I have a webside running on Apache and I want to make some files acceseble only via php. For example: I have a file "secret.html" and I don't want to be user able to do www.example.com/secret.html but he could do www.exapmle.com/verify.php, it would check if he can view it and then the php would do include "secret.html"; and it would be shown.
I found at least 2 ways to do what you want.
By htaccess
Add a special rule that deny access to the "secret" file. In order to simplify, you can just create a "secret" directory and then place into it every secret files. Then, create a .htaccess file in this directory that contains :
Order Allow,Deny
Deny from all
Finally, update "verify.php" and use include for php file :
include "secret/secret.php";
or readfilefor html file :
readfile("secret/secret.html");
By VirtualHost
This one is trickiest.
What you can do is to customize a little bit your vhost in your Apache settings.
Let's say you have 2 folders at the root of your website :
"secret" will contains the files you don't want to be accessible by browsers
"web" will contains your "verifiy.php" file
Then, change your Apache VirtualHost setting "DocumentRoot" to point to the "web" directory.
Finally, update "verify.php" and use include for php file :
include "../secret/secret.php";
or readfilefor html file :
readfile("../secret/secret.html");
create a .htaccess file in your directory.
//set deny all to all request which contain .html extension.
<Files *.html>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
//set allow to all .php file.
<Files *.php>
Order Allow,Deny
Allow from all
</Files>
in your verify.php file include your .html file
include "path/secret.html";
I hope it will be helpful.
Related
I'm trying to hide all the php and some html file in my server folder only by direct call from url... particularly i need to hide the register.html (this file is for users registration), and other php file.. (these php files contain sensitive data for database connection). How can i do this?? Thanks for any help ;)
Create/edit the .htaccess file in the directory where the files are located.
For denying all direct access to all files in the directory, add this:
Deny from all
For restricting only a specific file:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
For restricting specific file types, you need to edit the .htaccess file in the webroot folder. This rule will deny access to all .php and .html files in myFolder and its subdirectories.:
RewriteRule ^myFolder/.*\.(php|html)$ - [F,L,NC]
More examples on denying access to file types: https://stackoverflow.com/a/20489058/6817376
You can use this for register.html:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
and in the same way for other files.
In my application is possible to create a directory, and the user can store files inside that folders. So suppose that I have the following structure:
/public_html
/app
/assets
/documents
/folder_name
-list of files
My goal is to prevent that the user types as URL:
https://myapp.com/assets/documents
or
https://myapp.com/assets/documents/folder_name
and see all the files or directories available in there, is there a way to prevent this via .htaccess?
If you want to simply prevent the directory listing, you can put:
Options -Indexes
inside an .htaccess file in the root directory of your assets. Your vhost/server configuration must have the AllowOverride Options set for this to work though.
If you wish to prevent the files from being accessed you could use the <Files directory which is allowed inside an .htaccess file, but the better solution would be to simply move that directory out of the public root.
Put .htaccess in that folder, and add
Deny from all within
Or if you want to apply the directive dynamically to folder (in case you have access to Apache configuration):
<DirectoryMatch "^/public_html/app/assets/documents/(.+)/" >
Order Allow,Deny
Deny from all
</DirectoryMatch>
or within the folder_name:
<DirectoryMatch "^/public_html/app/assets/documents/folder_name(.+)/" >
Order Allow,Deny
Deny from all
</DirectoryMatch>
One of the approaches is to generate blank index.php within a folder.
I'm trying to hide all the php and some html file in my server folder only by direct call from url... particularly i need to hide the register.html (this file is for users registration), and other php file.. (these php files contain sensitive data for database connection). How can i do this?? Thanks for any help ;)
Create/edit the .htaccess file in the directory where the files are located.
For denying all direct access to all files in the directory, add this:
Deny from all
For restricting only a specific file:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
For restricting specific file types, you need to edit the .htaccess file in the webroot folder. This rule will deny access to all .php and .html files in myFolder and its subdirectories.:
RewriteRule ^myFolder/.*\.(php|html)$ - [F,L,NC]
More examples on denying access to file types: https://stackoverflow.com/a/20489058/6817376
You can use this for register.html:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
and in the same way for other files.
In my site I've some file used by my application where are putted the log information.
For example a log file is "access.log", and i write in by PHP.
If a visitor go to www.mysite.ext/access.log , can see the file and all the information inside it.
How can I disallow this?
thanks a lot
Put this in your .htaccess
<FilesMatch "\.(htaccess|htpasswd|pinc|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Will block .log and other common files you don't want people to access.
If you want to do this in Apache, you can add the following to your .htaccess:
<files access.log>
deny from all
</files>
I am doing PHP web application, with Apache.
There are a few configuration files ( like App.yml) whose content I don't want to expose to users under whatsoever circumstances. Is there anyway that I can tweak my Apache setting so that these files won't be available when hostile users query for them?
The best option would be to place the files outside of your document root.
If that's not possible, you can deny access to them in apache .conf file (or a .htaccess file) with
<Directory /path/to/dir>
Deny from all
</Directory>
You can create a .htaccess file in that directory and place in it
order deny,allow
deny from all
You can also do this if you only want to block one file.
<Files filenamehere>
order deny,allow
deny from all
</Files>