apache: prevent remote browser from running a specific file - php

I have a PHP script that is run from cron to send out reminder emails.
To prevent unauthorised use of this script, I have the following .htaccess file which I upgraded to the Require directive after upgrading apache to 2.4 from 2.2.
<Files "reminder.php">
Require all denied
Require host localhost
Require ip 127.0.0.1
Require ip xxx.yyy.zzz.aaa
</Files>
xxx.yyy.zzz.aaa is the address of the webserver, equivalent to localhost.
Whereas the old .htaccess file used to work, this one isn't preventing access from remote browsers. I've read and reread all the directive documentation and can't see what is wrong. Any clues? Is this the best way to protect a PHP script designed to run from cron?
The old .htaccess file was:
<Files "reminder.php">
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 127.0.0.1
Allow from xxx.yyy.zzz.aaa
</Files>

I found the problem. When I set up the 2.4 server, I explicitly used
AllowOverride None
and didn't override this in specific directories. BTW AllowOverride defaulted to All in 2.2 and defaults to None in 2.4 so without the directive I would still have had the same problem.
So replacing this with
AllowOverride All
within the <directory> group fixed the problem. The .htaccess file is now allowed to do its job.
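A working pair of files for the setup described above, as an added example rather than the poster's own configuration (the docroot path /var/www/html is assumed). It grants .htaccess only the override class that Require needs, and uses Require local in place of the three hand-listed addresses:

```apache
# httpd.conf (or the vhost file): AllowOverride is None by default in 2.4,
# so without this block the .htaccess below is silently ignored.
# AuthConfig is the override class that covers the Require directive;
# it is narrower than AllowOverride All, which also unlocks Options,
# FileInfo (rewrites, handlers) and more for anyone who can write .htaccess.
<Directory "/var/www/html">
    AllowOverride AuthConfig
</Directory>

# /var/www/html/.htaccess
<Files "reminder.php">
    # "Require local" matches 127.0.0.0/8, ::1 and any connection whose client
    # and server address are the same, i.e. the three Require lines in the
    # question. Sibling Require lines merge as RequireAny, so the question's
    # "Require all denied" contributed nothing either way: a line that never
    # grants cannot override a sibling that does.
    Require local
</Files>
```

After a reload, a request for /reminder.php from another host should return 403 while cron's request from the server itself returns 200; that difference is the check that the override is actually in effect.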

Related

Only Allow To Access Folders Via Code With .htaccess

I want to hide my uploads folder but I want to access it via PHP. Is this possible with .htaccess?
I tried something but it didn't work.
<files "/uploads">
order allow,deny
deny from all
</files>
<folders uploads>
Order Allow,Deny
Deny from all
</folders>
You're almost there, but it depends on what version of Apache you're using also.
The above method you're trying is for blocking access to a specific file; if you want to block a folder, then add your .htaccess file to that folder and just use:
Below 2.4:
deny from all
2.4 or above:
Require all denied
IMPORTANT EDIT
You can just upload a .htaccess to the folder that you want to block with the following:
Deny from all
If there is some issue, add:
Allow from 127.0.0.1
It worked well for me.
Original answer
Try:
<Directory "/uploads">
Order allow,deny
Deny from all
Allow from 127.0.0.1
</Directory>
EDIT:
The code above will deny all except the local ip (of your server).
As thickguru said, it also depends on your apache version. Here are some other ways to do it:
<Directory "/uploads">
Require local
</Directory>
It will only allow access if requested by the server (your script or something else on the server).
Or:
<Directory "/uploads">
Require ip 127.0.0.1
</Directory>
The same as above, but using the local address. You can also add other IPs to it. All the IPs that you add there will be allowed to access the folder.

Apache server Forbidden php

I just got a VPS and it's running CentOS 6.8 with WHM 58.0. I really don't want the WHM, I only want to add one site to the server. So I just installed an FTP server and uploaded the files to the Apache root dir at /usr/local/apache/htdocs and gave all files chmod 777.
All works good, but when I go to PHP or ajax to PHP I get "403 Forbidden". I suppose the problem is in the http.config but I really have no idea. Here is my http.conf file and I don't have any .htaccess files.
Among other things, you want to make sure that the Linux user that is running Apache has permission to read and execute the PHP files where they are on the server.
This is a good guide for transferring PHP files and setting the permissions using PHP: https://www.digitalocean.com/community/tutorials/how-to-use-sftp-to-securely-transfer-files-with-a-remote-server
There's also a guide here to setting up the server and checking that PHP is set up correctly here, but I assume you have done this already: https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-16-04
I just replaced this
<Directory "/usr/local/apache/htdocs">
Options Includes Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
with this
<Directory "/usr/local/apache/htdocs">
Options Indexes
Order allow,deny
Allow from all
</Directory>

Exclude a file in /var/www/html from SSL in apache server

I have a home server running on apache at /var/www/html, I also created a self signed SSL at DocumentRoot /var/www/html in /etc/apache2/sites-available/default-ssl.conf
How can I exclude a file within html from SSL, for example, my current server is https://myserver.com, but I want to use http://myserver.com/nossl/api.php
What should I add in .htaccess of that nossl folder?
This is my current .htaccess to exclude authentication
<Files main.php>
AuthType none
Satisfy any
Order Allow,Deny
Allow from all
</Files>
Since I can't find any direct solution to this, I did find a way of free SSL using letsencrypt
Working great on multiple servers

Apache 2.4, enabling folder view in browser

Using Apache 2.4 64 bit VC10 build on my Win 7 machine from Apache Lounge, how do I enable folder file view? I just want to see what files are in every folder that does not have an index file in that folder.
This is for dev purposes only. I have tried using Options Indexes / All options and restarted my server a few times. All I get is 403 Forbidden.
For Apache 2.4, if you have enabled Directory Indexes such as index.html or index.php you must first disable that before you can get folders and files to show in a web browser.
<Directory "/vhost/www/htdocs/path/to/folder">
DirectoryIndex disabled
Options Indexes
</Directory>
The directive in Apache has changed from version 2.2 to 2.4 and up.
I am running version 2.4.7 and a basic vhost file looks like this:
<VirtualHost 192.168.1.5:80>
DocumentRoot /srv/html/
ServerName some.placeoverthe.rainbow
<Directory /srv/html/>
# Allows directory browsing. (Apache comments must be on their own line;
# a trailing "## ..." after a directive is read as an argument and fails.)
Options Indexes
# Allow all requests.
Require all granted
</Directory>
</VirtualHost>
Taken from the Apache website: https://httpd.apache.org/docs/2.4/upgrading.html
Here are some examples of old and new ways to do the same access control.
In this example, all requests are denied.
2.2 configuration:
Order deny,allow
Deny from all
2.4 configuration:
Require all denied
In this example, all requests are allowed.
2.2 configuration:
Order allow,deny
Allow from all
2.4 configuration:
Require all granted
In the following example, all hosts in the example.org domain are allowed access; all other hosts are denied access.
2.2 configuration:
Order Deny,Allow
Deny from all
Allow from example.org
2.4 configuration:
Require host example.org
Directory Indexing
Taken from the Apache website: http://httpd.apache.org/docs/2.4/mod/core.html
The Options directive controls which server features are available in a particular directory.
Options can be set to None, in which case none of the extra features are enabled, or one or more of the following:
All
All options except for MultiViews.
ExecCGI
Execution of CGI scripts using mod_cgi is permitted.
FollowSymLinks
The server will follow symbolic links in this directory. This is the default setting.
Even though the server follows the symlink it does not change the pathname used to match against <Directory> sections.
The FollowSymLinks and SymLinksIfOwnerMatch Options work only in <Directory> sections or .htaccess files.
Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.
Includes
Server-side includes provided by mod_include are permitted.
IncludesNOEXEC
Server-side includes are permitted, but the #exec cmd and #exec cgi are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories.
Indexes
If a URL which maps to a directory is requested and there is no DirectoryIndex (e.g., index.html) in that directory, then mod_autoindex will return a formatted listing of the directory.
MultiViews
Content negotiated "MultiViews" are allowed using mod_negotiation.
Note: This option gets ignored if set anywhere other than <Directory>, as mod_negotiation needs real resources to compare against and evaluate from.
SymLinksIfOwnerMatch
The server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.
As a side note: you might want to check and make sure that the user that Apache is running under has permission to read from that directory. On Windows this may not be an issue, but on Linux it very well can be. On most Linux distros the default user is typically:
www-data
So you would need to change permissions for that directory to allow apache access if the directory is owned by someone other than the user apache runs under.
<Directory "/srv/www/htdocs">
Options +Indexes
################
Order allow,deny
Allow from all
</Directory>

phpmyadmin security

I have a production server with apache2, php, mysql.
I have just one site right now (mysite.com) as a virtual host. I want to put phpmyadmin, webalizer, and maybe webmin on there. So far, I installed phpmyadmin, and it works but the whole internet can go to mysite.com/phpmyadmin
How can I reduce the visibility to say 192.168.0.0/16 so it's just accessible to machines behind my firewall?
1) You can do it at the Webserver level.
Use allow/deny rules for apache. If you don't have direct access to your apache configuration file, you may use a .htaccess file.
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from 10.1.2.3
</Directory>
2) You can do it at the application level using the phpmyadmin config file.
The configuration parameter is: $cfg['Servers'][$i]['AllowDeny']['rules']
Examples of rules are:
'all' -> 0.0.0.0/0
'localhost' -> 127.0.0.1/8
'localnetA' -> SERVER_ADDRESS/8
'localnetB' -> SERVER_ADDRESS/16
'localnetC' -> SERVER_ADDRESS/24
You can see this on the official phpMyAdmin configuration documentation.
http://www.phpmyadmin.net/documentation/#servers_allowdeny_order
You would use a module in Apache called mod_access
You can either configure it in your apache config file or within a .htaccess file in the directory's root.
Here's a short example
<Directory /your_folder/location>
Order Deny,Allow
Deny from all
Allow from 123.123.123.123
</Directory>
Use the <Location> directive (either in server configuration or if it is allowed, in .htaccess). In there, you can use Allow from to deny access to everyone else except some certain source.
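For the phpMyAdmin case in 2.4 syntax, an added example (not from any of the answers above) that combines the 192.168.0.0/16 restriction from the question with HTTP Basic authentication so that a client must satisfy both; the htpasswd path is assumed:

```apache
# Server config or .htaccess (with AllowOverride AuthConfig in effect).
# Needs mod_auth_basic, mod_authn_file, mod_authz_user and mod_authz_host,
# all loaded in a default 2.4 install.
<Location "/phpmyadmin">
    AuthType Basic
    AuthName "phpMyAdmin"
    # Assumed path; create it with: htpasswd -c /etc/apache2/phpmyadmin.htpasswd admin
    AuthUserFile "/etc/apache2/phpmyadmin.htpasswd"
    # Inside RequireAll every Require must pass. Without the container,
    # sibling Require lines merge as RequireAny, and a valid password alone
    # would be enough to reach the page from anywhere on the internet.
    <RequireAll>
        Require ip 192.168.0.0/16
        Require valid-user
    </RequireAll>
</Location>
```

A request from outside 192.168.0.0/16 is refused with 403 before any password is checked, and a request from inside the network still gets a 401 until it presents valid credentials.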
