BPS HTML htaccess file for HTML websites or subfolders

Home Forums BulletProof Security Free BPS HTML htaccess file for HTML websites or subfolders

This topic contains 1 reply, has 1 voice, and was last updated by  AITpro Admin 5 years, 6 months ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #624

    AITpro Admin
    Keymaster

    Email Question:
    Hello,
    I was wondering if there’s any way to allow .html files in a subdirectory? I have a subdirectory that gives me 404 not found, but if I switch the file to .php it works. Because of something that is in print and can’t be changed, I need to keep a .html file.

    Thanks,
    Tim

    #625

    AITpro Admin
    Keymaster

    You can use an HTML version of the BPS Pro .htaccess files or HTML websites and HTML files in subdirectories.  If your index file is named index.html use the index.html .htaccess file.  If your index file is named index.htm then use the index.htm htaccess file.  You would create a new text document in Notepad (not Word or WordPad) and copy this htaccess code into the text file and save it with the name html.htaccess or htm.htaccess.  Then upload the .htaccess file to the location/folder where your HTML site is located or your sudirectory is located with the HTML files in it.  After uploading the file rename it to just .htaccess.

    If you are not sure about whether you have a root website or a subfolder website then see the Example below.

    HTML htaccess file for HTML sites/subdirectories where the index file is named index.html (not index.htm)

    # BULLETPROOF PRO SECURE .HTACCESS FOR HTML WEBSITES
    
    # This file is created for HTML websites and HTML websites that are in a root website folder
    # if you HTML website is in a subfolder then you will need to change the RewriteBase and RewriteRules
    # to match that subfolder name/path
    # Example: If an HTML website is in a subfolder called /example-html-website then the RewriteBase and
    # RewriteRule in this file need to be changed using these examples below:
    # RewriteBase /example-html-website/
    # RewriteRule ^/example-html-website/index\.html$ - [L]
    # RewriteRule . /example-html-website/index.html [L]
    
    # ADD A PHP HANDLER
    # If you are using a PHP Handler add your web hosts PHP Handler below
    
    # TURN OFF YOUR SERVER SIGNATURE
    # Suppresses the footer line server version number and ServerName of the serving virtual host
    ServerSignature Off
    
    # DO NOT SHOW DIRECTORY LISTING
    # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
    # by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.HTML
    # Use index.html as default directory index file
    # index.php and index.htm will be ignored will not load.
    DirectoryIndex index.php index.htm index.html /index.html
    
    # BRUTE FORCE LOGIN PAGE PROTECTION
    # PLACEHOLDER ONLY
    # Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
    # See this link: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    # for more information.
    
    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.html$ - [L]
    
    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and 
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.html [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]
    
    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.html [L]

    HTM htaccess file for HTM sites/subdirectories where the index file is named index.htm (not index.html)

    # BULLETPROOF PRO SECURE .HTACCESS FOR HTM WEBSITES
    
    # This file is created for HTM websites and HTM websites that are in a root website folder
    # if your HTM website is in a subfolder then you will need to change the RewriteBase and RewriteRules
    # to match that subfolder name/path
    # Example: If an HTM website is in a subfolder called /example-html-website then the RewriteBase and
    # RewriteRule in this file need to be changed using these examples below:
    # RewriteBase /example-html-website/
    # RewriteRule ^/example-html-website/index\.htm$ - [L]
    # RewriteRule . /example-html-website/index.htm [L]
    
    # ADD A PHP HANDLER
    # If you are using a PHP Handler add your web hosts PHP Handler below
    
    # TURN OFF YOUR SERVER SIGNATURE
    # Suppresses the footer line server version number and ServerName of the serving virtual host
    ServerSignature Off
    
    # DO NOT SHOW DIRECTORY LISTING
    # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
    # by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.HTML
    # Use index.htm as default directory index file
    # index.php and index.html will be ignored will not load.
    DirectoryIndex index.php index.html index.htm /index.htm
    
    # BRUTE FORCE LOGIN PAGE PROTECTION
    # PLACEHOLDER ONLY
    # Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
    # See this link: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    # for more information.
    
    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.htm$ - [L]
    
    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and 
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.htm [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]
    
    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.htm [L]

    Examples of a root website/domain and a subfolder website

    This example is assuming the index file is index.html – if your index file is named index.htm then use index.htm instead of index.html

    If you have a website/domain installed/added in a folder named:
    /example.com

    Then this is a separate domain/website. This is a root website and not a subfolder website so the RewriteBase and RewriteRule is:

    RewriteBase /
    RewriteRule . /index.html [L]

    If you had another site installed/added in a subfolder named:

    /example.com/subfolder

    Then this is a subfolder site so the RewriteBase and RewriteRule is:

    RewriteBase /subfolder/
    RewriteRule . /subfolder/index.html [L]
Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.