protect private folder htaccess - apache

I recently started to use some MVC patterns
which make it necessary to have some htaccess settings
I need to deny access to the folder where I store some database passwords
I don't want to use just this :
Options -Indexes
because it return a message saying forbidden
but i need to redirect to a 404 page , so no one can know the file exists
as an idea I have this :
Options -MultiViews
RewriteBase /this folder/
RewrireRule ^(.*)$ 404.html [L]
but I dont know if it is safe or not

The easiest, safest and cleanest way to do this is to make a .htaccess file inside the folder you want to protect and write these three beautiful words.
deny from all
Additionally you can make a redirection to a 404 page. The denydirective will throw a 403 error that you can catch like this:
ErrorDocument 403 /404.html

Related

Want empty folder to return 404 instead of 403

I use the following code in my httpd.conf file to block unwanted bots and visitors (e.g. hitting non existing wp-login pages):
SetEnvIf User-Agent BadBot GoAway=1
Order allow,deny
Allow from all
Deny from env=GoAway
This will give them a 403 Forbidden error. On my custom 403 page I save the IP's to a database for permanent blocking / disabling them from using contact forms etc.
This is working very well. However I noticed that some users are being blocked because they visited an empty folder. This is unwanted.
Using Options -Indexes I have prevented directory viewing but this will also output a 403 Forbidden error.
Question: How to serve and display a 404 error when visiting an empty folder instead of a 403?
Since you appear to have access to httpd.conf then you can do something like the following in a server config or virtualhost context:
RewriteEngine On
RewriteCond %{LA-U:REQUEST_FILENAME} -d
RewriteRule /. - [R=404]
Alternatively, near the top of your .htaccess file (since you've tagged your question .htaccess), include the following (this will also work in a directory context):
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . - [R=404]
The purpose of the pattern /. (or .) is to prevent a 404 being served for the document root.
Depending on where you define your custom ErrorDocument, you may get a different 404 response for each method.
Alternatively, in your custom 403, perform the same check for the "BadBot" and only log the entry if there is a match. Or, only log the entry when the request does not map to a directory.

.htaccess prevent folder access that are subdomains

in my webhost every time I create a new subdomain it creates a public-access folder in my html_public folder, and I want to block the access to those folders with a fake 404 error (using the default one if it's possible, I'm using this to set the default 404 error: ErrorDocument 404 /404.php) but allowing to access if it is the subdomain.
For example:
http://www.mydomain.com/blog/ -> Should show a 404 Not found error
http://blog.mydomain.com -> Should allow the user to access
Both of them are the same folder html_public/blog
I tried to add a .htaccess file in blog folder with this code:
order deny,allow
deny from all
But it does not allow the access (logic), it does not matters if it is folder or subdomain.
And this one:
RewriteRule ^blog/* /404.php
But like other, it redirects all to a 404 error, instead of only the direct access to the folder and allowing the access to the subdomain.
Note: I saw other questions that redirects from folder to subdomain, I need to show a 404 error.
Can someone help me?
Thanks in advanced.
Try:
RewriteCond %{HTTP_HOST} ^(www\.)?mydomain\.com$ [NC]
RewriteRule ^blog/ /404.php [L,R=404]

Sending access is denied error using htaccess on apache for all files but a certain one

I have a folder containing various .php files, and I want to prevent direct access to them, BUT to index.php.
This is what I got so far, and it appears working:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond $1 !^(index\.php)
RewriteRule ^(.*)$ /403.php/$1 [R=403]
</IfModule>
Is this the correct way to do it? Also note that 403.php doesn't actually exist among the files I have in the folder.
EDIT: to better clarify what I'm trying to do -- I have a folder (we can assume named "includes") containing an index.php file, and various other files which are included by index.php.
I don't want users / malicious bots / whoever to be able to directly access anything in "includes" other than index.php.
In case they reach anything else (regardless whether the file exists or not), I want to send to the browser a 403 - Access Denied HTTP response code.
The correct way is to use the F flag, which simply returns a 403 forbidden and you can use - as the target which just means "do nothing and let the URI pass through unchanged":
RewriteEngine on
RewriteCond $1 !^(index\.php)
RewriteRule ^(.*)$ - [L,F]
Or you can try combining the condition with the rule:
RewriteEngine on
RewriteRule !index\.php$ - [L,F]
You can either create an error page. Actually, some control panels have an application that will allow their user to create an SSI-enabled 403 (Forbidden) page with .shtml file extension. In cPanel that app. is entitled with "Error Pages" which were found in the "Advanced" section, and the 403 page will be going to saved in 403.shtml basename. If you didn't found such kind of app., you can manually create an SSI-enabled HTML file, only if your server is configured to allow this. If it's not possible, you can still use another extension.
So, the more correct way is to remap the existed error page, such like this:
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteRule ^(.*) /403.shtml
But anyway, what are you trying to do?

Rewrite url rules in .htaccess inside a directory

I'm trying to use rewrite url rules using a .htaccess file. This seems to work fine in my main .htaccess file (only works for php pages which exist in same directory), but when I want to use another .htaccess for php file inside a subdirectory the rules don't apply at all and I get a 404 error page.
The file I want to point to is /news/story.php. story.php requests an integer variable called 'article' to fetch the article from database and display it.
So basically what I want to do is replace http://www.mydomain.com/news/story.php?article=1
with http://www.mydomain.com/news/story/article/1/
I'm using the following rules in the .htaccess file which is inside the 'news' directory.
# For security reasons, Option followsymlinks cannot be overridden.
#Options +FollowSymLinks
Options +SymLinksIfOwnerMatch
RewriteEngine on
RewriteRule story/article/(.*)/ story.php?article=$1
RewriteRule story/article/(.*) story.php?article=$1
Thanks for your help
RewriteRule story/article/(.*)/ news/story.php?article=$1
RewriteRule story/article/(.*) news/story.php?article=$1

htaccess: how to deny complete access to an existing directory?

How can I deny access to a directory in .htaccess?
I don't mean directory listing, I mean everything that is inside the directory along with the directory itself? It should give a 503 or 404 error.
I am talking about /img-sys and /java-sys which apparently do not exist (I did not create them), but still give a white screen when accessed rather than a 404 error.
Put this at the top of your .htaccess file:
RewriteRule ^(img-sys|java-sys) - [R=404]
This will do it. It'll just fail with a 403 Forbidden HTTP response code. Stick that in your VirtualHost block:
<LocationMatch "/(img|java)-sys">
Order allow,deny
Deny from all
</LocationMatch>