Hi im trying to get some basic rules in htaccess working but not having much luck.
At the top of my file I want to block certain IP's and certain user agents so I have
## block specific IPs
Order Deny,Allow
Deny from 62.210.122.209
Deny from 109.184.114.247
## stop requests with user agent that includes these texts
BrowserMatchNoCase "xyz" bad_bot
Deny from env=bad_bot
this works fine on its own however I also need to stop all php scripts being accessed except for index.php and index2.php
## stop all php files from being accessed
<Files *.php>
deny from all
</Files>
## except for index and index2
<Files ~ "^index(2)?\.php$">
allow from all
</Files>
but once I add this I get partial access to the site even with my user agent containing xyz
/index.php is blocked
but
/administrator/index.php is still open to me
Found the answer .. simply use the environment variable setup in the first part to deny access under the files directive for index.php in the second.
Related
I'd like to use settings in my .htaccess-file to exclude certain files from being displayed.
For some files (here data/important.json) I want that even authenticated users are exceluded from viewing the content those files.
For other files (here showerror.php) I'd like to give access to everyone.
The .htaccess-file in my root directory contains:
SetEnvIf Request_URI ^/showerror.php noauth=1
#SetEnvIf Request_URI ^/data/important.json noway=1
Order Deny,Allow
Satisfy any
Deny from all
Require user TestUser
Allow from env=noauth
#Deny from env=noway
The .htaccess-File of the folder /data/ contains:
<Files "important.json">
#Order Allow,Deny
Deny from all
</Files>
It seems that the Satisfy any allows authenticated users to view the file. So is there a way to also exclude authenticated users from viewing the content of important.json?
You can simply overwrite the require of your root-.htaccess with the following require-setting in the .htaccess of your subdirectory:
Require all denied
Also see: https://httpd.apache.org/docs/current/upgrading.html
If you'd like to do this file by file, use:
<Files "important.json">
Require all denied
</Files>
I need to block access to a particular route in my web application using a .htaccess file for everyone except a list of IP's. When I say block and whitelist IP's I want to use the following on particular route
order deny,allow
deny from all
allow from 1.1.1.1
allow from 2.2.2.2
I tried using the Location directive, but it is not allowed in .htaccess.
I do not have access to the server config file since it is a managed hosting provider
The route I want to block is for eg: http://www.example.com/route1
Is there a way?
Thanks for the help in advance
You can definitely achieve this using multiple methods.
.htaccess files:
<files route1>
order deny,allow
deny from all
allow from my.ip.address
</files>
If you are looking at whitelisting multiple ip's I would suggest the follow method:
<Files myfile.php>
order deny,allow
deny from all
allow from env=allowip
#Office 1
#132.11.32.222
SetEnvIf X-FORWARDED-FOR "^132\.11\.32\.222" allowip
#Office 2
#142.11.32.222
SetEnvIf X-FORWARDED-FOR "^142\.11\.32\.222" allowip
</Files>
A short explanation of what I'm doing is: I need to automatically create virtualhosts for each ip address on my machine, make it point to the vsftpd user directory (/home/xxx) and deny any kind of scripts from being executed.
I want to stop any kind of webpages and especially PHP scripts from being executed, because it would post a huge security risk(apache is sudo). The purpose of this virtualhost is purely to serve game resource files, extentions like .wav , .mdl , .tga , .spr and so on.
I searched around and found this
deny from all
<filesmatch "\.(avi¦wmv¦mpg¦mov)$">
Allow from all
</filesmatch>
But this is .htaccess content. How can I implement this functionality of only allowing certain extentions inside my httpd.conf file? It would be a pain to make it use .htaccess, and a risk because users might edit them.
Please refrain from any comments unrelated to my question, such as "sudo apache? you're a dumbass" and so on.
There is no such thing as .htaccess only content. The is a huge misconception. Most of time you do NOT want to use .htaccess and Apache recommends that you not use it unless necessary. Apache rules can always be put in the server config.
When not to use .htaccess
Now you can put that in your VirtualHost directive. The same location where your document root is defined.
The FilesMatch directive can be used in these context.
Context: server config, virtual host, directory, .htaccess
http://httpd.apache.org/docs/current/mod/core.html#filesmatch
So in your vhost file you can add a Directory directive like this example.
<Directory /path/to/documentroot/>
Deny from all
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Allow from all
</FilesMatch>
</Directory>
If you are using Apache 2.4 then you need to use Require.
