htaccess: how to deny complete access to an existing directory? - apache

How can I deny access to a directory in .htaccess?
I don't mean directory listing, I mean everything that is inside the directory along with the directory itself? It should give a 503 or 404 error.
I am talking about /img-sys and /java-sys which apparently do not exist (I did not create them), but still give a white screen when accessed rather than a 404 error.

Put this at the top of your .htaccess file:
RewriteRule ^(img-sys|java-sys) - [R=404]

This will do it. It'll just fail with a 403 Forbidden HTTP response code. Stick that in your VirtualHost block:
<LocationMatch "/(img|java)-sys">
Order allow,deny
Deny from all
</LocationMatch>

Related

HTACCESS, render 404 instead of 403 upon wrong ip

Directory viewing would render 403 upon wrong ip:
order deny,allow
deny from all
allow from 111.222.333.444
Simple and clear, so lets move on...
then tried to gobble up some code to render 404 instead of 403:
order deny,allow
deny from all
allow from 111.222.333.444
RedirectMatch 404 ".*\/\..*"
And the above does not work, what have I missed?
SPECS
1. .htaccess is inside a subdir
2. file is executed by virtualhost
NB
And by rendering, I mean recieving headers vs visual trickery.
Mod_rewrite can solve your problem.
Add the following to your htaccess.
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^1.2.3.5$
RewriteRule ^ - [R=404,L]
Replace 1.2.3.5 with your ip address.

protect private folder htaccess

I recently started to use some MVC patterns
which make it necessary to have some htaccess settings
I need to deny access to the folder where I store some database passwords
I don't want to use just this :
Options -Indexes
because it return a message saying forbidden
but i need to redirect to a 404 page , so no one can know the file exists
as an idea I have this :
Options -MultiViews
RewriteBase /this folder/
RewrireRule ^(.*)$ 404.html [L]
but I dont know if it is safe or not
The easiest, safest and cleanest way to do this is to make a .htaccess file inside the folder you want to protect and write these three beautiful words.
deny from all
Additionally you can make a redirection to a 404 page. The denydirective will throw a 403 error that you can catch like this:
ErrorDocument 403 /404.html

How to allow specific ip to access subdirectory site with htaccess?

I need to allow only specific IPs to access my site (www.domain.com/mysite). In htaccess I put this code:
ErrorDocument 403 /error403.html
order deny,allow
deny from all
allow from 1.1.1.1
But it looks for error403.html in root folder instead of "mysite" folder. I tried with ErrorDocument 403 /mysite/error403.html still doesn't work. I tried with RewriteBase /mysite also doesn't work.
So you're telling apache to not allow access to everything in /mysite, then you're telling apache to send any 403's (which is the result of attempting to access something in /mysite) to load a page in /mysute. So of course this isn't going to work. You're probably going to need to make an exception for /mysite/error403.html:
SetEnvIfNoCase Request_URI ^/mysite/error403.html$ allow_ok
ErrorDocument 403 /mysite/error403.html
order deny,allow
deny from all
allow from 1.1.1.1
allow from env=allow_ok

Requests to .htaccess should return 404 instead of 403

This is sort of a follow-up to Is there a way to force apache to return 404 instead of 403? which suggested RedirectMatch to 404 to accomplish this.
It works perfectly fine for most of anything, however if I request:
http://example.com/.htaccess
I get a 403 and not a 404 if I have (or not) this in my .htaccess file:
RedirectMatch 404 ^/\.htaccess$
Is there a way to override the default 403 - Forbidden behavior of apache from inside the .htaccess file itself?
Just after I posted my question, I came to a solution towards the following:
Mimic the default server configuration's <Files> rules for .ht type of files.
Allow them.
Redirect them to 404.
Works like this:
<Files ~ "^\.ht">
Order Deny,Allow
Allow from all
Satisfy All
Redirect 404 /
</Files>

.htaccess can not/will not access /error/ directory

I'm trying to setup custom error pages.
I put the pages in /error/ in the document root. However, I think this may have a conflict as .htaccess can not access the file I specified.
I did set AllowOverride All in my apache config file.
If I go to /error/, a 403 error appears.
I can confirm that my .htaccess is being read, because if I enter some random text into the .htaccess, it will return a internal server error.
rewriting is enabled.
Here is my .htaccess
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
<Files .htaccess>
order allow,deny
deny from all
</Files>
ErrorDocument 404 /error/noexist.html
If I put the error page in the document root and set it in the htaccess, it will read fine.
The problem is that it can't read the contents of the /error/ directory.
/error/ is a directory, right? The default Apache configuration is to return a 403 Forbidden status when trying to access the root of a directory that does not contain an index page unless Options +Indexes is set, which will cause the server to automatically generate and show a list of files and subdirectories.
If you want the error page to show in this case, you could try adding the same ErrorDocument line with 404 changed to 403.
Did you set directory permissions?
<Directory "C:/path/to/htdocs/error">
Options FollowSymLinks
Order allow,deny
Allow from all
</Directory>
I think this requires access to Apache's httpd.conf, though. Do you have access to that?