i have almost 20 pages on server, but i want only a file named abc.php, which users can watch. i want if user forcefully open the other files like //example.com/some.php .htaccess shows 403 error.
<Files ~ "^(?!(changepwd|login|register|remind|securitycode|registersuggest)\.php$).*(\.php)$">
AuthName "Reserved Area"
AuthType Basic
AuthUserFile path_to/.htpasswd
AuthGroupFile path_to/.htgroup
Order Deny,allow
Require group allowed_groups
</Files>
this is the way i am currently using, but i think there can be more elegant solutions.
This .htaccess-file will only allow users to open index.php. Attempts to access any other files will result in a 403-error.
Order deny,allow
Deny from all
<Files "index.php">
Allow from all
</Files>
If you also want to use authentication for some of the files, you may simply add the content from your current file at the end of my example.
Its safest to move the files you don't want the users to access to a directory which is not in the root directory of the web server.
Like if the root directory of my site is this:
/var/www/html/my_web_site/public/index.php
I can put the non-public files in another directory like this:
/var/www/html/my_web_site/config.php
/var/www/html/my_web_site/auth.php
/var/www/html/my_web_site/db.php
And include the files like this in index.php:
include("../config.php");
include("../auth.php");
include("../db.php");
Whit this, you don't have to risk to accidentally delete or forget to copy the .htaccess file.
Related
Via htaccess, I would like to:
1 - Disallow everyone to access the site.
2 - Allow only 3 ips to pass through the ip ban.
3 - Leave 1 directory accessible fully to the public.
I understand the the rule number 3 goes against rule number 1, and this is where I am confused.
Currently I have this code:
<Files 403.shtml>
order deny,allow
deny from all
</Files>
allow from xxx.xxx.xxx.xx #Fred
allow from xxx.xxx.xxx.xxx #Ben
The above code works fine in not letting anyone in apart from my 3 coworkers.
<Directory /printing/>
Order Allow, Deny
Allow from All
</Directory>
The above code (when added) give me a 500 internal server error.
How to have a mix of both code so people can still access my directory publicly while blocking access to any other parts of the website?
You can't add a <Directory> container inside an htaccess file, since htaccess is already per-directory.
What you need to do is create an htaccess file in the printing directory with just:
Order Allow, Deny
Allow from All
We have enabled spelling mod by default on our server to avoid linking problems with html code done on Windows. Recently we added protection to our image folder to allow only images and documents of certain type to be accesible through htaccess by simple deny,allow and list of allowed types:
Order deny,allow
Deny from all
<Files ~ ".(jpe?g|png|gif|pdf)$">
Allow from all
</Files>
Problem is, that now images with wrong case in url, which are supposed to be corrected with mod-spelling, shows error (Forbidden access) instead of actual image. Any ideas how to correct this?
I hanv a htaccess file I block directories by
Options -Indexes
but I would like to allow admin directory. above code block admin directory too.
Second thing is some of hacker get all directory name of our site by search engine. if I disallow search engine for all secure directories in robots.txt file then hacker can read directories from robots.txt.
If I block .txt extention by
<FilesMatch "\.(htaccess|htpasswd|ini|txt|log|sh|inc|bak)$">
Order Allow,Deny
Deny from all
this htaccess code can search engine read my robots.txt file for other directories?
conclusion:
I would like to disallow all directories but allow admin directory. and also like to block secure directory from search engine.
I got answer for allow directory but second question not confirm that google can read or not.
You will need to password protect your /admin folder and turn on indexes in that folder. Add your protected files inside that folder. Google nor anyone else will be able to read them without the password you made and stored in .htpass.
For example /admin/.htaccess
AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpass
AuthType Basic
AuthName "Administration"
require valid-user
Options +Indexes
Read more about Apache Module mod_authn_file
I have a directory on my website that I need to make sure no one but myself can get into. From the reading I've done, it looks like there are two ways to protect a directory:
Password protect the directory using the .htaccess file
Deny access to all IP addresses but my own from accessing the directory, also using the .htaccess file
I need to protect the files in the directory as securely as possible, so I figured I'd use both of those methods for double protection.
Question 1: Am I missing anything? (i.e. is there another layer of protection I can add?)
Question 2: What would I need to put in a .htaccess file to get the above to work?
Your .htaccess file would contain:
AuthUserFile /usr/local/nate/safe_place/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Files"
AuthType Basic
require user nate
order deny, allow
deny from all
allow from 127.0.0.1
The .htaccess file goes in the directory you're trying to protect.
You also need a .htpasswd file (shown above as /usr/local/nate/safe_place/.htpasswd) which contains the text username:password_hash. So if we use "nate" as an example and "secret" as the password (please don't use that) you get:
nate:XmN6pwFyy3Il2
You can use this tool to generate your own password file: http://www.tools.dynamicdrive.com/password/
Just make sure that no one can read your .htpasswd file. Also note that basic authentication does no encryption by itself. If you're on an open network, anyone can see your password and all the secret data going over the network. Make sure you visit your site via https if it's really that secret.
You can read more about .htaccess files here:
http://www.javascriptkit.com/howto/htaccess.shtml
Assuming you're running Apache and have an AllowOverride directive permitting .htaccess files to use <Limit>, the following should be a good starting place for you:
<Limit GET>
Order deny,allow
Deny from all
Allow from IP_ADDRESS_HERE
</Limit>
More documentation on <Limit>: http://httpd.apache.org/docs/current/mod/core.html#limit
and for access control: http://httpd.apache.org/docs/2.2/howto/access.html
I have a directory on my webserver. It does not have an index page. so when u access the directory via a web browser it lists the files in it. Now i want to create a htaccess file that can block the directory listing so that when you access it via the web browser, the files in the directory would not be listed but would be able to access the files by appending the name of the file you wish to access to the url making it a full part to the file. Also the htaccess file should be able to restrict access from all but files with a particular extention. Thanks.
Options -Indexes
Order allow,deny
Deny from all
<Files "*.gif">
Allow from all
Deny from none
</Files>
You can turn off the file listing for a particular directory in the directory's .htaccess with
Options -Indexes
OR
You could just put an empty index.html file in the directory you want to protect.
In the .htaccess file in your directory just put
Options -Indexes
As stated before.
Edited to remove the wrong htaccess setting. Again sorry