A short explanation of what I'm doing is: I need to automatically create virtualhosts for each ip address on my machine, make it point to the vsftpd user directory (/home/xxx) and deny any kind of scripts from being executed.
I want to stop any kind of webpages and especially PHP scripts from being executed, because it would post a huge security risk(apache is sudo). The purpose of this virtualhost is purely to serve game resource files, extentions like .wav , .mdl , .tga , .spr and so on.
I searched around and found this
deny from all
<filesmatch "\.(avi¦wmv¦mpg¦mov)$">
Allow from all
</filesmatch>
But this is .htaccess content. How can I implement this functionality of only allowing certain extentions inside my httpd.conf file? It would be a pain to make it use .htaccess, and a risk because users might edit them.
Please refrain from any comments unrelated to my question, such as "sudo apache? you're a dumbass" and so on.
There is no such thing as .htaccess only content. The is a huge misconception. Most of time you do NOT want to use .htaccess and Apache recommends that you not use it unless necessary. Apache rules can always be put in the server config.
When not to use .htaccess
Now you can put that in your VirtualHost directive. The same location where your document root is defined.
The FilesMatch directive can be used in these context.
Context: server config, virtual host, directory, .htaccess
http://httpd.apache.org/docs/current/mod/core.html#filesmatch
So in your vhost file you can add a Directory directive like this example.
<Directory /path/to/documentroot/>
Deny from all
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Allow from all
</FilesMatch>
</Directory>
If you are using Apache 2.4 then you need to use Require.
<Directory /path/to/documentroot/>
Require all denied
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Require all granted
</FilesMatch>
</Directory>
I have a working Magento shop online. I'm trying to make it run locally as a copy for testing purposes. Everything works, except the url rewriting. I've already added the AllowOverride All option to my httpd config file, as everyone here suggested.
<Directory />
Options FollowSymLinks
AllowOverride All
Order deny,allow
Deny from all
</Directory>
I also have RewriteEngine on in my .htaccess file (same htaccess as the online website). Still I'm getting the index.php 404 error on every other page than the homepage. http://www.example.com/index.php/randompage however does work. What's also strange is that the same configuration works for developer, but not for me. So it must be something apache specific I guess.
I've tried a lot of given suggestions in similar topics but nothing worked :(
Running macosx 10.9.5
I'm out of ideas. Thanks in advance!
You must have mod_rewrite enabled for apache.
Run a2enmod rewrite and then /etc/init.d/apache2 restart
You can try setting the RewriteBase parameter which may fix the issue.
In the .htaccess file in your Magento root on your local machine, look for the following:
#RewriteBase /magento/
Change it to
RewriteBase /
I'm trying to deny users from accessing the site/includes folder by manipulating the URL.
I don't know if I have to deny everything and manually make individual exceptions to allow, if I can just deny this one folder, or if there's a rewrite function that can be used.
Specific example: I don't want to see the directory files by typing in localhost/site/includes into the URL.
Create site/includes/.htaccess file and add this line:
Deny from all
You can also deny access to a folder using RedirectMatch
Add the following line to htaccess
RedirectMatch 403 ^/folder/?$
This will return a 403 forbidden error for the folder ie : http://example.com/folder/ but it doest block access to files and folders inside that folder, if you want to block everything inside the folder then just change the regex pattern to ^/folder/.*$ .
Another option is mod-rewrite
If url-rewrting-module is enabled you can use something like the following in root/.htaccss :
RewriteEngine on
RewriteRule ^folder/?$ - [F,L]
This will internally map a request for the folder to forbidden error page.
In an .htaccess file you need to use
Deny from all
Put this in site/includes/.htaccess to make it specific to the includes directory
If you just wish to disallow a listing of directory files you can use
Options -Indexes
We will set the directory to be very secure, denying access for all file types. Below is the code you want to insert into the .htaccess file.
Order Allow,Deny
Deny from all
Since we have now set the security, we now want to allow access to our desired file types. To do that, add the code below to the .htaccess file under the security code you just inserted.
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
your final .htaccess file will look like
Order Allow,Deny
Deny from all
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Source from Allow access to specific file types in a protected directory
You can create a .htaccess file for the folder, wich should have denied access with
Deny from all
or you can redirect to a custom 404 page
Redirect /includes/ 404.html
Just put .htaccess into the folder you want to restrict
## no access to this folder
# Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
Source: MantisBT sources.
Creating index.php, index.html, index.htm is not secure. Becuse, anyone can get access on your files within specified directory by guessing files name. E.g.: http://yoursite.com/includes/file.dat
So, recommended method is creating a .htaccess file to deny all visitors ;). Have fun !!
You can also put this IndexIgnore * at your root .htaccess file to disable file listing of all of your website directories including sub-dir
On Apache 2.4 you can use an Apache <If> expression in the root .htaccess file to block direct access to this specific subdirectory and everything within it.
For example:
<If "%{REQUEST_URI} =~ m#^/site/includes($|/)#">
Require all denied
</If>
You can do this dynamically that way:
mkdir($dirname);
#touch($dirname . "/.htaccess");
$f = fopen($dirname . "/.htaccess", "w");
fwrite($f, "deny from all");
fclose($f);
For some reasons which I did not understand, creating folder/.htaccess and adding Deny from All failed to work for me. I don't know why, it seemed simple but didn't work, adding RedirectMatch 403 ^/folder/.*$ to the root htaccess worked instead.
How do I disable single option override in specific folder in Apache? I'd like to force DirectoryIndex value in specific folder, so DirectoryIndex option in .htaccess of that folder will be ignored. I'd expect configuration should look somehow similar, but neither works:
<Directory "/home/me/www/symfonyProject1">
DirectoryIndex app_dev.php
AllowOverride -Indexes
</Directory>
or this
<Directory "/home/me/www/symfonyProject1">
DirectoryIndex app_dev.php
AllowOverride Options=-DirectoryIndex
</Directory>
Is this even possible? How could I achieve that?
Using: Apache/2.2.8 (Win32) & Windows 7 x64
The only possiblility, even though it is definitely not kosher, is to let .htaccess be ignored by versioning system locally. Then you can change as you wish to adapt you instance.
In case you need to change original .htaccess, you must do following (for GIT):
backup your modified .htaccess file
Comment out line .htaccess in file .git/info/exclude
do git checkout -- .htaccess to retrieve original file
modifiy and commit changes
Uncomment .htaccess line in .git/info/exclude
Copy modified .htaccess from backup to working tree
I did not get this working with the <Directory> tag in httpd.conf but it was working if I did the following:
In /home/me/www/symfonyProject1 create a .htaccess file and put DirectoryIndex app_dev.php in it.
This should work as long as you AllowOverride All (Or more narrow if needed) in the parent configuration.
I'm wondering how to forbid access to the all directories except one using .htaccess file.
The construction like
<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory /folder>
Order Deny,Allow
Allow from all
</Directory>
raises Error 500. It can be put only in apache conf file, right? Or I'm doing something wrong?
The Directory directive may not be used in a .htaccess file (see the Context section of the Directory docs). From within a .htaccess file you can use Files or FilesMatch as a section container, or mod_rewrite. Assuming you're allowed to use mod_rewrite (and you have a good reason for using a .htaccess file in the first place, like say, you're not the server admin):
RewriteEngine On
RewriteRule !folder [F]
In principal this answers your question. It's more likely though that your situation is more complicated than you're letting on.
http://httpd.apache.org/docs/2.2/mod/core.html#directory
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
http://httpd.apache.org/docs/2.2/sections.html
BTW, this question probably belongs on serverfault.com