I have log file that contain all users and their IP addresses,
And I just found out that I can access it directly without any restriction, also I have database.sql file with the same problem.
My website is complicated, I used .htaccess files to restrict some places in my server.
But these two files are in the main root, and It's so hard to move them outside the root.
I used this code to only restrict the access to these two files inside .htaccess
<FilesMatch "log">
Order deny,allow
Deny from all
</FilesMatch>
<FilesMatch "database.sql">
Order deny,allow
Deny from all
</FilesMatch>
But my problem is when I use this code my whole website crash!
Can anyone point out for me what I'm doing wrong?
Related
I am using Apache on my server and I'd like to allow my visitors to download resources free of charge. However, to preserve even a little bit of bandwidth I'd like to deny direct access to the root folder of the resources like this:
www.myhost.com/resources/file.wav
If the visitor removes file.wav from the URL, they have access to all sounds at once and thus I'd have people just downloading like crazy. I don't want that.
How can I stop the users from going into that root directory, and any subfolders?
The dead easiest way to do this, without even messing with .htaccess (though that is a good idea) is to simply put an index.html file in the folder and set its permissions to 700.
If you want to just turn off directory listings you can create an htaccess file with this:
<Directory /path/to/directory>
Options -Indexes
</Directory>
If you want to deny access to sub-directories, you can use this:
<Files subdirectory/*>
deny from all
</Files>
If you want to allow access to just the .wav files, you can do this:
<Files *.wav>
allow from all
</Files>
I want to be able to prevent people from accessing a file on a server, such as a document if they were to directly link to it via the URL. This is for security purposes so that documents on the site just can't be stumbled upon and downloaded...
What is the best approach for this?
I've tried using the .htaccess to deny access to docs and txts for examples, but you can still download the files it just prevents you from accessing the directory...which isn't what I want to do.
<Files ~ "\.(doc|txt)$">
order allow,deny
deny from all
</Files>
put it in a directory outside the public space and provide it via a custom PHP page which requires login or what you prefer
echo file_get_contents(/var/www/example.com/file.txt);
should works I guess
Try putting this in your .htaccess
<FilesMatch "\.(doc|txt)">
Order deny,allow
Deny from all
</FilesMatch>
The best thing to do is to not put it in the web server's document root in the first place.
You can in your .htaccess redirect all requests to files in that folder to a special PHP page that only allows logged in users to download the file but denies those unauthorized to access it.
Also it's a good idea putting the target file itself in a folder above public_html.
In my site I've some file used by my application where are putted the log information.
For example a log file is "access.log", and i write in by PHP.
If a visitor go to www.mysite.ext/access.log , can see the file and all the information inside it.
How can I disallow this?
thanks a lot
Put this in your .htaccess
<FilesMatch "\.(htaccess|htpasswd|pinc|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Will block .log and other common files you don't want people to access.
If you want to do this in Apache, you can add the following to your .htaccess:
<files access.log>
deny from all
</files>
I have various subfolders on my website and I would like for the user not to be able to access them through URL but on the same time my main PHP files to be able to include them or use them as actions on forms or links.
I tried using an .htaccess with
<Files *>
Order Allow,Deny
Deny from All
</Files>
but it denied all access even from within my own scripts. Logical as I found out, but I cannot know how to make it work. Any ideas?
P.S. My main concern is that some of the files are not included in main PHP files BUT they are linked there and their code ends up with a header('Location: ../index.php'); returning to the main page of the project.
I see a lot of answers with Allow,Deny not Deny,Allow
The order of this matters and is causing the problem. You are telling the computer that deny is more important than allow, because it is listed last. To show you... if you say:
<Files .htaccess>
Order Allow,Deny
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
You are saying first Allow anyone Allowed, then Deny All... Which still Denies ALL.
If you reverse to Deny,Allow you are saying Deny All, then Allow anyone Allowed.
<Files .htaccess>
Order Deny,Allow
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
Allow command, being more important, because it is the final command, is therefore allowing those listed after Allow From command.
xxx.xxx.xxx.xxx = Your IP
Do this:
<Files *>
Order Deny,Allow
Allow from 192.168.100.123 127.0.0.1
Deny from all
</Files>
The list of IP's will be specific hosts you allow, like localhost.
This also works with the directive, not just file, if you want only certain directories blocked.
There is an even safer method. Store your include files below the web accessible folders. So if your web files are here...
/var/www/mysite.com/
Store your include files here:
/var/includes/
Then include them with a full path...
include '/var/includes/myincludes.inc.php';
From the web, the myincludes.inc.php file is completely inaccessible.
Usually to protect these logic files from public access you can
put it in protected directory, above htdocs
add a check for public constant.. if(!is_defined(some_root_const)){die();}
change extension to .inc or something.. and deny with .htaccess based on that
put your application code outside of your public html folder. then you can add an include path at the top of your scripts to allow your script to access them as if they were in the same folder.
http://php.net/manual/en/function.set-include-path.php
In you .htaccess you will have to specify which IP's, hosts you want to allow and you can do it per directory as well. for e.g.
<Directory /dir/to/block>
Order Allow,Deny
Allow from 192.168.0.1 4.4.4.4
Deny from All
</Directory>
<Directory /dir/to/allow>
Order Allow, Deny
Allow from All
</Directory>
I am doing PHP web application, with Apache.
There are a few configuration files ( like App.yml) whose content I don't want to expose to users under whatsoever circumstances. Is there anyway that I can tweak my Apache setting so that these files won't be available when hostile users query for them?
The best option would be to place the files outside of your document root.
If that's not possible, you can deny access to them in apache .conf file (or a .htaccess file) with
<Directory /path/to/dir>
Deny from all
</Directory>
You can create a .htaccess file in that directory and place in it
order deny,allow
deny from all
You can also do this if you only want to block one file.
<Files filenamehere>
order deny,allow
deny from all
</Files>