I am using
RewriteEngine On
RewriteRule ^.*$ ./index.php
to redirect all my website traffic through index.php and let my php code get the request_uri and route each request accordingly.
I want to restrict access to all other files/directories except one that will contain the js files, css files, images etc.
I found that to do that I can use:
Order deny,allow
Deny from all
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
and then have another .htaccess file inside the public directory to allow certain file types.
When I navigate to localhost/mysite/index.php it works fine since the index.php file is accessible.
But for any other url I get a 403, for example /mysite/home/ is forbidden even though I expected it to work normally.
What can I do get the expected behavior?
My full .htacces file is:
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^.*$ ./index.php
Order deny,allow
Deny from all
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
EDIT: The /public/.htaccess currently looks like this:
<Files ~ "\.(xml|css|jpe?g|png|gif|js|pdf)$">
Allow from all
</Files>
Try this code in /mysite/.htaccess:
DirectoryIndex index.php
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^ index.php [L]
RewriteRule !^(public/|index\.php) [NC,F]
You can use:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php
That is the .htaccess I use for my applications. In the public directory, I only place index.php and JS, CSS and images file that I need, so there is no need to filter them out. Any other file (such as uploads), are save to a folder outside of the public folder - so they are no accessible directly - only via a php script that reads them. I believe that is "best practice".
Related
When users go to my sub domain, I want them to be redirected to a specific file I have in my subdomain. Or, to be exact, when someone goes here
http://app.example.com/
they should be redirected to here:
http://app.example.com/dashboard/
Everything I have tried doesn't seem to be working and the examples I have found online either don't work or don't do what I need them to do.
I'm also trying to get this to work from my root directory (from public_html). This is my file structue:
/ public_html
/ .htaccess
/ index.php
/ app.example.com
/ dashboard.php
You can see my htaccess file sitting on the top level. This is where I need to keep it.
This is my current file (including my attempt at the redirect):
# --------------------------------------------------------------------------------------------------------------------------------------
# Stops people from being able to see htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
# --------------------------------------------------------------------------------------------------------------------------------------
# Options
Options All -Indexes +MultiViews
# --------------------------------------------------------------------------------------------------------------------------------------
# Redirect app.example.com to /dashboard
RewriteEngine On
RewriteCond %{HTTP_HOST} ^app.example.com
RewriteRule ^$ /dashboard [L,R=301]
# --------------------------------------------------------------------------------------------------------------------------------------
# Makes it so url can have slash at the end instead of .php extension
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
RewriteRule ^(.+?)/?$ $1.php [L]
# --------------------------------------------------------------------------------------------------------------------------------------
# Adds wwww to url if it doesnt already have it
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]
rewriting works fine until we add auth to htaccess. Is auth formatted correctly? Why would rewrite work before adding auth?
Request params at the site controller with no auth:
[id] => 433 [type] => city
Params after auth added and the user authenticated:
[site/query]
Sample query url that works without auth:
http://www.website.com/site/query?type=city&id=433
The .htaccess with basic auth at the bottom:
# any visits not coming from this official URL should be rerouted; AJAX cross-domain, www.website.com is not the same as our.company.com
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.website\.com$ [NC]
RewriteRule ^(.*)$ http://www.website.com/$1 [R=301,L]
# route all requests that are NOT static files, through index.php to make the /nice/urls/ work
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?$1 [L]
# disable file listings for directories
Options -Indexes
# disable the fetching of .phtm
<Files ~ "\.phtml$">
Order allow,deny
Deny from all
</Files>
# Protect hidden files from being viewed
<Files .*>
Order Deny,Allow
Deny From All
</Files>
# Protect application and system files from being viewed
RewriteRule ^(?:modules|system)\b.* index.php/$0 [L]
# Allow any files or directories that exist to be displayed directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
AuthType Basic
AuthName "Password required"
AuthUserFile /maps/scorp/main/.htpasswd
Require valid-user
I've got no answer to your nice questions but I hope I found a solution. :)
IMHO in your .htaccess the authorisation will take the advantage. It's a kinda tricky but you can break the priority by enclosing the "Require valid-user" directive into block <Files>. E.g.:
<Files "*.phtml">
Require valid-user
</Files>
So I have been looking all over for a while, and cannot seem to find a particular solution I am looking for. I have seen many articles showing how to fix problems with wordpress rewrite, but none fix my problem.
I currently have Wordpress Installed in my / Root directory. the .htaccess looks like this.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^manager - [L,NC] <-- I added this from other examples.
