I am trying to write an .htaccess file to only allow access to pdf files in a subdirectory. I'm going to deploy the file on a host that I don't control, so I can't make changes to the apache configuration.
I want to only allow access to .pdf files in the Foo directory. I have attempted:
Deny From All
<FilesMatch ".+\/Foo\/.+\.pdf$">
Allow From All
</FilesMatch>
However, when I attempt to access example.com/bar/Foo/baz.pdf, I am given an HTTP 403 Forbidden response.
How can I deny access to everything, except for pdf files in one particular directory?
Thanks
Create a this inside root .htaccess as your very first rule:
RewriteEngine On
# prohibit everything except .pdf files
RewriteRule ^foo/(?!.*\.pdf$) - [F,NC]
Related
I have the following file structure in cPanel
web_root_folder_
|____.neverDelete/_____
| |_____img/logo-30.png
| |_____js/error-page.js
| |_____css/error-page.css
|
|____403.shtml
|
|____.htaccess
I wanted to write .htaccess with some code that puts the website in 'maintenance mode'.
So...I wrote 403.shtml page, which uses external css, javascript and images stored in .neverDelete folder.
I wrote the following code in .htaccess
# The WORKING CODE (Too Long 😑)
Deny From All
<FilesMatch 404-layout.min.css>
Allow From All
</FilesMatch>
<FilesMatch logo-small-transparent-30.png>
Allow From All
</FilesMatch>
<FilesMatch error-page.js>
Allow From All
</FilesMatch>
This code successfully worked. It implemented a 403(forbidden) for all files except the 3 files (mentioned in .htaccess file)
but, I want to make all the files n folders present in .neverDelete/ to be served on my website when in maintenance mode.
So i visited http://httpd.apache.org/docs/1.3/mod/core.html#directory to get help. I wrote the code in .htaccess below that actually gave in a 500(server error).
# WRONG CODE
Deny From All
<Directory .neverDelete/ >
Allow From All
</Directory>
How can I make all the files n folders present in .neverDelete/ to be served on my website when in maintenance mode.
Thanks to #CBroe
In the .htaccess file, we can't use a <Directory> container, since the .htaccess file itself defines the directory.
Since .htaccess defines the directory...we can put a .htaccess file in the .neverDelete/ directory with the following code
Allow from all
This will make the contents of the .neverDelete/ directory always available.
On a subdomain I want to use only a .htaccess file for redirects. No PHP, no database or something else will be used. Can a .htaccess file still be hacked? What should I do to protect it?
The apache2.conf file has following lines by default which prevent viewing of htaccess files:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
It will not be visible under standard Apache setup which blocks all files starting with.ht from being served. So nobody will be able to view the contents or get at it through the Apache front-end. Take the usual precaution of having it be 644 permissions and not owned by the user that Apache runs as. No extra security needed outside of protecting your server generally.
Check that the standard protection is in place, so it can't be viewed. Easiest way is just to try visiting it in a web browser. You should get a 403 forbidden.
If you're worried you could put the rules in the main server config instead. I wouldn't worry as long as the above is in place.
I want to restrict access to some folders and files but only when a user tries to access to it through the url, not when the website access to these files. For example restrict the folders images, javascript,...
I tried in different ways but I always got error 500.
Basically, I don't want external users to list my website directory and open their files, if it is possible to accomplish.
Thanks in advance
This is pure mod_rewrite based solution:
RewriteRule ^(includes/|submit\.php) - [F,L,NC]
This will show forbidden error to use if URI contains certain paths.
You are getting a 500 error because the container cannot be used in an htaccess file (which is essentially all inside a directory container for the directory that it's in). What you need to do is remove the container from your htaccess file, and leave the Deny from all bit:
htaccess file in your document root:
Refuse direct access to all files
Order deny,allow
Deny from all
Allow from 127.0.0.1
Then create an htaccess file in the uploads/files/, uploads/images/pages/ and uploads/images/store/ (and whatever other directories that you want to allow access to):
Allow from all
put .htaccess and edit with "Deny from all".
That's it.
Excluding one or more directories from rewrite rules in .htaccess files seems to be a common question. However, my .htaccess does more than just set rewrite rules. I've also set some server changes (we don't have suPHP on this server) as well as set some prepending of some php files. For example these are a few examples:
# Make files ending in .php, .html and .xml files etc. parsed by php.
AddType application/x-httpd-php .php .html .xml .css .js .le .txt
<FilesMatch "\.html$">
php_value auto_prepend_file "/home/2427/spwebsites/www.spwebsites.co.uk/incs/phps/config.php"
</FilesMatch>
# Internal Server Error
ErrorDocument 500 /admin/errors.html?code=500
RewriteEngine On
RewriteRule ^([a-zA-Z0-9-]+)/$ $1.html [L]
I don't want any of these set for one directory (where my word press installation is), is there a way I can do this? Can I set a conditional statement for the whole .htaccess file?
Adding a blank .htaccess file in the word press directory won't work because this won't undo the settings in the parent directory.
I was just looking into your dilemma and it is a tricky one. It would be nice to be able to have the DirectoryMatch directive available in .htaccess ...
What you can try is to reset your values in the specific directory via another .htaccess file.
So in the case of the AddType perhaps, resetting it back to just ".php" might work (assuming it doesn't inherit the other values). Definitely not an ideal solution with out access to the main config file/ virtual host.
Here is a weird idea that you can try/test ... place the "wordpress" dir outside of the main root (or whereever you have the offending .htaccess file). Now route all requests to the wordpress (inner dir) to the outer dir. I wonder if Apache would not use the offending .htaccess considering the requests are being routed?
I have a directory on my webserver. It does not have an index page. so when u access the directory via a web browser it lists the files in it. Now i want to create a htaccess file that can block the directory listing so that when you access it via the web browser, the files in the directory would not be listed but would be able to access the files by appending the name of the file you wish to access to the url making it a full part to the file. Also the htaccess file should be able to restrict access from all but files with a particular extention. Thanks.
Options -Indexes
Order allow,deny
Deny from all
<Files "*.gif">
Allow from all
Deny from none
</Files>
You can turn off the file listing for a particular directory in the directory's .htaccess with
Options -Indexes
OR
You could just put an empty index.html file in the directory you want to protect.
In the .htaccess file in your directory just put
Options -Indexes
As stated before.
Edited to remove the wrong htaccess setting. Again sorry