This question already has answers here:
Anyway protecting your site from external site scandir
(2 answers)
Closed 6 years ago.
here's my website organization:
index.php includes header, home, and footer files:
How should I set .htaccess so that MyWebSite/ is the only allowed URL?
You could try it this way. Block all php files except from localhost or server IP address.
For Apache < 2.4
<Files ~ "\.php">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files "index.php">
Order Allow,Deny
Allow from all
</Files>
For Apache >= 2.4
<Files ~ "\.php">
Require all denied
Require ip 127.0.0.1
</Files>
<Files "index.php">
Require all granted
</Files>
Mamp should be using Apache 2.4 so the 2nd example should work.
Related
I want to share one of my subdomain to public that anyone can upload and explore any files. I want to it be a simple, so I chose https://github.com/webcdn/File-Explorer project. It is responsive and beautiful. But I need some modifications:
Remove authentication -> I did it.
Prevent execution of any PHP file (for security reasons) except "explore.php".
I did it using .htaccess file as below:
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files explore.php>
Order Allow,Deny
Allow from all
</Files>
DirectoryIndex explore.php
The problem is that "File-Explorer" project still shows "explore.php".
I renamed explore.php to .explore.php and replaced it in .htaccess, but it doesn't work and the website can't be load.
To #All, Nobody is here to answer this question?
I have tried my below problem with following SO question Zend Server Community Edition .htaccess issue but could not get success. That's why posting my details question here as follows:
I am having a very serious issue with Zend Community Server Edition (ZendServer-CE-php-5.3.9-5.6.0-SP1-Windows_x86).
Everything is working fine but not URL Rewrtiting.
I have following things set up in my httpd.conf file of Apache folder on Windows 7
I have enabled mod_rewrite module in httpd.conf file like
LoadModule rewrite_module modules/mod_rewrite.so
Below is my Document Root for my all projects
DocumentRoot "D:/projects/"
and its related <Directory> settings like
<Directory />
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
#Order deny,allow
#Deny from all
</Directory>
<Directory D:/projects>
Options Indexes +FollowSymLinks
AllowOverride All
#Order deny,allow
#Deny from all
Order allow,deny
Allow from all
</Directory>
I have .htaccess setup in httpd.conf is as below
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
Now, I have following path of my test folder for URL Rewriting.
D:/projects/url
D:/projects/url/.htaccess
and content of .htaccess file is as below
RewriteEngine on
RewriteRule ^news news.php
RewriteRule ^news/id/(.*)/article/(.*) news.php?id=$1&article=$2
D:/projects/url/news.php
In news.php file (when I specify it on addressbar like localhost:/url/news.php it does not works and giving below error message
Forbidden
You don't have permission to access /url/news on this server.
code in news.php file is as below
$path = $_SERVER['REQUEST_URI'];
echo $path."<br/>";
//below is for http://localhost:<PORT>/url/news/id/62/article/abc
if(isset($_GET['id']) && isset($_GET['article']))
{
echo $_GET['id']."<br/>";
echo $_GET['article'];
}
Any guidance will be appreciated.
To #All, Nobody is here to answer this question?
I'd like to deny multiple files through htaccess.
<FilesMatch (profile|reg|register|..............|)\.php>
order allow,deny
deny from all
</FilesMatch>
I have lots of files (6 folders with like 30 files each) that I want to deny access to, so using the method above by entering them one by one will take time.
Could I deny access to all files in the folders like this?
<Directory /www/php/login/pages>
Order Allow,Deny
</Directory>
To multiple
<FilesMatch "(foo|bar|doo)\.php$">
Deny from all
</FilesMatch>
or go for rewrite rules (RewriteEngine On)
RewriteRule \.(psd|log)$ - [NC,F]
To deny access to all files in the folders:
rewriteRule ^www/php/login/pages - [NC,F]
or simply place a `Deny from all' directly in that folder...
Update 2015: Using Apache 2.4 or higher, the `Deny from all' would needs adjustment.
