I want to block HTTP access to every file in my project directory except PHP scripts located in the root folder (not subfolders).
My current .htaccess file looks like this :
# Disable Directory Listings in this Directory and Subdirectories
# This will hide the files from the public unless they know direct URLs
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api.php/$1 [QSA,L]
</IfModule>
# Deny all files from being accessed with Apache
Order Deny,Allow
Deny from all
# Allow specific PHP files at root
<FilesMatch "/(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
This mostly works, except for the URL rewriting on the api.php script. I've tried changing the FilesMatch regexp to /(api|cron|status)(\.php)?$, but it keeps on throwing me a 403 response.
Anyone can explain to me what I did wrong here ? I'm usually OK with regexp, but this has got me thinking Apache doesn't process them like everyone else...
Deny from all
<FilesMatch "^(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
And I guess make sure your .htaccess is on the root level.
Related
I'm trying to block all calls to php files in a specific folder and subfolders except for one specific folder and its subfolders.
I've tried a number of different regex permutations and I can get the regex to match properly, it's implementing in htaccess where I have a problem.
This is the htaccess file as it is now:
<FilesMatch "\.(?i:php)$">
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
and this is the regex expression that matches properly outside of htaccess:
^(?!.*(thedirectory)).*(?i:php)$
When I check that regex against index.php it matches. When I check against /thedirectory/index.php it does not match. When I check against /someotherdirectory/style.css it does not match.
How I'd like it to work is:
domain.com/folder/index.php -> 404 Error
domain.com/folder/thedirectory/index.php -> resolves
domain.com/folder/someotherdirectory/index.php -> 404 Error
domain.com/folder/someotherdirectory/afunction.php -> 404 Error
domain.com/folder/someotherdirectory/style.css -> resolves
Turned out to be a lot more straightforward than I thought it would be:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_URI} ^(?!.*(thedirectory)).*(?i:php)$ [NC]
RewriteRule "(.*)" /404.php
</IfModule>
The <Files> and <FilesMatch> sections match just the filename, not the directory path. So attempting to do so will naturally fail.
An alternative approach is to simply create an additional .htaccess file in the directory you want to allow access, which will override the parent:
Require all granted
I need to create a .htaccess rewrite. All requests need to redirect to /public/index.php. except for assets. (public/images/, public/css/ etc...). My css and js files have version (style.20180523.css). So the numbers need to get remove from the file name.
Example link:
domain.com/users/123 -> to index.php
domain.com/public/images/logo.png -> All requests which start with public, will remain unchanged If css or js remove a number
Here is my htaccess:
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(?!\/public) public/index.php [L,QSA]
</IfModule>
You need to add a rewrite condition like
RewriteCond %{REQUEST_URI} !^/public/(css|js)/
before your RewriteRule.
This will rewrite everything that is not starting with /public/css or /public/js
I'm new in SS and I need to moved one website from one web hosting into Godaddy.
Ir order to do that I have installed SS in my local environment in the root folder and everything works smoothly. Then I went to the subdomain and almost everything works well except the detail page. For example:
Home page: http://subdomain.domain.com.au/subdomain/index.php/ - IT WORKS
Product - Tools page: http://subdomain.domain.com.au/subdomain/index.php/products/tools/ - IT WORKS
Tools details page: http://subdomain.domain.com.au/tools/show/slp20xp IT DOESN'T WORK.
If I go to this URL : http://subdomain.domain.com.au/subdomain/index.php/products/tools//show/slp20xp The page is there and working fine. Somehow, on the detail page is trying to go one step backward to the root folder. If I moved this page to the root folder everything works fine.
Any idea what I might be missing? I tried different htacces configuration but none of them seems to work.
