i'm new to stack overflow, and to .htaccess too, so let's come to the point.
I have a file lessons(.php) in my root directory and i want it to appear like it doesn't exists there through .htaccess
So i'm using these directives to achieve one of my goal:
<Files lessons.php>
Order Deny,Allow
Deny from All
</Files>
I only know that i'm denying access to that file in my directory, nothing more
And my second question is that i want this file to be able to access only for certain conditions, means when someone try to access that link
RewriteRule ^library/lessons/([a-z-]+) lessons?lesson=$1 [NC,L]
In other words
library/lessons/ba-blah-blah-whatever/
So how i can do this, accessing file just like an if/else condition, means if someone is on that link mentioned up there can access that file, i know that i can't use if/else in .htaccess but you know what i want to say
I'm pretty sure you don't need anything so complicate. Just write a proper route with mod_rewrite:
RewriteRule ^library/lessons/([a-z-]+) lessons.php?lesson=$1 [NC,L]
... and if you really really can't allow access through the actual file name, prevent access right from PHP filtering $_SERVER['REQUEST_URI'] and aborting with 404 status code.
Related
So I've found many posts here on how to do a similar action, however, I'm still confused. So here is my question. I want to have access to www.mywebsite/folder/index.html but if I were to remove the index.html and just type in www.mywebsite/folder/ I don't want to have access to that. How can I go about doing this? I read that I can use an .htaccess file with deny from all but that restricts me from the whole folder and I can't access the index.html.
Please let me know if there is a solution or another post that I missed that outlines the exact situation.
Thank you!
Which Apache version are you using? In 2.4, you can use DirectoryIndex disabled to stop it from automatically serving up the index.html, and combine that with Options -Indexes.
In lower versions disabled does not exist yet, so using mod_rewrite with a simple RewriteRule that forbids access when the exact folder path (with or without trailing slash) was requested should do it,
RewriteRule ^folder/?$ - [F,L]
To control what error message the user gets to see in each case, specify the ErrorDocument for the 403 Forbidden status code.
I doubt even it is possible or not. I have a strange requirement by client so have to do.
I have a website that allow certain ips(ips are hard coded in .htaccess ). Client has provided me a url that have some ips listed in json format. I want that these ips should be allowed to access the website. (Ips listed on url are dynamic so i can't use them in .htaccess). Do anyone have idea how to achieve this.
I know i can use a php file(index) in htaccess and write code in it to read ips but the priority is to get it done by .htaccess file only.
Thanks in advance.
Need little bit help.
I have created rewriteMap in httpd file.
RewriteMap accessmap "txt:E:\htdocs\myfolder\map.txt"
My map.txt have follwing entries.
127.0.0.11 allow
127.0.0.1 allow
127.0.0.12 deny
These entries i am adding in htacces file
RewriteCond ${accessmap:%{REMOTE_ADDR}} allow [NC]
RewriteRule ^(.*)$ https://www.exampleweb.com/$1 [L,R=302]
Now, for example i have 127.0.0.1 in my map file as allow so it should be allowed to access the site. If i want to access site form any other ip like
130.0.0.11 (not in map file) it should be redirect to this link https://www.exampleweb.com .
I do not have much knowledge about htaccess to can't understand how to write
rewriteRule and rewrite condition for this. Please help.
Note: Ips are just for example, actual ips will be different for these.
Create a RewriteMap. Add below code in Apache configuration file (httpd.conf) or in your virtual host file.
RewriteMap accessmap "txt:file/path/to/map.txt"
NOTE: RewriteMap directive cannot be added in .htaccess file or inside Directory section. [Source: Using rewrite map]
Then in your .htaccess file add below code
RewriteCond ${accessmap:%{REMOTE_ADDR}} !^allow
RewriteRule ^(.)$ - [F,L]*
This will allow IP addresses listed in map.txt file having value allow to access your site. Otherwise, users will see 403 forbidden error.
.htaccess files are constantly read by Apache HTTPD server. You can be changing the specific Authorization directives in it according to your needs by a script or something else and the new auth directives will be applied instantly.
I am currently running a PHP website, and I was wondering if there is any way to deny access to an image, if the directory was entered in the browser bar, but still be able to use said image in my Page with the <img src=""> tag.
I store said image in a directory called "images" which is on the same level with my main page "home.php". I am familiar with the .htaccess file and the deny from all command in it, however, as I said, it will not display the 'forbidden' files in the other pages. I hope that somebody can help me. Thanks!