You would need to add "deny from all" like your initial approach, but yes you can.
Scroll down in the documentation for the syntax you are looking for: http://httpd.apache.org/docs/2.2/mod/core.html#directory
This question already has answers here:
.htaccess deny access to specific files? more than one
(3 answers)
Closed 8 years ago.
I want to deny access to multiple PHP files in directory /all/cstl/.
My .htaccess is also stored in this directory.
This is my current code and it's not working.
<Files "\ (config.php|function.php|include.php)">
Order allow,deny
Deny from all
</Files>
I have tried to deny the directory and allow specific files but it denies the directory and does not allow the requested .php files. My code for this is:
<Directory />
Order deny,allow
Deny from all
<Directory>
<Files "index.php|post.php">
Order deny,allow
Deny from all
</Files>
Please give me some example of blocking access to multiple specific files within a directory.
There are several problems with the .htaccess you have there.
As BSen linked in the comment above, you should use FilesMatch.
Also, your regular expression is wrong.
The problem with the regular expression is that you have an escaped space at the start, so all files must start with a space character (followed by one of config.php, function.php etc)
Also a small explaination of the Order allow,deny directive:
http://www.maxi-pedia.com/Order+allow+deny
Try this:
<FilesMatch "config\.php|function\.php|include\.php">
Order allow,deny
Deny from all
</FilesMatch>
If you'd like to deny all but a few files, this would read as
Order deny,allow
Deny from all
<FilesMatch "index\.php|index\.html">
Allow from all
</FilesMatch>
I have various subfolders on my website and I would like for the user not to be able to access them through URL but on the same time my main PHP files to be able to include them or use them as actions on forms or links.
I tried using an .htaccess with
<Files *>
Order Allow,Deny
Deny from All
</Files>
but it denied all access even from within my own scripts. Logical as I found out, but I cannot know how to make it work. Any ideas?
P.S. My main concern is that some of the files are not included in main PHP files BUT they are linked there and their code ends up with a header('Location: ../index.php'); returning to the main page of the project.
I see a lot of answers with Allow,Deny not Deny,Allow
The order of this matters and is causing the problem. You are telling the computer that deny is more important than allow, because it is listed last. To show you... if you say:
<Files .htaccess>
Order Allow,Deny
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
You are saying first Allow anyone Allowed, then Deny All... Which still Denies ALL.
If you reverse to Deny,Allow you are saying Deny All, then Allow anyone Allowed.
<Files .htaccess>
Order Deny,Allow
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
Allow command, being more important, because it is the final command, is therefore allowing those listed after Allow From command.
xxx.xxx.xxx.xxx = Your IP
Do this:
<Files *>
Order Deny,Allow
Allow from 192.168.100.123 127.0.0.1
Deny from all
</Files>
The list of IP's will be specific hosts you allow, like localhost.
This also works with the directive, not just file, if you want only certain directories blocked.
There is an even safer method. Store your include files below the web accessible folders. So if your web files are here...
/var/www/mysite.com/
Store your include files here:
/var/includes/
Then include them with a full path...
include '/var/includes/myincludes.inc.php';
From the web, the myincludes.inc.php file is completely inaccessible.
Usually to protect these logic files from public access you can
put it in protected directory, above htdocs
add a check for public constant.. if(!is_defined(some_root_const)){die();}
change extension to .inc or something.. and deny with .htaccess based on that
put your application code outside of your public html folder. then you can add an include path at the top of your scripts to allow your script to access them as if they were in the same folder.
http://php.net/manual/en/function.set-include-path.php
In you .htaccess you will have to specify which IP's, hosts you want to allow and you can do it per directory as well. for e.g.
<Directory /dir/to/block>
Order Allow,Deny
Allow from 192.168.0.1 4.4.4.4
Deny from All
</Directory>
<Directory /dir/to/allow>
Order Allow, Deny
Allow from All
</Directory>