I want my application to allow pages to be accessed / referenced only from the application pages rather than from external addresses, with the exception of the main (index.php) page that will serve as the access point to the application. So, for example, if I build an HTML file on my desktop with a link or form to the destination of the application pages, I want it to redirect to index.php.
How can I do this?
I tried to add these rows to .htaccess:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
<FilesMatch ".*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
But this didn't work, because the desktop file was still on my server.
Edit 2:
I edited the .htaccess file to this and now it works:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteCond $1 !^(index\.php)
RewriteRule ^(.*)$ http://localhost/website/index.php [R,L]
If you mean that you don't want your pages like config.php, x.php, etc. to be accessed directly through the browser, then you can simply define a constant on the index.php page and check its existence in any other PHP file.
In case you want your forms to be submitted only through index.php, then the only solution is to use a changeable CSRF token, generated by index.php and valid only for one-time usage. That way you'll make sure that no one can just clone the form inputs and spam you with requests from another server.
Still, it's very difficult to totally prevent anyone from sending you requests from outside your server. Workaround techniques can be used to bypass token validation: attackers can simply send a cURL request to fetch a new token, then place it automatically into the form and send the request from outside the server.
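As an added example (not code from the question or from this answer), here is how the two ideas above, an entry-point constant that every non-entry file checks and a one-time CSRF token issued by index.php, fit together in PHP. The names IN_APP, csrf.php and process.php, and the form posting back to index.php?action=submit, are my assumptions; the point of posting back to index.php is that it stays the only public entry point, so the constant is always defined when process.php runs.

```php
<?php
// Added example, not code from the original question or answers.
// Assumed names: IN_APP (entry-point constant), csrf.php (shared helpers),
// process.php (form handler that index.php includes), index.php?action=submit.
declare(strict_types=1);

// ---------------------------------------------------------------------------
// csrf.php : helpers shared by every page (assumed file name)
// ---------------------------------------------------------------------------

// Issue a fresh token and store it in the session, replacing any older one.
// Each rendered form therefore carries a token that is valid for one submission.
function csrf_issue(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf_token'] = $token;
    return $token;
}

// Consume the token: it must exist and match in constant time, and it is
// removed from the session whether or not it matched, so it cannot be replayed.
// A non-string value (e.g. csrf[]=x sent as an array) is rejected.
function csrf_consume(array &$session, $submitted): bool
{
    $expected = $session['csrf_token'] ?? null;
    unset($session['csrf_token']);
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// ---------------------------------------------------------------------------
// index.php : the only page meant to be requested directly
// ---------------------------------------------------------------------------
//
// define('IN_APP', true);             // non-entry files test for this constant
// session_start();
// require __DIR__ . '/csrf.php';
// if (($_GET['action'] ?? '') === 'submit') {
//     require __DIR__ . '/process.php'; // same request, so IN_APP is defined
//     exit;
// }
// $token = csrf_issue($_SESSION);
// echo '<form method="post" action="index.php?action=submit">'
//    . '<input type="hidden" name="csrf" value="'
//    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
//    . '<input name="msg"><button>Send</button></form>';

// ---------------------------------------------------------------------------
// process.php : never meant to be a public URL; only index.php includes it
// ---------------------------------------------------------------------------
//
// if (!defined('IN_APP')) {           // requested directly: constant is missing
//     header('Location: /index.php', true, 303);
//     exit;
// }
// if (!csrf_consume($_SESSION, $_POST['csrf'] ?? null)) {
//     http_response_code(403);
//     exit('Invalid or reused form token');
// }
// // ... handle $_POST['msg'] ...
```

Note that the constant only protects files that index.php includes; a form whose action points at a separate PHP file starts a new request in which nothing is defined, which is why the token, not the constant, is what stops a cloned form. As the answer says, a token fetched with cURL and replayed once still passes; the guard limits each fetched form to a single use, it does not prove the request came from a browser on your site.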
I've been searching and testing as many different ways to do this as I can, but nothing seems to be working. In a nutshell, I'm streaming audio, but the path is obfuscated via a rewrite rule. I don't want direct access via the browser to the streaming file, but PHP still needs access to the file to stream it. Here is the streaming URL:
www.test.com/audio/32478576
The "audio" directory doesn't exist. I'm using .htaccess to redirect it to the streaming script. Here are the .htaccess bits:
RewriteRule ^/?audio/([\d]+)/?$ serve.php?id=$1 [L,QSA]
All that works great. So I figured that all that would be needed to deny access to the file would be to add the following to my .htaccess file:
<Files ~ "audio/">
order allow,deny
deny from all
</Files>
That didn't work. I was still able to get the audio to stream directly from the browser.
Perhaps this is not possible - trying to do what I want it to do. What am I missing? .htaccess is not my strength by any means, but I still think it's possible. I just don't have the right code or things in the right order, perhaps. Any help is greatly appreciated. Thanks.
UPDATE:
There may be something wrong with my server setup. I did a basic test with the following Rewrite:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?test\.com/.*$ [NC]
RewriteRule test\.php$ - [F]
But I still had direct access to the test.php file. But I shouldn't, right? Perhaps something is incorrectly set on my server?
<Directory> and <Files> directives apply to the filesystem. Since the /audio directory does not exist, the <Files ~ "audio/"> block has no effect.
The <Location> directive applies to URLs, and may work.
In a different approach, if Apache version is 2.4, it can be done as it is described in this documentation page http://httpd.apache.org/docs/current/howto/access.html.
As I understand it, you want to prevent serve.php from being accessed from outside your domain test.com. If so, then the HTTP_REFERER should be a URL containing test.com.
The HTTP_REFERER can be checked from .htaccess using code that prevents hotlinking of media files. This link: https://mediatemple.net/community/products/dv/204644230/prevent-hotlinking-with-a-htaccess-file describes how to prevent hotlinking of media files. The code given in the link can be modified to prevent hotlinking of your serve.php file. The following code should work:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?test\.com/.*$ [NC]
RewriteRule audio/.+$ - [F]
I'm having a problem with .htaccess and PHP-files in a sub folder. What I'm trying to achieve is to prevent anyone from being able to access any file in my sub folder - BUT I want my index.php to be able to access those files.
DOCROOT/subfolder -> www.somewebsite.com/subfolder/somefile.php
-> Access Denied
BUT
[index.php]
<form action="/subfolder/somefile.php">
...
</form>
-> Success!
I would love to solve this by just using .htaccess. I tried deny from all and also some RewriteRules, but those rules also kill any request from index.php.
I tried
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from somewebsite.com
Satisfy Any
but the request from index.php is being denied. Can anyone help, please?
This is a misconception that people have. Just because you're linking to PHP files from another PHP file doesn't mean the index.php file is accessing them. The end-user/browser is still accessing them, it's just it's being told where to go by your index.php file. Has absolutely nothing to do with how it's being accessed. In both of your cases, they're being accessed by the browser.
The best you can do is to look at the referer field. It can be easily forged to get around this, but it's the only thing you can do.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(example\.com|127\.0\.0\.1) [NC]
RewriteRule ^subfolder/ - [L,F]
where "example.com" is your site.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www\.hello\.com/index\.php
RewriteRule .*subfolder/somefile\.php - [NC,F]
The second line checks whether the visitor is not coming from a certain URL. The third line blocks them from accessing somefile.php.
In your .htaccess you could redirect any requests to files inside that directory other than index.php as follows (in per-directory context the matched path has no leading slash, so the pattern is ^(.+)$):
# DOCROOT/subfolder/.htaccess
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !=/DOCROOT/subfolder/index.php
RewriteRule ^(.+)$ /redirect.php [L]
I have mp3's in a directory called /mp3/ and I want to be able to access them only from another page.php in another directory /main/ on the site.
No direct linking from outside.
All of the pages are written in php
I put this code in the .htaccess file inside the /mp3/ directory...
Order deny,allow
deny from all
allow from 127.0.0.1
allow from localhost
allow from mydomain.com
allow from 123.45.678.90 # that's my server's IP address (real one used in code)
Satisfy Any
But none of those work.
It does work, however, if I use the IP address of where I am.
allow from 1.2.3.4 # my internet connection (real one used in code)
But that means it would work for anyone and their IP address.
What am I missing here? Does this work only on certain servers?
How do I make it use the server's IP address and not my IP address?
Look into "hotlink protection" added to your .htaccess file. You can set it up for just .mp3 file extension, and forbid access by any foreign site or directly from browsers. You might even be able to restrict access from within your own site, but I can't see that being terribly useful.
Something like
RewriteEngine on
Options +FollowSymlinks
# hotlink protection and allowed list
# don't forget to add https: to allow access for anyone with SSL
## uncomment following line to PERMIT direct browser access of mp3 files
#RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com(/)?.*$ [NC]
RewriteRule .*\.mp3$ - [F,NC]
Place the files you want to protect outside the public folder. This way they are only accessible via your scripts.
-root
--mp3s
--public_html
---main
----index.php
----page.php
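An added example, not part of this answer, of the serve.php that such a layout needs (it also fits the audio/serve.php question further up). My assumptions: the MP3s live in /var/www/mp3s, outside public_html, and are named <digits>.mp3; page.php sets $_SESSION['can_stream'] = true before embedding the player; the site answers as example.com. The Referer test is kept only as the weak, spoofable hint it is, and it compares the parsed host exactly rather than by prefix, so http://example.com.evil.test/ does not pass the way a regex like !^http://(www\.)?example.com would let it; the session flag is what actually gates access.

```php
<?php
// Added example, not code from the original question or answers.
// Assumed: media dir outside the web root, <digits>.mp3 file names,
// $_SESSION['can_stream'] set by the page that embeds the player, host example.com.
declare(strict_types=1);

const MEDIA_DIR  = '/var/www/mp3s';                      // assumed, outside public_html
const SITE_HOSTS = ['example.com', 'www.example.com'];   // assumed site hosts

// Strict Referer check: parse the URL and compare the host exactly.
// An empty or missing Referer (typed URL, some privacy settings) is refused here;
// relax that if you prefer, but remember the header can be forged either way.
function referer_allowed(?string $referer, array $hosts): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), $hosts, true);
}

// Map an untrusted id to a file path without letting the client choose the path:
// only digits are accepted, and the resolved file must stay inside $dir.
function media_path(string $id, string $dir): ?string
{
    if (!preg_match('/^\d{1,12}$/', $id)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $id . '.mp3');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                         // missing, or resolved outside $dir
    }
    return $path;
}

// Decide and stream. 404 for unknown ids before any access check, so the
// response does not reveal whether a file exists to an unauthenticated client.
function serve(string $id, array $session, array $server): void
{
    $path = media_path($id, MEDIA_DIR);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    if (empty($session['can_stream'])
        || !referer_allowed($server['HTTP_REFERER'] ?? null, SITE_HOSTS)) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: inline');
    header('Cache-Control: private, no-store');
    readfile($path);
}

session_start();
serve((string) ($_GET['id'] ?? ''), $_SESSION, $_SERVER);
```

With a rule like the one in the audio question, RewriteRule ^/?audio/([\d]+)/?$ serve.php?id=$1 [L,QSA], the URL /audio/32478576 reaches this script as id=32478576, and the file itself has no URL at all because it is not under the document root.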
You are trying to limit a "referral" and not direct access?
Denying from an IP limits all access, whether referred to by your page.php or by typing it into the browser's URL location bar. If you're trying to limit referrals, you can try using something like:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
RewriteRule ^mp3/ - [L,F]
but be warned that referers can be spoofed.
What about something like this, in your .htaccess
<Files ~ "\.mp3$">
Order allow,deny
Deny from all
</Files>
This will not allow direct access to any files with .mp3 from your web server.
Place this code in your mp3/.htaccess file:
RewriteEngine on
RewriteBase /mp3/
RewriteCond %{HTTP_REFERER} !^https?://(localhost|(www\.)?mydomain\.com)/ [NC]
RewriteRule ^ - [F]
In my .htaccess file, I am using the below to prevent direct access to folders:
Options -Indexes
I am using the below to prevent access to a critical file of ours:
<Files admin.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from (my ipaddress)
</Files>
So now users can't go to www.domain.com/scripts, as it throws a 404 error, nor can they access admin.php.
But how do I prevent direct access to all?
For example, if someone knew the filename, they can still get to it, such as: www.domain.com/scripts/process.php
What to do?
Using mod_rewrite:
Put this rule on top of all other rules:
RewriteRule ^scripts(/.*|)$ - [F,NC]
Without using mod_rewrite:
Put this code in scripts/.htaccess:
Order Deny,Allow
Deny from all
UPDATE: To block direct access to all files:
# If the request is for a valid file
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{THE_REQUEST} \..+[\s?]
# return forbidden error if not static files
RewriteRule (?!^.+\.(?:jpe?g|gif|bmp|png|tiff|css|js)$)^.*$ - [F]
I am using a PHP application I downloaded, and it is half working on my server, however I am having what I believe is a re-write error.
The application is a "job board" where people will be able to browse available positions, and apply online.
Currently it is "technically" working. A person can view the site, and postings, and they can fill out the application form. The message is sent properly.
The problem is that once the submit button is pressed the browser shows that the page is loading, but nothing ever loads. So the message is sent, but the following page is not loaded.
The application uses htaccess rewrites, and I believe this is where the problem is.
The application is supposed to work out-of-the-box on a top level domain, however I am trying to use it on a subdomain. Am I correct in assuming that technically there is not much difference when using a subdomain? After all, the pages all load fine until the form is submitted.
The application is running at http://volunteer.essentialtransit.com
What you see is the application after initially being set up, and I added one sample "job".
You can try applying to see the problem I am referring to. It is a very simple application form that only takes a few seconds to complete.
Here is the htaccess file:
# AddType x-mapp-php5 .php
# AddHandler x-mapp-php5 .php
RewriteEngine on
Options +FollowSymlinks
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
ErrorDocument 404 /page-unavailable/
<files ~ "\.tpl$">
order deny,allow
allow from none
deny from all
</files>
Perhaps if someone can explain what the htaccess rules are doing I can figure out the problem.
EDIT: So the page actually does load, but only after a very long time. The browser shows that the form is sent, and then the following page starts to load, but it takes minutes to actually load. All other pages on the site load more quickly than that. The other strange thing is that when a "job" page is initially opened it loads quickly; after applying it just redirects back to the same "job" page, but this time it takes forever to load.
The rules are self-explanatory:
RewriteEngine on # Enables rewrite engine (obviously)
Options +FollowSymlinks # Tells Apache to follow symbolic links
RewriteCond %{REQUEST_FILENAME} !-f # Here it redirects non-files
RewriteCond %{REQUEST_FILENAME} !-d # and non directories
RewriteRule . index.php [L] # to index.php
ErrorDocument 404 /page-unavailable/ # Sets 404 page address
<files ~ "\.tpl$"> # Denies access to templates
order deny,allow
allow from none
deny from all
</files>
I doubt your issues have anything to do with these rules.