4

I need to redirect all requests on an Apache 2.2 server for any directory that gives a 403 to a 404 not found.

Ex:

  • /xyz or /xyz/ throws a 403 -> redirect to 404
  • /xyz/sometext.txt returns normally.

Looking around, I came across this post:

Problem redirecting 403 Forbidden to 404 Not Found

RedirectMatch 404 ^/include(/?|/.*)$

/include 404 (instead of 403)
/include/ 404
/include/config.inc 404 (instead of 403)

However, the last case for that also returns a 404. Also, it only affects /include/ directory, I was looking more for any forbidden directory. So far I have:

RedirectMatch 404 ^[\/[\w+]]+\/$

Anyone have an idea of how to accomplish this? Thanks.

Tui Popenoe
  • Why not just use an `ErrorDocument 403 /404.html`? And then you can make it say whatever you want. – Panama Jack Mar 31 '14 at 19:07
  • That works for the end document, but I believe the headers still remain as 403s. So automated attacks wouldn't even be fazed. – Tui Popenoe Mar 31 '14 at 20:30

2 Answers

12

To return 404 Not Found for any request that is causing a 403 today, you can do:

ErrorDocument 403 /404.php

And then in /404.php you can add this line to return 404 status to clients:

<?php
# your custom 404 content goes here

# now make it return 404 status to browser
http_response_code(404);
?>

To return 404 for all the requests to directories, you can do:

RewriteEngine On

# Only when the requested path resolves to an existing directory
# (note: in .htaccess this also matches the document root itself)
RewriteCond %{REQUEST_FILENAME} -d
# Stop rewriting and answer with a plain 404 status
RewriteRule ^ - [L,R=404]
anubhava
  • This won't work because it is simply overriding the 403 document with a 404, an astute attacker would still be able to tell the difference in the response header. – Tui Popenoe May 20 '14 at 03:06
  • It answers what you asked, i.e. **`Redirect all Apache 2.2 403 Forbidden to 404 Not Found`**. There was no question about defending against attacks etc. How would an attacker know the difference just by looking at a response header which is returning status=404 and presenting content which is a custom 404 document? If you clarify further what exact behavior you want from this 404/403 handling, I can try to address that concern. – anubhava May 20 '14 at 07:14
  • Basically, use a regular expression to replace all 403 responses with 404s on the Apache server, not just replacing the error document. If you just replace the error document, the header will still reveal that the resource is forbidden. – Tui Popenoe May 23 '14 at 20:05
  • No, that's not correct. Read my answer again. Replacing the error document is just one part. It is also replacing the status code with 404 by using `http_response_code(404);`, so a client will never get to know it was originally 403. – anubhava May 24 '14 at 03:53
  • That is using PHP specifically. I am asking about redirecting using the .htaccess file. – Tui Popenoe Jan 25 '15 at 05:40
  • Well, the rewrite rule shown above is returning 404 via .htaccess only for directories. The first snippet is using PHP since you want to invoke a custom handler for the 403 error first and then set the 404 HTTP status code later. – anubhava Jan 25 '15 at 15:14
  • Using your .htaccess alterations I get: `Internal Server Error` for any page requests at any location, whether they exist or not. – Joe Shanahan Jun 18 '15 at 18:56
  • Error: [Thu Jun 18 19:54:16.436410 2015] [core:alert] [pid 4964:tid 804] [client 127.0.0.1:57477] C:/~snip~/.htaccess: Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration – Joe Shanahan Jun 18 '15 at 20:37
  • My issue was WAMP has the rewrite module disabled by default, for anyone coming here in the future! – Joe Shanahan Jun 18 '15 at 20:42
  • Hmm another issue, using this causes accessing my css to report 404? It's stored within `css/main.css` for what it's worth? – Joe Shanahan Jun 18 '15 at 20:46
  • @Joe: We cannot solve new problems using comments. Open a new question with all the details and I will attend. – anubhava Jun 18 '15 at 20:47
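As an added example (not the answer's own code), here is a complete `/404.php` that can serve as the ErrorDocument for both 403 and 404, so the status line the client sees is always 404 while the real cause is still logged server-side. It assumes Apache sets `REDIRECT_STATUS` for the handler (standard ErrorDocument behaviour) and adds a `header()` fallback for PHP builds older than 5.4 that lack `http_response_code()`; as the second answer notes, this file must live outside the access-denied area.

```php
<?php
// Added example, not from the original answer. Use from .htaccess or httpd.conf as:
//   ErrorDocument 403 /404.php
//   ErrorDocument 404 /404.php
// Apache passes the status that triggered the handler in REDIRECT_STATUS.
$original = isset($_SERVER['REDIRECT_STATUS']) ? (int) $_SERVER['REDIRECT_STATUS'] : 404;
$uri      = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';

// Whatever the original code was (403 or 404), the client gets a 404 status line.
if (function_exists('http_response_code')) {
    http_response_code(404);                                   // PHP >= 5.4
} else {
    header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found');     // older PHP on 2.2-era hosts
}
header('Content-Type: text/html; charset=utf-8');

// Keep the distinction for the operator: the error log records the true cause,
// so forbidden paths can still be monitored even though clients only see 404.
error_log(sprintf('error handler: original status %d for %s', $original, $uri));
?>
<!DOCTYPE html>
<html>
<head><title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested resource could not be found on this server.</p>
</body>
</html>
```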
0

As long as your error document for 403 is in the restricted area, it will never show up; it must be outside the access-denied area.