Is there a way to force apache to return 404 instead of 403?

Related searches

Is there a way how I can configure the Apache web server to return a 404 (not found) error code instead of 403 (forbidden) for some specific directories which I want to disallow to be accessed?

I found some solutions suggesting the use of mod_rewrite, like e.g.

RewriteEngine On
RewriteRule ^.*$ /404 [L]

As the purpose of sending 404 instead of 403 is to obfuscate the directory structure, this solution is too revealing, because it redirects to some different location which makes it obvious that the directory originally accessed does in fact exist.

RedirectMatch as in e.g.

RedirectMatch 404 /\.

does the trick, it prohibits access to all files or directories starting with a dot, giving a "404 Not Found" error.

From the Apache manual: "The Redirect[Match] directive maps an old URL into a new one by asking the client to refetch the resource at the new location." By default, Redirect sends a 302 return code, but it can also return other status codes as shown above.

Redirecting to 404 from 403, The 403 page is dependant on Apache serving that html.. you can override it for any <Location> or <Directory> directive simply by using the� If you want to 'create' a conditional 404 with mod_rewrite, simply internally-rewrite the request to a non-existent URL-path. Or use the [G] flag on a rule to create a 410-Gone response for HTTP/1.1 clients (and later).

You can make something like this:

.htaccess

ErrorDocument 403 /error/404.php

404.php

<?php
$status = $_SERVER['REDIRECT_STATUS'] = 404;
header( $_SERVER['SERVER_PROTOCOL'] . ' ' . $status);
?>

404 Error

Apache: return 404 instead of 403 w/ mod_access, Create a custom 403 script that returns an 404 error instead. Now configure Apache to use this script for 403 results: This is the last solution if there is no way to configure your server or to use .htaccess files. Additionally The second line of .htaccess disallow access to list items in app directory and all its subridectories. Viewed 3k times. 0. I have this simple mod_rewrite rule in my .htaccess, and both my browser tools (Firebug and Web Dev Toolbar) and my apache logs are showing the server returning a 404 instead of 403.

After having the same problem, I ended up with the following .htaccess file

Options -Indexes
RewriteCond %{HTTP_HOST} ^(www\.)?mydomain.com [NC]
RewriteRule ^(.*)/$ - [R=404,NC]

The 1st and 3rd line ensure that you can't list the folder content, and if you do it you will receive a 404 error. The RewriteCond directive ensures that this rewrite rule only applies to main domain. Since I have several subdomains, without the rewritecond, accessing www.mydomain.com/subdomain was also returning a 404, which was not what I intended.

Disable directory listings with 404 instead of 403, If somebody is trying to access a file or a folder on your server the least they know the How to force apache to return 404 instead of 403? That rule will return a 404 instead of the 403 Forbidden for the existing directory as you can see i had to write two rules with and without the ending / to handle both cases What i would like to write is one global rule that rewrites any 403 forbidden to a 404 not found. Please note that is not enough to serve custom error pages, such as:

In my opinion making this task in .htaccess is quite ugly solution.

It is possible to make it in apache configuration. Take a look:

Add to your apache config:

ErrorDocument 403 /404

Then restart apache:

service apache2 restart

That is all.

How to Return Page Not Found Error (Status 404) Instead of Access , I've been looking over my Apache logs and I noticed someone's /1486304/is- there-a-way-to-force-apache-to-return-404-instead-of-4. By default you don't need to do anything to return a 404; it simply means "The server can't find the file". If the request is for a directory, and there's no available index file and auto-indexing is disabled, the automatic response will instead be 403.

To change all 403,400 errors into 404 errors, put this at the end of /etc/apache2/conf.d/localized-error-pages OR into a .htaccess

# Will raise a 404 error, because the file <fake_file_for_apache_404.php> doesn't exist.
# We change 403 or 400 to 404 !
ErrorDocument 400 /fake_file_for_apache_404.php
ErrorDocument 403 /fake_file_for_apache_404.php
# We need to rewrite 404 error, else we will have "fake_file_for_apache_404.php not found"
ErrorDocument 404 "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL <script type=\"text/javascript\">document.write(document.location.pathname);</script> was not found on this server.</p></body></html>"
ErrorDocument 500 "Server in update. Please comme back later."

Show 404 instead of 403, possibly with URL Rewrite. How safe?, In short the handler will handle all requests to the docs folder and return 404 status (look at web.config params). If you wish to add more logic in the ProcessRequest function it is up to you but the initial request was to block everything and hide the 403 status.

Sure. Regardless of the directory-depth, if there is no filetype in the requested URI and the URI does not resolve to an existing directory-index file, then internally rewrite to an known-non-existent file to force a 404: RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^([^/]+/)*([^./]+)?$ /filepath-which-does-not-exist [L]

Is there a way to server 404 instead of 403 when matched with "deny from"? For example: <Files *> order deny,allow deny from 127.0.0.1 </Files> This will normally server a 403. But I want to server 404.

Many things can trigger 403 errors, I.e: web application firewalls (WAFs) and intrusion detection systems (IDS’); depending on the nature of your attacks, there are a myriad of ways to bypass said security measures. SQLi, RFI, LFI, and most other attack vectors have different routes you can take to carry out an attack.

Comments
  • Does this question solve your problem?
  • I didn't consider this question when I first saw it (too confusing), but after a second glance I found the line I've been looking for, thanks.
  • +1, but to match a single dot anywhere in the url path, do we really need the quotes and the dot-star? I.e., can't we just do RedirectMatch 404 /\. instead of RedirectMatch 404 ".*\/\..*" ?
  • @fuenfundachtzig it returns 403 for ".git/.htaccess"and ".git/.php" instead of 404
  • @Awaaaaarghhh, that's likely because you have a FilesMatch directive in your apache configuration that takes precedence. A custom ErrorDocument for 403 as suggested in Tomer's answer would cover this case, too, but requires php.
  • @fuenfundachtzig but requires php, no, why php?! - you can use also static html documents like "my404error.html" for your custom ErrorDocument! that's likely because you have a FilesMatch dir, no, i tested it without RedirectMatch. anyway thank you! :) I was able to fix everything, now all requests return 404 error: stackoverflow.com/a/61199481/4224741 (I used FilesMatch). I tested a lot & read apache docs, but was not able to use RedirectMatch properly in that specific case.
  • Because with html you won't be able to change 403 to 404.
  • Why is this not upvoted enough? I used this solution. It's very straightforward. However, since I have PHP >= 5.4.0, I simply used <?php http_response_code(404); ?> at the top of the 404.php page. This way I can use ErrorDocument *** any code *** /error/404.php and they will all become 404 in the HTTP header.
  • What if I want to send all requests to a unique index.php front controller script and have it decide if 404.php should be executed?
  • @ADTC, it's not relevant to the question, which was how to ask Apache to do this, not PHP.
  • @ChrisCogdon How to ask Apache to do this > this is exactly what .htaccess, an Apache-readable file, does. So in the end, this answer is still asking Apache to do this. Apache executes the 404.php file when there is a 403 error. PHP parses the file and sends the output through Apache web server to the browser. Where's the irrelevancy in this?
  • @tonix you simply need to redirect all the error codes to index.php and write the PHP script in it to do the needful (check and decide if 404, then include 404.php otherwise include some other content).