Apache: return 404 instead of 403 w/ mod_access

I like the syntax of the Order deny,allow approach to restricting access and I'm trying to avoid mod_rewrite: is there a way I can make unauthorized IPs just see a 404 instead of a 403, which is the HTTP code for "THERE'S TOP SECRET STUFF HERE STOP LOOKING"?

Thanks.


Solution 1:

The 403 page is dependent on Apache serving that HTML. You can override it for any <Location> or <Directory> directive simply by using the ErrorDocument directive:

```
<Directory /web/docs>
    ErrorDocument 403 /404-page.html
</Directory>
```

Etc. http://httpd.apache.org/docs/1.3/mod/core.html#errordocument

Solution 2:

Please note that this looks like, but is not, a solution!

When just serving a custom error page (such as a fake 404 for a 403 error), you may get the desired result in your web browser, but a remote attacker is still able to get the true HTTP response from the server, which is still 403 (Forbidden), and thus, he can guess the filesystem structure.

Here you can see a `curl -v -X GET http://desidered.path/forbidden_badly_hidden_folder/`:

```
< HTTP/1.1 403 Forbidden
< Date: Thu, 04 Nov 2010 14:42:52 GMT
< Server: Apache/2.2.8 (CentOS)
< X-Powered-By: PHP/5.2.10
< Content-Length: 202
< Connection: close
< Content-Type: text/html; charset=ISO-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
```

Well, I can work around this and get the desired output (404 Not Found) with a specific per-folder rule:

```
RewriteRule ^/WebSite/forbidden_badly_hidden_folder$ /error/fake_404_403.php
RewriteRule ^/WebSite/forbidden_badly_hidden_folder/$ /error/fake_404_403.php
```

Where /error/fake_404_403.php is purposely a nonexistent page; you will then get the following output from the same curl test:

```
< HTTP/1.1 404 Not Found
< Date: Thu, 04 Nov 2010 14:43:12 GMT
< Server: Apache/2.2.8 (CentOS)
< X-Powered-By: PHP/5.2.10
< Content-Length: 202
< Connection: close
< Content-Type: text/html; charset=ISO-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
```

Which is the desired behaviour.

My question is: is it possible to write one global rule that does such a job for any 403 (F) resource under /var/www/html and its subfolders, rewriting it to a nonexistent path and then returning the wanted 404 Not Found?

Thanks a lot in advance and best regards

Marco
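
The curl comparison from Solution 2 can be automated as a configuration check. This is an added example, not code from either answer: it parses `curl -v` output for a protected path and for a control path that genuinely does not exist, and lists everything that lets a client tell the two apart. The function names are hypothetical, and the sample responses are abridged from the outputs quoted above.

```python
import re

# Abridged from the two curl -v outputs quoted in the post above.
MASKED_403 = """\
< HTTP/1.1 403 Forbidden
< Server: Apache/2.2.8 (CentOS)
< Content-Length: 202
< Content-Type: text/html; charset=ISO-8859-1
<
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
"""
REAL_404 = MASKED_403.replace("403 Forbidden", "404 Not Found", 1)

def parse_curl_verbose(text):
    """Return (status, headers, body) from `curl -v` response output."""
    status, headers, body = None, {}, []
    for line in text.splitlines():
        if line == "<" or line.startswith("< "):      # response header lines
            field = line[2:].strip()
            m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", field)
            if m:
                status = int(m.group(1))
            elif ":" in field:
                name, value = field.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        elif not line.startswith(("> ", "* ")):        # skip request/info lines
            body.append(line)
    return status, headers, "\n".join(body).strip()

def masking_gaps(protected, control):
    """List observable differences between a protected path and a real 404."""
    p_status, p_hdrs, p_body = parse_curl_verbose(protected)
    c_status, c_hdrs, c_body = parse_curl_verbose(control)
    gaps = []
    if p_status != c_status:
        gaps.append(f"status line differs: {p_status} vs {c_status}")
    title = re.search(r"<title>\s*(\d{3})", p_body)
    if title and int(title.group(1)) != p_status:
        gaps.append(f"body claims {title.group(1)} but status is {p_status}")
    for name in sorted(set(p_hdrs) | set(c_hdrs)):
        if name != "date" and p_hdrs.get(name) != c_hdrs.get(name):
            gaps.append(f"header differs: {name}")
    if p_body != c_body:
        gaps.append("body differs")
    return gaps

if __name__ == "__main__":
    for gap in masking_gaps(MASKED_403, REAL_404):
        print(gap)
```

An empty list means the protected path and the control path look the same on the wire; the `ErrorDocument`-only setup from Solution 1 fails the first two checks.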