I'd like to use settings in my .htaccess-file to exclude certain files from being displayed.
For some files (here data/important.json) I want that even authenticated users are exceluded from viewing the content those files.
For other files (here showerror.php) I'd like to give access to everyone.
The .htaccess-file in my root directory contains:
SetEnvIf Request_URI ^/showerror.php noauth=1
#SetEnvIf Request_URI ^/data/important.json noway=1
Order Deny,Allow
Satisfy any
Deny from all
Require user TestUser
Allow from env=noauth
#Deny from env=noway
The .htaccess-File of the folder /data/ contains:
<Files "important.json">
#Order Allow,Deny
Deny from all
</Files>
It seems that the Satisfy any allows authenticated users to view the file. So is there a way to also exclude authenticated users from viewing the content of important.json?
You can simply overwrite the require of your root-.htaccess with the following require-setting in the .htaccess of your subdirectory:
Require all denied
Also see: https://httpd.apache.org/docs/current/upgrading.html
If you'd like to do this file by file, use:
<Files "important.json">
Require all denied
</Files>
I have an .htacces file and I am trying to open up access to a file and folder within a protected folder.
The file is index.php so I do the following:
<Files index.php>
Order Allow,Deny
Allow from All
Satisfy Any
</Files>
This works and give me access to this file. This file requires assets from the assets/ directory. So I try to open that directory up by doing the following:
<Directory "/assets">
Order Allow,Deny
Allow from All
Satisfy Any
</Directory>
But this is giving me a 500 error. Not sure why.
You can't use the <Directory> container inside an htaccess file (which is essentially like the <Directory> container itself). If you want to allow access to assets, then create an htaccess file inassets with just:
Order Allow,Deny
Allow from All
I'm trying to deny users from accessing the site/includes folder by manipulating the URL.
I don't know if I have to deny everything and manually make individual exceptions to allow, if I can just deny this one folder, or if there's a rewrite function that can be used.
Specific example: I don't want to see the directory files by typing in localhost/site/includes into the URL.
Create site/includes/.htaccess file and add this line:
Deny from all
You can also deny access to a folder using RedirectMatch
Add the following line to htaccess
RedirectMatch 403 ^/folder/?$
This will return a 403 forbidden error for the folder ie : http://example.com/folder/ but it doest block access to files and folders inside that folder, if you want to block everything inside the folder then just change the regex pattern to ^/folder/.*$ .
Another option is mod-rewrite
If url-rewrting-module is enabled you can use something like the following in root/.htaccss :
RewriteEngine on
RewriteRule ^folder/?$ - [F,L]
This will internally map a request for the folder to forbidden error page.
In an .htaccess file you need to use
Deny from all
Put this in site/includes/.htaccess to make it specific to the includes directory
If you just wish to disallow a listing of directory files you can use
Options -Indexes
We will set the directory to be very secure, denying access for all file types. Below is the code you want to insert into the .htaccess file.
Order Allow,Deny
Deny from all
Since we have now set the security, we now want to allow access to our desired file types. To do that, add the code below to the .htaccess file under the security code you just inserted.
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
your final .htaccess file will look like
Order Allow,Deny
Deny from all
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Source from Allow access to specific file types in a protected directory
You can create a .htaccess file for the folder, wich should have denied access with
Deny from all
or you can redirect to a custom 404 page
Redirect /includes/ 404.html
Just put .htaccess into the folder you want to restrict
## no access to this folder
# Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
Source: MantisBT sources.
Creating index.php, index.html, index.htm is not secure. Becuse, anyone can get access on your files within specified directory by guessing files name. E.g.: http://yoursite.com/includes/file.dat
So, recommended method is creating a .htaccess file to deny all visitors ;). Have fun !!
You can also put this IndexIgnore * at your root .htaccess file to disable file listing of all of your website directories including sub-dir
On Apache 2.4 you can use an Apache <If> expression in the root .htaccess file to block direct access to this specific subdirectory and everything within it.
For example:
<If "%{REQUEST_URI} =~ m#^/site/includes($|/)#">
Require all denied
</If>
You can do this dynamically that way:
mkdir($dirname);
#touch($dirname . "/.htaccess");
$f = fopen($dirname . "/.htaccess", "w");
fwrite($f, "deny from all");
fclose($f);
For some reasons which I did not understand, creating folder/.htaccess and adding Deny from All failed to work for me. I don't know why, it seemed simple but didn't work, adding RedirectMatch 403 ^/folder/.*$ to the root htaccess worked instead.
Here is my directory structure
root
private
public
Using .htaccess and/or httpd.conf, I want to limit access to the private folder to only code executed from the root folder. So, no external access to anything in the private folder. Honestly, I have tried a lot of options, but nothing seems to work.
My test environment is XAMPP - installed on my local machine.
EDIT
One of the issues I encountered was using the wrong directory path. I created a simple PHP page with just phpinfo()
<?php
phpinfo();
?>
In the PHP Variables section, I looked for _SERVER["CONTEXT_DOCUMENT_ROOT"]. I used this for the directory path and then added private (the folder in the root that I wanted to limit access to). Thus, my completed code in the httpd.conf is below:
<Directory "E:/xampp/htdocs/home/private">
Order deny,allow
Deny from all
</Directory>
Using Order deny,allow and Deny from all should be already sufficient
Order deny,allow
Deny from all
If you put this in a .htaccess in the private folder, all access from outside will be prohibited.
Alternatively, you can put it in a <Directory /path/to/root/private> in httpd.conf, which has the same effect
<Directory /path/to/root/private>
Order deny,allow
Deny from all
</Directory>
Update:
According to Apache HTTP Server Tutorial: .htaccess files you should prefer httpd.conf over .htaccess files
You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.
I have a apache machine which is serving a .js file. That file should be the only file that need to seen.
I have configured to do so in my apache like this :
<Location /var/www/test/test.js>
Order allow,deny
Allow from all
</Location>
The site address is test.in which points to test.js file in /var/www/test directory. That is working fine. But I wish when the user tries to hit test.in/someurl (which is not available) or some other url than test.in need to give an message with 401 error.
How do I do that? Thanks in advance.
You misused <Location> - the argument should be URI not the directory path... You should use <Directory> to get the expected behavior.
I would do something like this (you should finetune it, it shows just the principle):
# first deny access to everything
<Location />
Order Deny,Allow
Deny from All
</Location>
# then allow access to specific URL
<Location /test/test.js>
Order Allow,Deny
Allow from All
</Location>
Have a look on Order directive and one or more of following: Location, LocationMatch, Directory, DirectoryMatch, Files, FilesMatch, etc.