Hi.
I rebuilt a website some time ago and made the URLs as SEO- and people-friendly as possible using a PHP script that handled the web pages, using this in .htaccess
(as recommended by a fellow geekUpr)...
########################################################################### ####
# Rewrite any url that doesn't have these file endings to the redirect script
# that will then sort out any further redirections
########################################################################### ####
RewriteRule !\.(js|ico|gif|jpg|png|rdf|css|xml|php|inc|swf|xspf|doc|rtf|pdf|mp3|txt|rss)$ rdirect.php [L]
########################################################################### ####
This works great.
However, I also have the following rewrite rules to block common exploits. This is a fairly common script used by loads of webmasters, I'm sure...
########################################################################### ####
# Begin - Rewrite rules to block out some common exploits
########################################################################### ####
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.html [F,L]
########################################################################### ####
The problem is that the condition that is supposed to give a 403 Forbidden error for putting <script> in the URL doesn't work. I assume this is because most requests are being handled by the rdirect.php script. But I don't know why the condition that forbids adding <script> doesn't kick in before the rdirect condition. Also I assume that this won't stop someone putting this URL in: website.com/directory/list/cheeses/<script>ha!ha!ha!</script>/french/mouldy/smelly/ I want this type of URL to be given a Forbidden error, so surely the {QUERY_STRING} condition isn't the right one, since there is no query string in the URL.
Here is my .htaccess file in full (with certain bits changed, of course, for security). Just wondered people's thoughts on it and if there are any other bits I should add to make the site more secure?
########################################################################### #############################################
# Default .htaccess file
# Version: 1.02
# Date: 20/07/2008
# Author:
# Website: http://example.com/
########################################################################### #############################################
########################################################################### ####
# General Server Changes
########################################################################### ####
# Turn off the short php open tags (i.e. <? ). This is useful when we want to use xml and rss files which use short tags. We wouldn't want to confuse things, would we?
php_flag short_open_tag off
# Make files ending in .php, .html and .xml files etc. parsed by php. If using css, xml or js files, make sure that the correct headers are put in place.
AddType application/x-httpd-php .php .html .xml .css .js
# Display php errors. This is so we can use the 'parse error hack' (see below)
php_flag display_errors on
# Turn html formatting of php errors off. - We don't want php errors to be output in html as we want to format ourselves to use the 'parse error hack'.
php_flag html_errors off
# -- PARSE ERROR HACK --
# Prepend a bit of html to the php parse error so that the page can be automatically refreshed to an error page whilst commenting out php error
php_value error_prepend_string '<html><head><meta http-equiv="refresh" content="0;URL=/errors/problem.html"><!-- '
# Append a bit of html to finish off this redirection page
php_value error_append_string '--></head></html>'
# -- end of PARSE ERROR HACK --
# Get rid of etags. This is to increase performance. See- http://developer.yahoo.com/performance/rules.html#etags
FileETag none
# Set files to expire in far future. This means the files in question should be cached by the visitor's browser for longer and so increase performance
#
# A300 = 5 minutes
# A3600 = 1 hour
# A86400 = 1 Day
# A604800 = 7 days
# A2592000 = 30 days
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A300
ExpiresByType image/x-icon A2592000
ExpiresByType application/x-javascript A3600
ExpiresByType text/css A3600
ExpiresByType image/gif A604800
ExpiresByType image/png A604800
ExpiresByType image/jpeg A604800
ExpiresByType text/plain A300
ExpiresByType application/x-shockwave-flash A604800
ExpiresByType video/x-flv A604800
ExpiresByType application/pdf A604800
ExpiresByType text/html A300
</IfModule>
########################################################################### ####
########################################################################### ####
# Redirect users to custom error pages...
########################################################################### ####
# Partial Content
ErrorDocument 206 /errors/errors.html?code=206
# Bad Request
ErrorDocument 400 /errors/errors.html?code=400
# Not Authorized
ErrorDocument 401 /errors/errors.html?code=401
# Forbidden
ErrorDocument 403 /errors/errors.html?code=403
# File Not Found
ErrorDocument 404 /errors/404.html
# Method Not Allowed
ErrorDocument 405 /errors/errors.html?code=405
# Not Acceptable
ErrorDocument 406 /errors/errors.html?code=406
# Request Time-Out
ErrorDocument 408 /errors/errors.html?code=408
# Conflict
ErrorDocument 409 /errors/errors.html?code=409
# Gone
ErrorDocument 410 /errors/errors.html?code=410
# Requested URI Too Large
ErrorDocument 414 /errors/errors.html?code=414
# Internal Server Error
ErrorDocument 500 /errors/errors.html?code=500
# Not Implemented
ErrorDocument 501 /errors/errors.html?code=501
# Bad Gateway
ErrorDocument 502 /errors/errors.html?code=502
# Service Not Available
ErrorDocument 503 /errors/errors.html?code=503
# Gateway Time-out
ErrorDocument 504 /errors/errors.html?code=504
########################################################################### ####
########################################################################### ####
# Turn Rewriting on
########################################################################### ####
RewriteEngine On
########################################################################### ####
########################################################################### ####
# Get rid of the www. from domain url if there
########################################################################### ####
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
########################################################################### ####
########################################################################### ####
# When running routine maintenance, redirect all users except admin's IP to upgrading page
# Change ip address below to the admins' current IP address
# (see http://whatsmyip.org/ to get current IP)
########################################################################### ####
#rewriteCond %{REMOTE_ADDR} !^92\.40\.23\.148$
#rewriteCond $1 !^errors/
#RewriteRule ^(.*)$ /errors/maintenance.html [L]
########################################################################### ####
########################################################################### ####
# When upgrading, redirect all users except admin's IP to upgrading page
# Change ip address below to the admins' current IP address
# (see http://whatsmyip.org/ to get current IP)
########################################################################### ####
#rewriteCond %{REMOTE_ADDR} !^80\.229\.172\.199$
#rewriteCond $1 !^errors/
#RewriteRule ^(.*)$ /errors/upgrading.php [L]
########################################################################### ####
########################################################################### ####
# Block access to rogue spiders...
########################################################################### ####
RewriteCond %{HTTP_REFERER} q=Guestbook [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craft...@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GornKer [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^Irvine [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^omniexplorer_bot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} dloader(NaverRobot) [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SearchExpress [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Siphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebBandit [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus [OR]
RewriteCond %{HTTP_USER_AGENT} ^ZyBorg [OR]
########################################################################### ####
########################################################################### ####
# Begin - Rewrite rules to block out some common exploits
########################################################################### ####
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.html [F,L]
########################################################################### ####
########################################################################### ####
# Rewrite any url that doesn't have these file endings to the redirect script
# that will then sort out any further redirections
########################################################################### ####
RewriteRule !\.(js|ico|gif|jpg|png|rdf|css|xml|php|inc|swf|xspf|doc|rtf|pdf|mp3|txt|rss)$ rdirect.php [L]
########################################################################### ####
########################################################################### ####
# Other .html and .php redirections not covered in above redirection script
########################################################################### ####
# redirect index.htmls to the directory it is in.
RewriteRule ^(.*)/index\.html$ /$1/ [L]
# redirect index.phps to the directory it is in.
RewriteRule ^(.*)/index\.php$ /$1/ [L]
# redirect works.html to the works directory
RewriteRule ^works\.html$ /works [L]
########################################################################### ####
That's it! If I don't use the redirect php script then I'll add the following...
########################################################################### ####
# Force a trailing slash on the url if one doesn't exist
########################################################################### ####
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
# Makes sure that files that already exist will not get a slash added.
RewriteCond %{REQUEST_URI} !example.php
# The above url should not be rewritten
RewriteCond %{REQUEST_URI} !(.*)/$
# The condition of the url without the trailing slash that the following rule should be executed
RewriteRule ^(.*)$ http://example.com/$1/ [L,R=301]
########################################################################### ####
########################################################################### ####
# Forward any url without the .html extension to the file with .html in it
########################################################################### ####
RewriteRule ^([a-zA-Z0-9-]+)/$ $1.html [L]
########################################################################### ####
Thanks!
Ian
--
Ian Anderson Gray
Partner, Web Designer & Developer
Select Performers
-----------------
Select Performers
28 Clough Lane, Grasscroft, Oldham, Greater Manchester, OL4 4EW
United Kingdom
(t) 0870 777 6475 / (m) 07900 996 328
(e) i.a.g...@selectperformers.com
-----------------
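As an added example (not part of Ian's post or his .htaccess): `%{QUERY_STRING}` only contains what follows the `?`, so a `<script>` tag in the path, as in /directory/list/cheeses/<script>.../, never reaches conditions written against it. The block below checks the path as well, using the decoded path in `%{REQUEST_URI}` and the raw request line in `%{THE_REQUEST}`, which Apache never decodes and in which a browser-sent tag appears as `%3Cscript`. It assumes the .htaccess sits in the document root (so paths start with `/`) and that the custom error pages live under /errors/ as in Ian's file; everything else is illustrative.

```apache
###############################################################################
# Block <script> whether it arrives in the query string, in the decoded path,
# or percent-encoded in the raw request line.
###############################################################################
RewriteEngine On

# Never block the custom error pages themselves. THE_REQUEST keeps the
# original request line across the internal redirect to ErrorDocument 403,
# so without this exclusion the error page would be forbidden as well.
# This condition has no [OR], so it is ANDed with the OR group that follows.
# (Assumes the error pages are under /errors/, as in the posted file.)
RewriteCond %{REQUEST_URI} !^/errors/

# Query string: the original condition, kept for the ?q=<script> case.
# A CondPattern must not begin with "<" or ">": mod_rewrite would read that
# as a lexical comparison, which is why the alternation sits in parentheses.
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Decoded path: mod_rewrite hands REQUEST_URI over already URL-decoded, so
# /cheeses/<script>x</script>/ shows up with literal angle brackets. %3C is
# tested too, to catch a double-encoded %253C that decodes to %3C.
RewriteCond %{REQUEST_URI} (\<|%3C)script [NC,OR]
# Raw request line, e.g. "GET /cheeses/%3Cscript%3E... HTTP/1.1": this is the
# form a browser actually sends, and it is never decoded.
RewriteCond %{THE_REQUEST} %3Cscript [NC]
# "-" leaves the URL untouched; [F] answers 403, so ErrorDocument 403 applies.
RewriteRule .* - [F,L]
```

Check it from the command line before relying on it: a request for /cheeses/%3Cscript%3Ex%3C/script%3E/ should get a 403 and the body of /errors/errors.html?code=403, while a plain request for /errors/errors.html should still return 200. Bear in mind that matching on `<script` is a denylist; it says nothing about `<img onerror=...>` or other tags, so treat it as a tripwire and make sure rdirect.php HTML-escapes any part of the path it echoes back into a page.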