APACHE: How do I protect a site using .htaccess and mod_rewrite?
Author(s): Rliskey. Experience level: Beginner. Date added: Monday, 26 March 2007. Date last changed: Friday, 06 July 2007.
Introduction
RobS created a set of mod_rewrite conditions (below) that you can append to the end of your .htaccess file. These conditions block a good number of common exploit attempts while interfering as little as possible with legitimate usage. Each server configuration is unique: if a normal request to your site is forwarded to your home page with a 403 Forbidden error, you will know these settings are misfiring on your site. If a particular rule breaks some feature of your site, just comment it out by placing a # in front of the offending rule.
Note: As of Joomla! version 1.0.11, these settings are included in the file, htaccess.txt (no dot in filename) which is automatically added to your site during the Joomla! install.
Directions
1. Append the following code to the .htaccess file in the same directory as your Joomla! index.php file (often your public_html directory).
2. Test your site.
3. If the site produces errors, comment out all of these lines, and uncomment and test one line at a time until you find the problem directive(s).
4. Try to tweak these directives to work on your server, or leave them commented out.
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked requests to the homepage with a 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
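To see which of the five conditions fires on a given query string, here is an added example (not part of the FAQ or of Joomla!) that re-implements the same regex bodies in Python: `[NC]` becomes `re.IGNORECASE`, the `[OR]` chain becomes "any condition matches", and the sample query strings are constructed for illustration.

```python
import re

# The five RewriteCond patterns from the .htaccess rules above, copied verbatim.
# mod_rewrite tests %{QUERY_STRING} as received (not URL-decoded), which is why
# the patterns list both the raw character and its %XX form; this check does the same.
RULES = [
    ("mosConfig", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)")),
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    ("script-tag", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]


def matching_rule(query_string):
    """Return the name of the first condition that matches, or None if the
    request would pass. RewriteCond matching is unanchored, hence re.search."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# Constructed samples: ordinary Joomla! requests next to the probes the rules target.
SAMPLES = {
    "option=com_content&task=view&id=12&Itemid=2": None,
    "search=javascript+tutorial": None,          # the word "script" alone is not blocked
    "mosConfig_absolute_path=x": "mosConfig",
    "mosConfig_absolute_path%3Dx": "mosConfig",   # "=" sent URL-encoded
    "q=%3Cscript%3Ealert(1)%3C/script%3E": "script-tag",
    "GLOBALS[foo]=1": "GLOBALS",
    "GLOBALS%5Bfoo%5D=1": "GLOBALS",              # "[" sent URL-encoded
    "_REQUEST[option]=com_foo": "_REQUEST",
    "cmd=base64_encode(foo)": "base64_encode",
}


def check_samples(samples=SAMPLES):
    """Return True when every sample is classified as expected."""
    return all(matching_rule(qs) == expected for qs, expected in samples.items())


if __name__ == "__main__":
    for qs, expected in SAMPLES.items():
        verdict = matching_rule(qs)
        print(f"{'BLOCK' if verdict else 'allow':5}  {verdict or '-':14} {qs}")
    print("all samples as expected:", check_samples())
```

A query string that trips a rule here would receive the 403 on the real server; one that returns None passes through untouched.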
More Information
- Help finding or creating your .htaccess file is here.
- Good background information on Apache mod rewrite is on Wikipedia.
Discuss this FAQ here.