
I have a server with a security flaw:

There's the main site https://example.com (in the server's /var/www folder). Then there's an additional app (in /var/www/app/public on the server) that is configured to be served at https://app.example.com.

So the app is also reachable via https://example.com/app/public (I'd like to change that).

I also have the problem that the whole app is stored on the server for the developer. This means all resource files are also stored in a public folder, for example https://example.com/app/config/settings.php

Now to fix this I thought I'd put a .htaccess into https://example.com/app with the following code:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^example\.com/app$ [NC]
RewriteRule ^(.*)$ https://app.example.com/ [R=301,L]

This would redirect everything with the wrong URL (example.com/app/, example.com/app/public, example.com/app/resources, ...) to https://app.example.com.

But when testing it, it doesn't work. I've probably messed up the syntax. Not very experienced with .htaccess. Tried for an hour with a .htaccess tester but didn't succeed. Can you (1) tell me what I'm doing wrong with the .htaccess syntax and (2) tell me if this workaround with the .htaccess is more or less safe enough?

  • Don't use htaccess files and simply place the configuration directives in the httpd.conf of the specific virtualhost entry for app.example.com and/or www.example.com - https://httpd.apache.org/docs/2.4/howto/htaccess.html#when – Rob May 13 '22 at 10:27
  • Thanks for your reply. I've modified the httpd (and httpd-ssl).conf and added `Order Allow,Deny` `Deny From All` inside the of the domain example.com. It works! – grimnebluna May 13 '22 at 11:38
  • `Order` and `Deny` directives are Apache 2.2 and formerly deprecated. You should be using `Require all denied` on Apache 2.4+ instead. – MrWhite May 13 '22 at 11:56
  • ok, will do. thank you! – grimnebluna May 13 '22 at 11:59
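As an added example (not the asker's or the commenters' configuration), here is a vhost-level Apache 2.4 configuration that does what the comments recommend, using the hostnames and paths from the question; the certificate paths are placeholders.

```apache
# Added example, not part of the original question or comments.
# Hostnames and directories are those named in the question;
# certificate paths are placeholders.

# Main site: only /var/www is served. The developer's app tree underneath
# it is denied outright, so neither /app/public nor /app/config/settings.php
# can be fetched through example.com.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www
    SSLEngine on
    SSLCertificateFile    /PLACEHOLDER/path/to/example.com.crt
    SSLCertificateKeyFile /PLACEHOLDER/path/to/example.com.key

    # Apache 2.4 syntax, replacing the 2.2-style
    # "Order Allow,Deny" / "Deny from all" from the comments.
    <Directory /var/www/app>
        Require all denied
    </Directory>

    # Optional: send the old URLs to the app's own hostname instead of a 403.
    # HTTP_HOST never contains a path, so a RewriteCond on
    # "^example\.com/app$" can never match; match the path in the rule instead.
    # In vhost context the pattern sees the full URL path, leading slash included.
    RewriteEngine On
    RewriteRule ^/app(/.*)?$ https://app.example.com/ [R=301,L]
</VirtualHost>

# App site: DocumentRoot is the app's public/ directory only, so config/,
# resources/ and the rest of the tree sit outside the web root and have
# no URL at all on this host.
<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /var/www/app/public
    SSLEngine on
    SSLCertificateFile    /PLACEHOLDER/path/to/app.example.com.crt
    SSLCertificateKeyFile /PLACEHOLDER/path/to/app.example.com.key

    <Directory /var/www/app/public>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` after editing, then confirm with `curl -I https://example.com/app/config/settings.php` that the response is a 301 to app.example.com (or a 403 if the redirect is left out) rather than a 200.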