<Directory /path/to/documentroot/>
Require all denied
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Require all granted
</FilesMatch>
</Directory>
I am using following syntax to block some IPs from my .htaccess file:
DirectoryIndex index.php
order allow,deny
deny from 17.18.19.0
deny from 18.17.19.1
allow from all
and now I am not sure if I can even use this:
DirectoryIndex index.php
order allow,deny
deny from 18.17.19.1
allow from all
deny from 18.15.19.1
allow from all
deny from 18.18.19.1
allow from all
so can I just repeate this structure?
deny from x.x.x.x
allow from all
why I am asking? Because I found php script that just Append deny from at the end of file and I am not sure if I need " allow from all" line.
can it be just like this?
DirectoryIndex index.php
order allow,deny
allow from all
deny from 17.18.19.0
deny from 18.17.19.1
deny from ... etc.
First of all, this documentation page does a good job explaining things.
The following quote comes from mod_authz_host's documentation
The Order directive, along with the Allow and Deny directives,
controls a three-pass access control system. The first pass processes
either all Allow or all Deny directives, as specified by the Order
directive. The second pass parses the rest of the directives (Deny or
Allow). The third pass applies to all requests which do not match
either of the first two.
Note that all Allow and Deny directives are processed, unlike a
typical firewall, where only the first match is used. The last match
is effective (also unlike a typical firewall). Additionally, the order
in which lines appear in the configuration files is not significant --
all Allow lines are processed as one group, all Deny lines are
considered as another, and the default state is considered by itself.
In other words, if you have Order Allow,Deny, it will first process all Allow directives, then all Deny directives. You can probably figure out that it doesn't matter if you have 1 Allow from all or 100 Allow from all directives. The final result is the same, but with 100 of those directives your server will need more time processing. It will then process all deny directives and overwrite the permission you just gave if needed.
Therefore, you just need one Order Allow,Deny directive and only one Allow from all directive. Whatever script you are using can then just append Deny directives as it sees fit and all will work as expected.
I'm trying to deny users from accessing the site/includes folder by manipulating the URL.
I don't know if I have to deny everything and manually make individual exceptions to allow, if I can just deny this one folder, or if there's a rewrite function that can be used.
Specific example: I don't want to see the directory files by typing in localhost/site/includes into the URL.
Create site/includes/.htaccess file and add this line:
Deny from all
You can also deny access to a folder using RedirectMatch
Add the following line to htaccess
RedirectMatch 403 ^/folder/?$
This will return a 403 forbidden error for the folder ie : http://example.com/folder/ but it doest block access to files and folders inside that folder, if you want to block everything inside the folder then just change the regex pattern to ^/folder/.*$ .
Another option is mod-rewrite
If url-rewrting-module is enabled you can use something like the following in root/.htaccss :
RewriteEngine on
RewriteRule ^folder/?$ - [F,L]
This will internally map a request for the folder to forbidden error page.
In an .htaccess file you need to use
Deny from all
Put this in site/includes/.htaccess to make it specific to the includes directory
If you just wish to disallow a listing of directory files you can use
Options -Indexes
We will set the directory to be very secure, denying access for all file types. Below is the code you want to insert into the .htaccess file.
Order Allow,Deny
Deny from all
Since we have now set the security, we now want to allow access to our desired file types. To do that, add the code below to the .htaccess file under the security code you just inserted.
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
your final .htaccess file will look like
Order Allow,Deny
Deny from all
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Source from Allow access to specific file types in a protected directory
You can create a .htaccess file for the folder, wich should have denied access with
Deny from all
or you can redirect to a custom 404 page
Redirect /includes/ 404.html
Just put .htaccess into the folder you want to restrict
## no access to this folder
# Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
Source: MantisBT sources.
Creating index.php, index.html, index.htm is not secure. Becuse, anyone can get access on your files within specified directory by guessing files name. E.g.: http://yoursite.com/includes/file.dat
So, recommended method is creating a .htaccess file to deny all visitors ;). Have fun !!
You can also put this IndexIgnore * at your root .htaccess file to disable file listing of all of your website directories including sub-dir
On Apache 2.4 you can use an Apache <If> expression in the root .htaccess file to block direct access to this specific subdirectory and everything within it.
For example:
<If "%{REQUEST_URI} =~ m#^/site/includes($|/)#">
Require all denied
</If>
You can do this dynamically that way:
mkdir($dirname);
#touch($dirname . "/.htaccess");
$f = fopen($dirname . "/.htaccess", "w");
fwrite($f, "deny from all");
fclose($f);
For some reasons which I did not understand, creating folder/.htaccess and adding Deny from All failed to work for me. I don't know why, it seemed simple but didn't work, adding RedirectMatch 403 ^/folder/.*$ to the root htaccess worked instead.