I have a folder with a lot of .php files. I would like to deny access to them (using .htaccess). I know an option is to move this folder outside public_html, but this is not possible in this situation.
Is is possible to block access to a whole folder?
Add this to the .htaccess file:
order deny,allow
deny from all
Apache 2.4 now uses a different way to do this so the method that works for Apache 2.2 will not work. See below for the method that will work for Apache 2.4. Place this in your Apache .htaccess file or better yet in a <Directory> directive in the Apache .conf file for your site.
Using .htaccess:
If using Apache 2.2:
order deny,allow
deny from all
If using Apache 2.4 use:
Require all denied
Using Apache Configuration files:
Instead of using a .htaccess file, it is usually preferred to place the configuration directly in your Apache .conf file as follows:
<Directory "/var/www/mysite">
Require all denied
</Directory>
Or if using a virtual host:
<VirtualHost *:80>
### Other configuration here ###
<Directory "/var/www/mysite">
Require all denied
</Directory>
### Other configuration here ###
</VirtualHost>
Of course the above configurations are examples, and you will need to adjust according to your requirements.
Create .htaccess file inside the desired folder with the following contents:
Deny from all
Edit apache2.conf or httpd.conf, whatever you find in Apache2 directory (probably located in /etc/apache2). You'll need to edit/check the following:
AllowOverride ALL (in the related <Directory> tag)
AccessFileName .htaccess
Edit your site's configuration file only in case you have a <Directory> tag specified inside it and add the following line:
AllowOverride ALL
Restart your Apache2 server
service apache2 restart
The above steps are all meant for Linux environments. The same instructions would work well for Windows environments except for the paths and the server restart command.
Reference: http://www.cyberciti.biz/faq/apache-htaccess/
Just add a .htaccess file with the code Deny from all to the folder.
More info at http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
Related
I'm running Apache 2.2 (on OS 10.9 Mavericks) and have a directory on my NAS (My Cloud EX2100) that I would like to set up with as an aliased web site.
To do so, I've created a .conf file (I called it aliases.conf) in /private/etc/apache2/other (Note that the httpd.conf has Include /private/etc/apache2/other/*.conf added to it).
In my aliases.conf I have
Alias /foo /Volumes/bar/
<Directory "/Volumes/bar">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
I then restart apache and open a browser to go to http://localhost/foo, but I get the error message
Forbidden
You don't have permission to access /foo on this server.
How do I give Apache access to the shared/aliased directory that is on the NAS?
Make sure that the apache user has read permissions to your NAS folder.
Furthermore switch the order of allow and deny to Order deny,allow
I don't know if you have any index files. But if you would like to browse through your directories you have to modify your options entry to: Options FollowSymLinks Idexes
Then restart your apache and try again.
I have a problem in configuring my Apache. This litte indian is something headstrong.
My Application is located under /var/www/myapp/
There are 3 Elements:
./index.cgi - a python cgi script correctly working
./Application/ - a directory, which should be not public. contains include packages for index.cgi
./Public/ - a directory, public. contains javascripts, css files, images e.q.
My current VirtualHost configuration looks like:
DocumentRoot /var/www/myapp/
Alias /Public/* "/var/www/myapp/Public/*"
<Location "/myapp/*">
Options FollowSymLinks
Order allow,deny
Allow from all
</Location>
ScriptAlias "/index.cgi" "/var/www/myapp/index.cgi"
So /Public is public as wished, index.cgi runs. But: /Application is accessible. How do I lock this directory?
Second thing is: index.cgi should run, when I call www.mydomain.com/ or www.mydomain.com/index.cgi. Nothing else but URI parameters. How do I do that?
Thanks in advance,
BigM
You can verify the permissions in the files, but I think that the problem is that you don't have an alias for the Application folder in your Apache Configuration File.
Here is my directory structure
root
private
public
Using .htaccess and/or httpd.conf, I want to limit access to the private folder to only code executed from the root folder. So, no external access to anything in the private folder. Honestly, I have tried a lot of options, but nothing seems to work.
My test environment is XAMPP - installed on my local machine.
EDIT
One of the issues I encountered was using the wrong directory path. I created a simple PHP page with just phpinfo()
<?php
phpinfo();
?>
In the PHP Variables section, I looked for _SERVER["CONTEXT_DOCUMENT_ROOT"]. I used this for the directory path and then added private (the folder in the root that I wanted to limit access to). Thus, my completed code in the httpd.conf is below:
<Directory "E:/xampp/htdocs/home/private">
Order deny,allow
Deny from all
</Directory>
Using Order deny,allow and Deny from all should be already sufficient
Order deny,allow
Deny from all
If you put this in a .htaccess in the private folder, all access from outside will be prohibited.
Alternatively, you can put it in a <Directory /path/to/root/private> in httpd.conf, which has the same effect
<Directory /path/to/root/private>
Order deny,allow
Deny from all
</Directory>
Update:
According to Apache HTTP Server Tutorial: .htaccess files you should prefer httpd.conf over .htaccess files
You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.
I wish to set up an apache server running php. I want all the files in a particular folder (say /site/ ) to be accessible from www.example.com/ . However I wish the files in /site/data/ to be not visible through www.example.com/data/ . I want www.example.com/fun.php script to be able to read/write to /site/data/ . What is the best way to do this through premissions and the apache defalt file?
You need to set up your directory structure slightly differently to what you have proposed. Rather run your site under a directory like:
/site/html
and store your data under a directory like:
/site/data
configuring Apache to only serve files from /site/html and not /site/data
or if you are using a more traditional apache directory structure then put the files you want publicly accessible through the web server in:
/var/www/html
and the private data files you only want your application to have access to in something like:
/var/www/data
Your Apache conf file will then contain something like:
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
This way the files in /var/www/data will not be publicly accessible but these files can still be accessed by php scripts in /var/www/html/
Disable Apache directory listings by putting this in your .htaccess file under /site/data
Options -Indexes
I want my htaccess code to work only on my live machine and not the local,
What code can I write in the HTaccess to differentiate?
In your local apache VirtualHost add this instruction:
<Directory /my/directory/where/the/htaccess/is >
# prevent reads of .htaccess files
AllowOverride None
</Directory>
Then you local Apache will never read any .htaccess in this directory (and subdirectories)