Blocking access to files by extension in Apache

Usually, you might have a simple rule to prevent users from accessing sensitive files such as “.htaccess“, that rule might look like:

<FilesMatch "^\.ht">
Order deny,allow
Deny from all
Satisfy all
</FilesMatch>

You can also use this capability to prevent other file extensions. For example, if you wanted to block common image formats extensions, you might add the following:

<FilesMatch "\.(gif|png|jpg|ico)$">
Order allow,deny
Deny from all
Satisfy all
</FilesMatch>

Some other file extensions to consider, *.bak, *.old, *.inc

REFERENCES:

Setup of Static IP addresses on Ubuntu

In these examples, I have used the OpenDNS servers, please change as appropriate.


sudo vi /etc/network/interfaces

Example contents:

auto l0 eth0
auto lo
iface lo inet loopback
iface eth0 inet static
address 10.1.10.xxx
netmask 255.255.255.0
network 10.1.10.0
broadcast 10.1.10.255
gateway 10.1.10.1
dns-nameservers 208.67.222.222 208.67.220.220
dns-search home


sudo vi /etc/resolv.conf

NOTE: I’m not 100% sure if this is required!
Add appropriate content, example:

nameserver 208.67.222.222
nameserver 208.67.220.220
search home

sudo restart networking
ifconfig
sudo ifdown eth0 && ifup eth0
sudo restart

REFERENCES:

Sample Tomcat7 setup

There are a few steps that I generally take to setup a new Tomcat server instance, this enables the following:

  • The manager console
  • HTTP compression
  • UTF-8 encoding

Steps:

  1. tomcat-users.xml – add to bottom:

    <role rolename="manager-gui"/>
    <user username="tomcat" password="s3cr3t" roles="manager-gui"/>

  2. server.xml – add compression and URIEncoding, change port if desired:

    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443" compression="on" URIEncoding="UTF-8" />

  3. server.xml – relocate webapps by adding ../ to appBase

    <Host name="localhost" appBase="../webapps"
    unpackWARs="true" autoDeploy="true">

  4. Restart your server, on Ubuntu use:

    sudo service tomcat7 restart

X-Content-Type-Options: nosniff

To prevent XSS/CSRF exploits in MSIE8 and newer, it’s often best to close as many attack vectors as possible. An easy one to implement is an HTTP Header to prevent MSIE from “sniffing” the content to change it when incorrect.

Example: we would not want an HTML page intentionally served with ‘text/plain’ to be rendered as HTML.


X-Content-Type-Options: nosniff
Content-Type: text/plain

This could be added programatically to pages in your application, via a servlet or servlet filter or added to the httpd.conf file.

Apache2 example: httpd.conf

<IfModule headers_module>
Header set X-Content-Type-Options nosniff
</IfModule>

REFERENCES:

NetBeans jdkhome error

After updating the JDK on my development workstations, NetBeans started reporting the following at each start up.

Cannot locate java installation in specified jdkhome:
C:\Program Files\Java\jdk1.7.0_04
Do you want to try to use default version?
[ Yes | No ]

Thankfully, after a little searching, I found that the solution is very simple. You can change the value or comment it out with a # in:
C:\Program Files\NetBeans #.#.#\etc\netbeans.conf

netbeans_jdkhome="C:\Program Files\Java\jdk1.7.0_04

REFERENCES:

HTML5 offline appcache manifest

In my testing, you don’t need to fully embrace HTML5 markup to take advantage of the “offline” functionality, you simply need to add the attribute and related files to your existing website/page. Any modern browser that supports HTML5 should automatically recognize the offline content and use it when appropriate, unfortunately no version of MSIE yet supports this.

<html manifest="/offline.appcache">

In that file, you must then specify the offline behavior, something like this is a good start:

CACHE MANIFEST
#This is to provide minimal HTML5 offline capabilities
#MIME mapping must be 'appcache=text/cache-manifest'
#Reference to this file is per page, you can have different ones in an app.
#Common image files and css may be 'cached'
CACHE:
/index.html
/css/offline.css
NETWORK:
*
FALLBACK:
/ /offline.html

On the server side, you’ll have to serve up that file with the appropriate MIME type (text/cache-manifest, for ApacheHTTPD you simply need to add one line to httpd.conf:

AddType text/cache-manifest .appcache

REFERENCES:

Enable .htaccess on Apache HTTPD Server

Occasionally, there becomes a need to expose the use of the .htaccess file to the domains hosted on your Apache server. This technique is particularly useful when you host websites for external clients (or developers).

The steps to enable it are relatively easy,

  • Uncomment the ‘httpd.conf’ line that reads as:

    LoadModule rewrite_module modules/mod_rewrite.so

  • Review (and replace as appropriate) all cases of :

    AllowOverride None with AllowOverride All

    in the following files:
    httpd.conf, /extra/httpd-vhosts.conf, /extra/httpd-autoindex.conf and any related files you may be using.

  • Add the .htaccess file into the appropriate websites/folders
  • Restart the server to accept the changes

NOTE: If you develop or host on Windows, you’ll likely have problems creating the file because there is no filename, just a file extension. You can create (or download) it from any non-Windows host and use it without additional changes. Apache does let you use a different filename, but you also need to be careful to update related security configuration that is used to prevent download of such files.

Happy hosting!