a pure Raspi web server with Raspbian Debian
Setups and configurations
Raspberry pi - Rpi
Raspi and sftp transfer
Exploring the hw and sw
Firewall explained : ufw
🔑 Secured by fail2ban
Apache / LAMP server
Varnish ram cache
Module : cgi and perl
Modules : php and mysql
⚙ Error handling
Server access log file
Domain with dyndns
Web server usage reports
⛔ Referreral spam
Sitemaps and robots.txt
Server .htaccess handling
The game not the island group
Setup and configuration
Windward first approach🎮 Setup game server
Windward adminstrative
Terrain level alteration
Tailor-made
✂ Embroidery & pennantRegarding unity3d
🙂 In-game char iconsOfficial Windward wiki
🛠 Wiki @gamepedia
This is in German language
💻 Linux - ubuntusers.deGet a handy weather widget
🌤 Weather code snippetHotchpotch of weblinks
📖 Yellow pagesWe got some boring movies
🎥 CinematiqueNo ads, no trackers and
no web beacons. Promised.
Apache 2.4 web server | .htaccess
That is simply just another http web server powered by Apache Software
and the Raspberry pi Foundation with Raspbian Debian OS Stretch Lite on it.
How to create one .htaccess files
You can create one by renaming a simple text document and giving it the name
.htaccess. Upload this text document to root e.g.
/var/www/html.
Eventually you need to CHMOD the .htaccess file to 644 or (rw-r–r–) so that the file is usable by apache and prevents it from being read by a web browser.
user@raspberry:~ $ sudo su
root@raspberrypi:# cd /var/www/html
root@raspberrypi:/var/www/html# chmod 644 .htaccess
One .htaccess will affect all sub-folders in which it is placed.
To make .htaccess working as expected, you need to edit the apache configuration file:
root@raspberry:~# nano /etc/apache2/apache2.conf
<Directory /var/www/>
...
AllowOverride None
...
</Directory>
Change AllowOverride from
Noneto
All.
<Directory /var/www/>
...
AllowOverride All
...
</Directory>
Save Ctrl O the file apache2.conf and close Ctrl X the nano editor.
root@raspberry:~# service apache2 restart
or if Apache requires
root@raspberry:~# systemctl daemon-reload
root@raspberry:~# service apache2 restart
Apache version 2.4 mod_rewrite
directives
Order, Allow, Deny
have changed to
Require all granted
Require all denied
Require not ip
Require not host
RewriteCond %{http_USER_AGENT} ^Mozilla/5.0 zgrab/0.x
RewriteCond %{http_REFERER} (facebook|twitter|amazon)
changed with " "
RewriteCond "%{http_USER_AGENT}" "^Mozilla/5.0 zgrab/0.x"
RewriteCond "%{http_REFERER}" "(facebook|twitter|amazon)"
Examples .htaccess | Apache version 2.4 and higher
# error handling, redirecting to a specific html document/domain
ErrorDocument 404 /404
ErrorDocument 403 https://duckduckgo.com
# disable directory browsing
Options -Indexes
# charset and language
AddDefaultCharset UTF-8
DefaultLanguage en-US
# hide server OS and server IP in error pages
ServerSignature Off
# configuration HTML5 formats
AddType video/mp4 .mp4
AddType audio/mp3 .mp3
❶ Method to ban unwanted beings & bots
If is a match, it is blocked via 403
Forbiddenresponse.
# individual
<Limit GET>
Require all granted
Require not ip 111.222.333.444
Require not ip 111.222.333
Require not ip 111.222
Require not ip 111.222.555.0/24
Require not host example.com
Require not host sub.example.com
Require not host example
</Limit>
# multiple
<Limit POST PUT DELETE>
Require all granted
Require not ip 111.222.333.444
Require not ip 111.222.333
Require not ip 111.222
Require not host example.com
Require not host sub.example.com
Require not host example
</Limit>
GET actually retrieves the resource. HEAD is similar to GET except that the message body is not returned. That is, it gets the file header information and not the entire resource. GET togehter with HEAD may give error 500 message Internal Server Error
.