Maybe you can try this:
<Files "./your_directory/yourfile.png">
Order Allow,Deny
Deny from all
</Files>
Basically, I believe that the answer would be "no," because in both cases the user's browser is the party making the request. Apache might not know or be able to distinguish between two "reasons" why the browser is making such a request.
On the other hand, programmatic code within your host-side application possibly could. Either directly or using mod_rewrite tricks, you could direct the incoming request to a server-side script, which can examine the entirety of the HTTP request and determine what sort of response it should produce: image-content, or 404. In this scenario, Apache accepts the request ... does not Deny it ... but instead of serving the image directly itself, it hands-off to a script which makes that decision. (The script can still gulp the data from a file, probably from a directory that Apache will not directly serve at all, so it can be "reasonably fast.")
By the way: you can use directives, at the <Directory> or <Location> level, to force "hand this request off to such-and-such script" behavior, so that, when the user's browser "requests such-and-such image," Apache runs that handler-script instead, passing a URL that includes the name of the requested file. The user won't be able to know what actually happened.)
You can accomplish this many ways, but internet jargon this is called "hotlinking". You can use this tool http://www.htaccesstools.com/hotlink-protection/ to create your own .htaccess file.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
I researched for this quite a long time, but could not find proper answer.
I am using Free PHP Hosting website which is provided by 000webhost.com.
I have a .htaccess in public_html folder given by them.
directory structure has sub-directory such as includes which I dont want the users to if they directly go to URL, It should say Forbidden - 403.
I do not want .htaccess in every sub-directory where I do not want allow access.
I read somewhere that .htaccess can change behavior of all the subdirectories and itself.
I know performance wise it is not a good option, but I do not have access to httpd.conf.
I think on SO there are some answers which tells me this :
1. move those subdirectories outsides the public_html (do not want to do that)
2. create .htaccess for every subdirectories and denying access (which is pain and not a scalable solution)
3. Use rewrite rules (Could be a solution not sure)
I hope someone can understand and help me out.
Thanks a lot.
Really, the most secure solution is to move those directories outside the DocumentRoot. However, you can easily add rewrite rules in your one .htaccess to forbid access:
RewriteEngine On
# Group many forbidden directories as (a|b|c|d)
RewriteRule ^(include|otherforbidden|someotherone) - [F]
Unless you have dozens of directories downstream to manage though, I don't see a big problem with dropping a directory-specific .htaccess in each.
add RedirectMatch 403 ^/includes/.*$ to your root .htaccess file to redirect any calls to the /includes directory to force a 403 Forbidden error.
However, it would be safer to use RedirectMatch 404 ^/includes/.*$ instead because attackers will get a 404 File Not Found error instead. This is considered safer because the 403 error let's attackers know that there is a file to attack.
Here is the scenario:
There is a index.php file in root folder
some files are included in index.php which are in the includes folder.
1 other file (submit.php) is in the root folder for form submit action.
I want to restrict direct user access to the files in includes folder by htaccess. also for submit.php. But include will work for index.php file.
Like, if user types www.domain.com/includes/somepage.php, it will restrict it (may be redirect to a error page).
I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:
deny from all
That way you cannot open any file from that folder, but you can include them in php without any problems.
This is pure mod_rewrite based solution:
RewriteRule ^(includes/|submit\.php) - [F,L,NC]
This will show forbidden error to use if URI contains either /includes/ or /submit.php
It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:
<Files ~ "^.*">
Deny from all
</Files>
<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
Allow from all
</Files>
1 liner mod_alias based solution :
RedirectMatch 403 ^/folder/file.php$
This will show forbidden error for /folder/file.php
If I understand correctly you just want to deny access to the includes folder?
An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.
Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a DOCROOT/.htaccess anyway and this keeps all such control in one file.
However what I wanted t discuss is the concept of "denying access to submit.php". If you don't want to use submit.php then why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.
If this is true then you can't use anubhava's part II as this will cause your form to fail.
What you can do here is (i) with the .htaccess check to ensure that the referrer was your own index page:
RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php [NC]
RewriteRule ^submit\.php$ - [F]
And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.
This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.
Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:
Satisfy all
Order deny,allow
Deny from all
I ran into this when the upper directory defined basic authentication including the line:
Satisfy any
This was preventing my deny from all to take effect because the users were authenticated.
You can add the below command to .htaccess file
Deny from all
ErrorDocument 403 "nothing is here"
It will display the "nothing is here" message in case of the unauthorised access.
If you want to redirect by an error code to a certain page then you can define a command as follows:
ErrorDocument 404 "/errors/404.html"
It will redirect to the /errors/404.html and show the custom page not found screen.