Month: February 2018

3 Things You Should Know About The Apache HTTP htaccess file – 2018


I have been using the Apache HTTP Server since the early 2000s, and it only continues to get better. While most people don’t need to know how to set it up from scratch and configure it, you should know how to use the htaccess file. If you create a file named “.htaccess” in the “public_html” folder of your website, you can do some really neat things. I’ll cover three things everyone using Apache should know.

Block Users With htaccess

You may find yourself wanting to block a certain visitor from your site, and that’s okay, but how do you do it? The snippet below uses the Apache 2.2 access-control syntax (Apache 2.4 still accepts it through mod_access_compat). The Order line matters: with Order Allow,Deny, a matching Deny overrides the Allow, which is what makes the block take effect. Apache also does not allow comments on the same line as a directive, so they go on their own lines.

Order Allow,Deny
Allow from all
# blocks one IP address
Deny from 1.2.3.4
# blocks every IP beginning with 1.3
Deny from 1.3

SEO Friendly URLs With htaccess

If you’re tired of having “index.php” in your URLs, I don’t blame you. Below is a snippet you can add to your htaccess file to rewrite your URLs and remove it. Doing it this way, you don’t have to change any of your code; just add the snippet below. It needs mod_rewrite enabled and an AllowOverride setting that permits FileInfo in .htaccess.

RewriteEngine On
RewriteBase /

# Removes index.php
# leave image requests alone
RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
# don't rewrite requests for real files or directories
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# everything else is routed through index.php
RewriteRule ^(.*)$ /index.php/$1 [L]

# If 404s, "No Input File" or every URL returns the same thing
# make it /index.php?/$1 above (add the question mark)

Forcing HTTPS With htaccess

If your site has an SSL certificate, then I recommend you force your users to use it. That green “Secure” text in the address bar makes everyone feel a little safer, and it helps with SEO. Note that %{HTTPS} only reflects the connection to Apache itself; if TLS is terminated in front of it (a load balancer or CDN), test the X-Forwarded-Proto header instead, or the rule will redirect in a loop.

RewriteEngine On
# %{HTTPS} is "on" only when Apache terminated the TLS connection
RewriteCond %{HTTPS} !on
# permanent redirect to the same host and path, then stop processing rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Conclusion

While nginx gets all the attention lately, we can’t forget about Apache HTTP Server because it’s going to be around for quite a while. Be sure to check out the Apache docs or leave a question below.

If you are familiar with Apache but would like to try nginx, you could always use nginx as a reverse proxy.

How to secure your PHP Web App with a simple Firewall


I was trying to find a simple way to secure my PHP Web App when I realized how difficult it could be. Securing it the easy way cost more money than I’m willing to spend, so I decided to build my own solution.


What are your options?

Compiling nginx with ModSecurity isn’t easy, and I don’t think your WAF (Web Application Firewall) should be tied into your web server. If you want to simplify things, you could use Cloudflare or Sucuri, but that can be expensive. While Cloudflare works great and is fast, shouldn’t you have your own WAF? These services do offer more than just a WAF, so be sure to do your own research before committing to any one solution.


PHP Web App Firewall

I’m writing my PHP WAF in Go. The criteria I set for this project are fairly simple.

Criteria

  • It needs to be uber fast
  • Handle XSS and SQL Injections
  • Work with Docker

The Journey

Two weeks ago I sketched the idea out on the back of an envelope. If nginx could talk to my Go service, and my Go service could talk to PHP-FPM, then this might be a pretty easy solution. I know that nginx has the proxy_pass config option and that Go can handle HTTP traffic. But how can Go talk to PHP-FPM? I did some research and tried out a few different FastCGI client packages for Go until I found one that suited my needs. Now I have two ends of the stick figured out, but I’ve yet to even think about what happens in the middle.

I ended up finding a Go package that does an excellent job at filtering XSS. I then wrote some middleware for HTTP and used that Go package to filter any requests that contain an XSS attempt.

But what about SQL injection? Well, I found some regular expressions that match common SQL injection and implemented them in my HTTP Request analyzer. If any SQL injection is detected, it kills the request and your PHP Web App never sees it. At the time of writing this, I still need to implement more security measures.
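To make the request-analyzer idea concrete, here is an added example of my own, not code from the gowafp repository or its author. It shows the middleware shape described above: an http.Handler wrapper that inspects the decoded path, query parameters and form fields against a small, constructed signature set, returns 403 when one fires, and otherwise passes the request to the upstream handler. Assumptions: a plain handler stands in for the FastCGI hop to PHP-FPM, the four signatures are illustrative rather than a complete rule set, and the XSS filtering the post delegates to a third-party package is not reproduced here.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// sqliPatterns is a constructed, deliberately small signature set. Each entry
// is one well-known injection shape; the name is what gets logged when it fires.
var sqliPatterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"union-select", regexp.MustCompile(`(?i)\bunion\b[\s/*]+(all[\s/*]+)?select\b`)},
	{"quoted-tautology", regexp.MustCompile(`(?i)'\s*(or|and)\s*'[^']*'\s*=\s*'`)},
	{"stacked-ddl", regexp.MustCompile(`(?i);\s*(drop|alter|truncate)\s+table\b`)},
	{"time-based", regexp.MustCompile(`(?i)\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(`)},
}

// Inspect returns the name of the first signature that matches any inspected
// value of r, or "" if the request looks clean. It checks the decoded path,
// every query parameter and every form field of a form-encoded body.
func Inspect(r *http.Request) string {
	values := []string{r.URL.Path}
	for _, vs := range r.URL.Query() {
		values = append(values, vs...)
	}
	if err := r.ParseForm(); err == nil {
		for _, vs := range r.PostForm {
			values = append(values, vs...)
		}
	}
	for _, v := range values {
		for _, p := range sqliPatterns {
			if p.re.MatchString(v) {
				return p.name
			}
		}
	}
	return ""
}

// Firewall wraps the upstream handler: a request that matches a signature gets
// a 403 and a log line, everything else is passed through untouched.
func Firewall(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if sig := Inspect(r); sig != "" {
			log.Printf("blocked %s %s from %s: matched %s", r.Method, r.URL.RequestURI(), r.RemoteAddr, sig)
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// upstream stands in for the FastCGI hop to PHP-FPM (assumption: a plain
// handler is enough to show the pattern; the real service would use a FastCGI client).
var upstream = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "reached PHP")
})

// Verdict sends one constructed request through the firewall and returns the
// HTTP status the client would see. A non-empty body is sent as a form-encoded POST.
func Verdict(target, body string) int {
	var req *http.Request
	if body == "" {
		req = httptest.NewRequest(http.MethodGet, target, nil)
	} else {
		req = httptest.NewRequest(http.MethodPost, target, strings.NewReader(body))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	Firewall(upstream).ServeHTTP(rec, req)
	return rec.Code
}

// Classify is a convenience for GET targets: the signature name, or "" if clean.
func Classify(target string) string {
	return Inspect(httptest.NewRequest(http.MethodGet, target, nil))
}

func main() {
	// Constructed sample traffic: one clean request, two classic injection
	// shapes, and one benign search string that still trips the signature.
	cases := []struct{ target, body string }{
		{"/products?id=42", ""},
		{"/products?id=42%20UNION%20SELECT%20user,pass%20FROM%20users", ""},
		{"/login", "user=admin&pass=%27%20or%20%271%27%3D%271"},
		{"/search?q=Use+UNION+SELECT+to+combine+queries", ""},
	}
	for _, c := range cases {
		fmt.Printf("%-70s -> %d\n", c.target+" "+c.body, Verdict(c.target, c.body))
	}
}
```

The last sample request is the point to notice: a forum search for "Use UNION SELECT to combine queries" is blocked just like the real injection, which is the false-positive cost of regex signatures and why a rule set of this kind needs per-site tuning and good logging rather than silent drops.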

I’ve also built a Docker container that runs this Go app as a service and is pretty easy to set up. While I haven’t used this for anything in production, I have tested it and it was able to handle several thousand requests a second.

Conclusion

This code should actually work with any language that can use FastCGI as a means of communication, but I haven’t tested it. I’m looking for people to help me finish this project since I’m just now learning Go. Please feel free to fork my repo if you can contribute in any way.

github.com/levidurfee/gowafp