POST requests are used for HTML/PHP form data, likely be the typical username & password form.
❷ Method to ban unwanted beings & bots
<RequireAll>
Require all granted
Require not ip 111.222.333.444
Require not ip 111.222.333
Require not ip 111.222
Require not host example.com
Require not host sub.example.com
Require not host example
</RequireAll>
Source: apache.org Access Control, 2017
❸ Method to ban unwanted user agents, referers & IPs
# user agents, referers
RewriteEngine on
RewriteCond "%{http_USER_AGENT}" "^.*Mozilla/5.0 zgrab/0.x.*$" [NC,OR]
RewriteCond "%{http_REFERER}" "^.*(ru|ua|io|gov).*$" [NC]
RewriteRule "^/$" "-" [F,L]
RewriteEngine on
RewriteCond "%{http_USER_AGENT}" "^.*(YandexBot|SemrushBot|Wget).*$" [NC,OR]
RewriteCond "%{http_REFERER} "^.*(ru|ua|kz|by).*$" [NC,OR]
RewriteCond "%{http_REFERER} "^.*(facebook|twitter|amazon|etc.net).*$" [NC]
RewriteRule "^/$" "-" [F,L]
# IPs
RewriteEngine on
RewriteCond "%{REMOTE_ADDR}" "111\.222\.333\.444"
RewriteRule "^/$" "-" [F,L]
RewriteEngine on
RewriteCond "%{REMOTE_ADDR}" "111\.222" [OR]
RewriteCond "%{REMOTE_ADDR}" "333\.444\.555" [OR]
RewriteCond "%{REMOTE_ADDR}" "666\.777\.888\.999"
RewriteRule "^/$" "-" [F,L]
That requires to activate the mod_rewrite module. To enable mod_rewrite if it's not already.
Apache2 enable module:
root@raspberry:~# a2enmod rewrite
Module rewrite (already) enabled
root@raspberry:~# service apache2 restart
Reloads all the Apache config files.
Or as per new unified system control way:
root@raspberry:~# systemctl restart apache2
Disable php, Perl, CGI execution
# directive preferred
<FilesMatch ".*\.(php|pl|cgi)$">
Require all denied
</FilesMatch>
Send unwanted sniffers away
Most probably you detect in apache.log entries like ...
120.27.35.11 - - [16/Jan/2018:11:58:42 +0100]
"GET / http/1.1" 200 25057 "-" "-"
120.27.35.11 - - [16/Jan/2018:11:58:44 +0100]
"GET /xmlrpc.php http/1.1" 404 379 "-" "-"
120.27.35.11 - - [16/Jan/2018:11:58:44 +0100]
"HEAD /wp-login.php http/1.1" 404 379 "-" "-"
120.27.35.11 - - [16/Jan/2018:11:58:44 +0100]
"HEAD /mysql.php http/1.1" 404 379 "-" "-"
... and you don't use Wordpress, php, CGI-scripts or other features, then send the hackers & spies away by deploying the RedirectMatch 302 directive. A 302 redirect means that the page has moved to other location.
RedirectMatch 302 ^/xml.*$ https://duckduckgo.com
RedirectMatch 302 ^/wp-.*$ https://duckduckgo.com
RedirectMatch 302 ^/mysql.*$ https://duckduckgo.com
But handle carefully with ^/abc.*$
.
That may exclude any URI if it has a /abc
.
16-Jan 2018
To be with http://www.
or not to be with http://www.
❓
This all depends to your internet service provider support. Point out that without the www.
it’s simply not necessary. Neither is better than the other. But it is recommended that you use only one format. Either of the format is equally good. Without www.
all URLs are shorter, easier to read and quicker to type.
root@raspberry:# nano /var/www/html/.htaccess
Implement this snipped beyond of others on top of the .htaccess file.
⚠ Of course replace wih your own second level domain name (SLD) and top level domain name (TLD).
RewriteEngine on
Options +FollowSymLinks
RewriteCond "%{http_HOST}" "^www\.example\.com$" [NC]
RewriteRule (.*) "http://example.com/$1" [R=301,L]
08-Apr 2018