How do you write rules to redirect all requests to *.php and *.html files in upload/ folder to a text file name forbidden.txt in root www folder. What I'm trying to do exactly is preventing script execution in this dir by redirecting those requests to the text file
Note: The upload/ folder is accessibly by ftp used by a group of people to upload files so I cannot place htaccess inside this folder.
Create an .htaccess file at the root level of your site containing
RedirectMatch ^/upload/.+(html|php)$ http://www.yoursite.com/forbidden.txt
You could also try switching off the PHP engine in that directory by creating an .htaccess file in /upload/ containing:
php_value engine off
although you would need to ensure that people cannot upload files with the name .htaccess
Put your htaccess rules in httpd.conf instead.
If you can't edit httpd.conf, then your best bet is to not allow web access to that directory at all. Let FTP users access a folder outside of your web directory and then provide a mechanism for retrieving the file contents.
You could name that directory "upload". Then you could have your .htaccess file make requests to /upload/myfile execute upload.php, which finds ../upload/myfile and spits backs its contents. This way it would appear to users that they are accessing the "upload" folder directly, but you would the level of control you want through the PHP script.
Related
I want to restrict access to some folders and files but only when a user tries to access to it through the url, not when the website access to these files. For example restrict the folders images, javascript,...
I tried in different ways but I always got error 500.
Basically, I don't want external users to list my website directory and open their files, if it is possible to accomplish.
Thanks in advance
This is pure mod_rewrite based solution:
RewriteRule ^(includes/|submit\.php) - [F,L,NC]
This will show forbidden error to use if URI contains certain paths.
You are getting a 500 error because the container cannot be used in an htaccess file (which is essentially all inside a directory container for the directory that it's in). What you need to do is remove the container from your htaccess file, and leave the Deny from all bit:
htaccess file in your document root:
Refuse direct access to all files
Order deny,allow
Deny from all
Allow from 127.0.0.1
Then create an htaccess file in the uploads/files/, uploads/images/pages/ and uploads/images/store/ (and whatever other directories that you want to allow access to):
Allow from all
put .htaccess and edit with "Deny from all".
That's it.
Is it possible to disable lookup for .htaccess file in subdirectories, when I know I will only need my .htaccess in root directory?
I know it can be done with "AllowOverride None" when you have access to the server configuration file. But can I do this with my .htaccess file in root as well?
No. It must be done inside a <Directory> directive, which can only exist inside core configuration files.
Consider I have a file 'fg' and a folder 'fg' in the same directory. Now when user visit, he/she get content of file rather than content of directory. How to do this using .htaccess
Add the following code to .htaccess
DirectorySlash Off
This answer should be what you're after.
It is using the .htaccess file to rewrite directories to a file if both exist.
My web root is /var/www/test/public, eg:http://www.test.local is rewrite to here,
but there's a folder /var/www/test/documents/ where I store some pictures to let others download. How can I config my apache rewrite mod to allow users to download pictures in this documents folder by a url?
Can anyone help me? Thanks!
You don't need mod_rewrite for that. You can use an Alias directive to map that images directory into your document root:
Alias /images /var/www/test/documents
^--web path ^---file system path
That'd make any request for example.com/images be internally redirected to /var/www/test/documents, even though that documents dir is not within your site's webroot.
I have to add a password protected zone to a site I am working on (using the .htpasswd file). The thing is the whole directory structure it's being pointed at doesn't exist and is created through mod_rewrite.
Will it still work, or does the directory actually have to physically exist on the server?
Clarification:
While I may need to password protect the directory:
http://sitename/category/protected/
mod_rewrite translates this to:
index.php?category=category&directory=protected
So the actual directory does not exist. Is it still protectable?
You can add the access rules to the apache config file (httpd.conf or similar) in a Directory or Location tag instead of adding it in the .htaccess file.
Your rewrite rules will ultimately point to some files in a directory on your system (unless they redirect users to some external location). The authentication setup should be on the underlying directory that will be accessed.