### SILVERSTRIPE START ###
<Files *.ss>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files web.config>
Order deny,allow
Deny from all
</Files>
# This denies access to all yml files, since developers might include sensitive
# information in them. See the docs for work-arounds to serve some yaml files
<Files *.yml>
Order allow,deny
Deny from all
</Files>
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html
<IfModule mod_alias.c>
RedirectMatch 403 /silverstripe-cache(/|$)
RedirectMatch 403 /vendor(/|$)
RedirectMatch 403 /composer\.(json|lock)
</IfModule>
<IfModule mod_rewrite.c>
SetEnv HTTP_MOD_REWRITE On
RewriteEngine On
RewriteBase '/'
RewriteCond %{REQUEST_URI} ^(.*)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !\.php$
RewriteRule .* framework/main.php?url=%1&%{QUERY_STRING} [L]
</IfModule>
### SILVERSTRIPE END ###
In the htaccess of the subdomain, try changing RewriteBase '/' to RewriteBase '/subdomain'
desired:
user calls domain.tld/download/file_01.zip
htaccess calls private/download.php
file_01.zip starts to download
Note: file_01.zip must be protected from direct access.
Simplified folder structure:
root/
public/
.htaccess
index.php
private/ <<< this area is blocked from direct access >>>
files/
file_01.zip
file_02.zip
.htaccess
download.php
public/.htaccess
RewriteRule ^download/(.*)?$ ./../private/download.php?file=$1 [NC,L]
private/.htaccess (Edit)
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
download.php
$file = 'files/'.$_GET['file'];
// check: user allowed to download?
// check: more stuff (security, etc.) ...
forceDownload($file);
The RewriteRule works, but I'm getting the error Forbidden: You don't have permission to access [...] on this server, probably because the user calls the request, not the server.
Any idea?
Thanks in advance!
There is one more approach. Rename particular directory (add a single dot before it's current name, .private for example) and place this inside .htaccess file.
RewriteRule (^\.|/\.) - [F]
After adding this rule, each and every file and directory that begins with one . will be forbidden/protected, just like .htaccess it self is. :)
This will prevent access to anyone but PHP to open, view, modify file/dir contents.
Here is sample of (very common I believe) basic .htaccess *(sitting in DOCUMENT_ROOT directory) mod_rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule (^\.|/\.) - [F]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.+)$ /$1.php [QSA,L]
</IfModule>
Once that this is being done, You don't serve direct links to .zip or whichever file ext. You have in mind, but do that in some other fashion with favorite PHP 'tricks' of Yours. :)
If You feel that this will give You a lot of code refactoring, just because one directory, You can add those dots to zip files, and move them elsewhere, direct access to dotted files, still won't be possible.
As RiggsFolly stated in their comment.
You need to modify that private/ .htaccess file to something like:
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
Allow from 127.0.0.1 #or your server address/etc
</IfModule>
Here is another solution, giving that your Apache version is >=2.4. (via using Require)
<IfModule !mod_authz_core.c>
Require all granted
Require ip 127.0.0.1
</IfModule>
I am having a problem , I am a great supporter of .htaccess , but I have taken a yahoo small business hosting for one of my Project, which currently dont supports .htaccess rewrite, so I am looking for some best option to mimic the same functionality with php instead of .htaccess
So , I can redirect all request to index.php with the following code, Reference
if(basename($_SERVER['REQUEST_URI']) !== 'index.php'){
header("location:index.php");
exit();
}
Now I want to implement other functionality in php too, like denial of directory access, and allowing only css , jss , image file etc direct access.So please suggest me some optimised and feasilble way to achieve this. Here is .htaccess for reference
RewriteEngine on
RewriteBase /
SetEnv APPLICATION_ENV development
#SetEnv FACEBOOK_APP_ID 4343434343
#SetEnv FACEBOOK_APP_SECRET d00b24f1344334833c90f0795ebe
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?url=$1 [L,QSA]
# This denies all web access to your .ini file.
<Files ~ "\.(php|ini|log|htm)$">
Order allow,deny
Deny from all
</Files>
<FilesMatch "^(index\.php)?$">
Allow from All
</FilesMatch>
<files config.base.ini>
order deny,allow
deny from all
</files>
<files errorlogs.log>
order deny,allow
deny from all
</files>
PS :FB SECRET ID AND CREDENTIALS ARE DUMMY