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
So from what I can tell this tells wordpress, hey you will handle all the urls, for everything. forever. Seriously. For ever and everywhere :P
So the problem comes when I have a sub directory site.com/manager
Here I would like to build a similar URL capturing method to manage what the user gets to see/access/etc. The line I added to the root .htaccess file (from what I have read) is suppose to tell wordpress, hey don't touch my damn /manager folder.
Wordpress being the sneaky greedy caregiver that it is fails to listen. ill go to test my site.com/manager/test (grabbing test and pulling info from sql with it) and wordpress takes over and throws me to the wordpress 404 page.
my .htaccess in /manager is as follows for refrence, I am thinking I will need to do some rewrite stuffs here too, but for now just trying to prevent wordpress from being over bearing :).
DirectoryIndex index.php
<FilesMatch "\.(php|inc)$">
Order allow,deny
deny from all
</FilesMatch>
<FilesMatch "(index.php|logout.php)$">
Order allow,deny
allow from all
</FilesMatch>
Any ideas, thoughts, comments, concerns would be much appreciated.
Thank you.
SO after digging deeper and looking into this further I found a fix. Not sure it is the BEST solution but its working.
Root (/) .htaccess
#Manager - A customer content manager
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/manager/(.*)$ [OR]
RewriteRule ^.*$ - [L]
</IfModule>
#end Manager
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
This appears to over ride wordpress like needed.
Manager (/manager) .htaccess
DirectoryIndex index.php
<FilesMatch "\.(php|inc)$">
Order allow,deny
deny from all
</FilesMatch>
<FilesMatch "(index.php|logout.php|install.php)$">
Order allow,deny
allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /manager/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
The top portion isn't required but I added this for file protection/security.
Summary:
I used the %{REQUEST_URI} to selectively remove a sub-folder, to apply this to more sub-folders I would add another
RewriteCond %{REQUEST_URI} ^/manager/(.*)$ [OR]
I then input the information in the sub-directory's .htaccess file for url rewriting. From here I can manipulate the URL converting it into a Array list for further sorting and database calling.
Here's my current situation:
I'm rewriting /api to api.php.
RewriteRule ^apidir/url/new?$ api.php [QSA,NC,L]
Now, I am whitelisting IP's for it. However, when I try and use the Files directive to block access, I can't because it is being rewritten.
<Files "\api.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
so, I tried just using it to block the rewritten directory
<Files "\apimashape2013/url/new">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
None of these have worked out.
If you have access to the virtualhost you can use this:
RewriteEngine on
RewriteMap hosts-deny txt:/home/youraccount/deny_list.txt
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteCond %{REQUEST_URI} ^/api [NC]
RewriteRule ^ - [F]
And have the deny_list.txt with the list of IP's or HOST you wish to blacklist:
193.102.180.41 -
bsdti1.sdm.de -
192.76.162.40 -
Read more here.
Alternatively if you don't have access to the virtualhost, you can change the name of your php file to something unique for example thisismyapi.php and use it like this:
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
<Files "thisismyapi.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !thisismyapi.php
RewriteRule ^api/?(.*)$ /api/thisismyapi.php [L]
Why do I change it to other name?
Because this way it will match it anywhere it is so it should work just fine for your needs and will not conflict with other files.
For example in this way it the file was named index.php it would conflict with index.php in other folders.
Not sure why the first <Files> container isn't working. The \ shouldn't have any effect. But the container needs to be in the directory or parent directory of where the api.php file is.
Alternatively, you can include this in your htaccess:
RewriteCond %{REMOTE_ADDR} ^24\.11\.95\.151$
RewriteRule ^/?api.php$ - [L,F]
I am trying to use fuelcms in my arch linux lamp server. But I cant make htaccess to work. My home folder is ytsejam/fuel_cms/..
This is my .htaccess file :
Options +FollowSymLinks
<IfModule mod_rewrite.c>
RewriteEngine On
<Files .*>
Order deny, allow
Deny From All
</Files>
# Allow asset folders through
RewriteRule ^(fuel/modules/(.+)?/assets/(.+)) - [L]
# Protect application and system files from being viewed
RewriteRule ^(fuel/install/.+|fuel/crons/.+|fuel/data_backup/.+|fuel/codeigniter/.+|fuel/modules/.+|fuel/application/.+|\.git.+) - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php?/$0 [L]
</IfModule>
Options -Indexes
/var/log/httpd/error_logs show that
/home/ytsejam/public_html/fuel_cms/.htaccess: order takes one argument, 'allow,deny', 'deny,allow', or 'mutual-failure'
can anyone help me ?
You have just inserted additional space after the comma
"deny, allow" must be "deny,allow"