remove the associated <Directory> section that grants access (and sets options) for the target of the Alias.

In fact, if this is your server and you are not using the "auto-generated directory listings", you could go the whole hog and just disable mod_autoindex altogether (which should naturally prevent access to the "icons" because the Alias will not be called). However, this does appear to have an additional side effect... requesting directories without a directory index document will result in a 404 Not Found, not a 403 Forbidden (which is actually quite a good thing IMO).
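The two fixes discussed in this thread (commenting out the Alias together with its <Directory> section, or else denying /icons/ in server/vhost context before the Alias is mapped) side by side, as an added example that is not taken from the thread. The stock file contents are assumed to be those of a Debian-family alias.conf, and example.com is a placeholder:

```apache
# /etc/apache2/mods-enabled/alias.conf (Debian/Ubuntu/Mint layout; assumed stock contents)
<IfModule alias_module>
    # Stock lines, now commented out: /icons/ is no longer mapped to a
    # directory outside the DocumentRoot, and the grant that went with it is gone.
    #Alias /icons/ "/usr/share/apache2/icons/"
    #<Directory "/usr/share/apache2/icons">
    #    Options FollowSymlinks
    #    AllowOverride None
    #    Require all granted
    #</Directory>
</IfModule>

# Fallback when the Alias has to stay (e.g. another vhost still needs it):
# deny the path in vhost context, which mod_rewrite processes before mod_alias
# resolves the Alias. This cannot be done from .htaccess.
<VirtualHost *:443>
    ServerName example.com   # placeholder
    RewriteEngine On         # not inherited from the server context, so set it here
    RewriteRule ^/icons/ - [F]
</VirtualHost>
```

After either change, run `apachectl configtest` and reload, then request /icons/unknown.gif: with the Alias removed you should see a 404 (unless an /icons/ directory exists under the DocumentRoot), with the vhost rule a 403.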
11:42 pm on Feb 3, 2019 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 323
votes: 24


@lucy24 Ha, feel like I've been caught with my hand in the cookie jar!

I was just curious because you said, "I've never used custom icons". And sure enough, your site (at least the one in your profile) is returning a 404 for such a request. On a "default" Apache install you would (unfortunately) expect a request for "/icons/" to return a directory listing of these "Apache icons", such as: [apache.org...] (regardless of whether you've disabled directory listings for your main site with "Options -Indexes".) or "/icons/unknown.gif" would return the said image.

So, I'm still curious... did you specifically remove this Alias or something?

(It seems this Alias can be defined in a number of places, depending on the version/distribution I guess... In addition to "autoindex.conf", I've seen references to "alias.conf" and the main "http.conf".)
2:13 am on Feb 4, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15507
votes: 752


> did you specifically remove this Alias or something?
I'm on shared hosting, where mod_alias can't be used for anything but redirection. But it makes sense not to alias to something located elsewhere on the server (unless it's something like logs where security really requires a separate location). Poring over Apache docs, it looks as if an /icons/ directory can also perfectly well be physically located within your own userspace or site directory, so if you want to do fancy icons it's up to you to create the directory.

But there must be something more going on at the server level, because setting +FancyIndexing has no effect. (Even without icons, it's supposed to enable header sorting.)
> If the FancyIndexing option is given with the IndexOptions directive, the column headers are links that control the order of the display. If you select a header link, the listing will be regenerated, sorted by the values in that column.
This doesn't work, although IgnoreCase--the only option I could find that definitely has nothing to do with icons--does work.

:: insert fancy icon indicative of bafflement ::

For people coming along later: Part of the above makes reference to a deleted post, so it may appear not to make sense ;)
11:53 am on Feb 4, 2019 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3234
votes: 17


whitespace - this is Mint 18.1. File is /etc/apache2/mods-enabled/alias.conf for future reference.

I wasn't sure whether to comment out the directory - it worked without doing so - but I have done so now.

Thanks again for the help!