Deny access to one specific folder in .htaccess - apache

I'm trying to deny users from accessing the site/includes folder by manipulating the URL.
I don't know if I have to deny everything and manually make individual exceptions to allow, if I can just deny this one folder, or if there's a rewrite function that can be used.
Specific example: I don't want to see the directory files by typing in localhost/site/includes into the URL.

Create site/includes/.htaccess file and add this line:
Deny from all

You can also deny access to a folder using RedirectMatch
Add the following line to htaccess
RedirectMatch 403 ^/folder/?$
This will return a 403 forbidden error for the folder, i.e. http://example.com/folder/, but it doesn't block access to files and folders inside that folder. If you want to block everything inside the folder, then just change the regex pattern to ^/folder/.*$ .
Another option is mod-rewrite
If url-rewriting-module is enabled you can use something like the following in root/.htaccess :
RewriteEngine on
RewriteRule ^folder/?$ - [F,L]
This will internally map a request for the folder to forbidden error page.

In an .htaccess file you need to use
Deny from all
Put this in site/includes/.htaccess to make it specific to the includes directory
If you just wish to disallow a listing of directory files you can use
Options -Indexes

We will set the directory to be very secure, denying access for all file types. Below is the code you want to insert into the .htaccess file.
Order Allow,Deny
Deny from all
Since we have now set the security, we now want to allow access to our desired file types. To do that, add the code below to the .htaccess file under the security code you just inserted.
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Your final .htaccess file will look like
Order Allow,Deny
Deny from all
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Source from Allow access to specific file types in a protected directory

You can create a .htaccess file for the folder, which should have denied access with
Deny from all
or you can redirect to a custom 404 page
Redirect /includes/ 404.html

Just put .htaccess into the folder you want to restrict
## no access to this folder
# Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
Source: MantisBT sources.

Creating index.php, index.html, index.htm is not secure. Because anyone can get access to your files within the specified directory by guessing file names. E.g.: http://yoursite.com/includes/file.dat
So, recommended method is creating a .htaccess file to deny all visitors ;). Have fun !!

You can also put this IndexIgnore * at your root .htaccess file to disable file listing of all of your website directories including sub-dir

On Apache 2.4 you can use an Apache <If> expression in the root .htaccess file to block direct access to this specific subdirectory and everything within it.
For example:
<If "%{REQUEST_URI} =~ m#^/site/includes($|/)#">
Require all denied
</If>
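
The RedirectMatch patterns from the earlier answer and the <If> pattern above differ in which request paths they cover. As an added example (not part of any answer on this page), this Python script runs each regex over constructed paths and lists what each rule misses. The <If> pattern is adapted from /site/includes to /folder so the three can be compared, and the function names are hypothetical.

```python
import re

# Patterns quoted from the answers above. Apache searches the URL-path with
# these regexes; Python's re.search gives the same result for them.
RULES = {
    "RedirectMatch ^/folder/?$":  r"^/folder/?$",
    "RedirectMatch ^/folder/.*$": r"^/folder/.*$",
    "<If> ^/folder($|/)":         r"^/folder($|/)",  # adapted from /site/includes
}

# Constructed request paths (not from the page).
SAMPLE_PATHS = [
    "/folder",
    "/folder/",
    "/folder/config.inc",
    "/folder/sub/data.txt",
    "/folder-old/readme.txt",
    "/other/folder/",
]

def denied_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths the regex matches, i.e. those the rule answers with 403."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

def coverage_gaps(pattern, protected_prefix="/folder", paths=SAMPLE_PATHS):
    """Return paths at or under the protected directory that the regex misses."""
    inside = [p for p in paths
              if p == protected_prefix or p.startswith(protected_prefix + "/")]
    hit = set(denied_paths(pattern, paths))
    return [p for p in inside if p not in hit]

if __name__ == "__main__":
    for label, pattern in RULES.items():
        print(label)
        print("  denied:", denied_paths(pattern))
        print("  missed:", coverage_gaps(pattern))
```

The output reflects regex matching only; it does not model any other handling the server applies to the request.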

You can do this dynamically that way:
mkdir($dirname);
#touch($dirname . "/.htaccess");
$f = fopen($dirname . "/.htaccess", "w");
fwrite($f, "deny from all");
fclose($f);

For some reasons which I did not understand, creating folder/.htaccess and adding Deny from All failed to work for me. I don't know why, it seemed simple but didn't work, adding RedirectMatch 403 ^/folder/.*$ to the root htaccess worked instead.

Related

Which folder to add a public accessible file in yii-framework?

I need to upload a public accessible file in yii installation which I can access from url. This is domain verification file. I've uploaded it in /frontend/web folder but it's not accessible directly via url mydomain.com/file.txt
As pointed out below, .htaccess file may be preventing this file to be accessible. Can anyone let me know how to write rule in .htaccess file to allow it?
This might help
<Files *.*>
Order Deny,Allow
Deny from all
</Files>
<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif|.*\.jpeg|.*\.ttf">
Allow from all
</Files>
If you get the following error.
You don't have permission to access /frontend/web/ on this server.
Then, add the following rule in your .htaccess
<Directory "/path/to/frontend/web/">
Options +Indexes
Allow from all
</Directory>
Here the documentation about Apache .htaccess permissions
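
As an added example (not part of the answer above), this Python script checks which file names the <Files ~ ...> allow-list regex from the answer matches, next to a fully anchored variant. The anchored pattern, the assumed intent behind it, the sample file names and the function names are all constructed for illustration.

```python
import re

# Allow-list regex quoted from the <Files ~ ...> block in the answer above.
PAGE_ALLOW = r"^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif|.*\.jpeg|.*\.ttf"

# Assumed intent (not stated on the page): index.php plus files whose
# extension is one of the listed types. One group, anchored at both ends.
ANCHORED_ALLOW = r"^(index\.php|.*\.(css|js|png|jpg|gif|jpeg|ttf))$"

# Constructed file names; <Files> tests the base name of the file only.
SAMPLE_FILES = [
    "index.php", "site.css", "app.js", "logo.png",
    "index.php.bak", "jsmith-notes.txt", "logo.png.orig", "settings.ini",
]

def allowed(pattern, names=SAMPLE_FILES):
    """Return the names the regex matches anywhere, as an unanchored search."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]

def extra_allowed(loose, strict, names=SAMPLE_FILES):
    """Return names the loose pattern allows but the strict one does not."""
    strict_hits = set(allowed(strict, names))
    return [n for n in allowed(loose, names) if n not in strict_hits]

if __name__ == "__main__":
    print("page pattern allows:    ", allowed(PAGE_ALLOW))
    print("anchored pattern allows:", allowed(ANCHORED_ALLOW))
    print("allowed only by page pattern:",
          extra_allowed(PAGE_ALLOW, ANCHORED_ALLOW))
```

In the page's pattern the ^ applies only to the first alternative, so css, js and the extension alternatives match anywhere in the name.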

How to add .htaccess rules inside <VirtualHost> or inside the httpd.conf file

A short explanation of what I'm doing is: I need to automatically create virtualhosts for each ip address on my machine, make it point to the vsftpd user directory (/home/xxx) and deny any kind of scripts from being executed.
I want to stop any kind of webpages and especially PHP scripts from being executed, because it would pose a huge security risk (apache is sudo). The purpose of this virtualhost is purely to serve game resource files, extensions like .wav, .mdl, .tga, .spr and so on.
I searched around and found this
deny from all
<filesmatch "\.(avi|wmv|mpg|mov)$">
Allow from all
</filesmatch>
But this is .htaccess content. How can I implement this functionality of only allowing certain extensions inside my httpd.conf file? It would be a pain to make it use .htaccess, and a risk because users might edit them.
Please refrain from any comments unrelated to my question, such as "sudo apache? you're a dumbass" and so on.
There is no such thing as .htaccess only content. This is a huge misconception. Most of the time you do NOT want to use .htaccess and Apache recommends that you not use it unless necessary. Apache rules can always be put in the server config.
When not to use .htaccess
Now you can put that in your VirtualHost directive. The same location where your document root is defined.
The FilesMatch directive can be used in these contexts.
Context: server config, virtual host, directory, .htaccess
http://httpd.apache.org/docs/current/mod/core.html#filesmatch
So in your vhost file you can add a Directory directive like this example.
<Directory /path/to/documentroot/>
Deny from all
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Allow from all
</FilesMatch>
</Directory>
If you are using Apache 2.4 then you need to use Require.
<Directory /path/to/documentroot/>
Require all denied
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Require all granted
</FilesMatch>
</Directory>

.htaccess absolute block using BrowserMatchNoCase

Hi, I'm trying to get some basic rules in htaccess working but not having much luck.
At the top of my file I want to block certain IPs and certain user agents so I have
## block specific IPs
Order Deny,Allow
Deny from 62.210.122.209
Deny from 109.184.114.247
## stop requests with user agent that includes these texts
BrowserMatchNoCase "xyz" bad_bot
Deny from env=bad_bot
This works fine on its own; however, I also need to stop all php scripts being accessed except for index.php and index2.php
## stop all php files from being accessed
<Files *.php>
deny from all
</Files>
## except for index and index2
<Files ~ "^index(2)?\.php$">
allow from all
</Files>
but once I add this I get partial access to the site even with my user agent containing xyz
/index.php is blocked
but
/administrator/index.php is still open to me
Found the answer .. simply use the environment variable setup in the first part to deny access under the files directive for index.php in the second.

Set directory index to .html file in Apache2

I have a Debian web-server with Apache2 installed and need to set DirectoryIndex in one directory to a .html file (exactly this name - .html). But when I try to open the page from a browser it sends a 403 error.
I've changed apache2.conf (set to allow .ht files), I placed a .htaccess file in the directory and set in it:
DirectoryIndex .html index.php index.html
AllowOverride All
Order Deny,Allow
Allow from all
But it still does not work and displays a 403 error. What am I doing wrong and what did I forget to do?
The correct answer is:
<FilesMatch "^\.html">
Order deny,allow
</FilesMatch>
DirectoryIndex .html
Sounds like you have a rule somewhere in your apache file that denies access to files starting with a dot. This is generally a Good Thing, as a lot of sensitive files start with dots (i.e.: .htaccess, .svn, .git, .htpasswd, etc etc).
You might be able to get around the issue with something like this:
<FilesMatch "^\.html">
Order allow,deny
Allow from all
</FilesMatch>
Disclaimer: This seems like a hack. I don't know what you're trying to do, but there's probably a cleaner, less error prone way to do it.

forbid access to the all directories except one using .htaccess

I'm wondering how to forbid access to the all directories except one using .htaccess file.
The construction like
<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory /folder>
Order Deny,Allow
Allow from all
</Directory>
raises Error 500. It can be put only in apache conf file, right? Or I'm doing something wrong?
The Directory directive may not be used in a .htaccess file (see the Context section of the Directory docs). From within a .htaccess file you can use Files or FilesMatch as a section container, or mod_rewrite. Assuming you're allowed to use mod_rewrite (and you have a good reason for using a .htaccess file in the first place, like say, you're not the server admin):
RewriteEngine On
RewriteRule !folder [F]
In principle this answers your question. It's more likely though that your situation is more complicated than you're letting on.
http://httpd.apache.org/docs/2.2/mod/core.html#directory
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
http://httpd.apache.org/docs/2.2/sections.html
BTW, this question probably belongs on serverfault.com