Since a week I cant access files in a WordPress sub-folder through a php curl function. Interestingly it works when accessing the file with a browser. When adding a 'fake' user agent header it works with the php curl function too. But I need other users to be able to retrieve the file without this hack.
I believe a WordPress update made those sub-folders more secure by restricting access to only valid user agents (Browsers). Also I believe that a specific htaccess configuration for this sub-folder will open it up again for all user agents, but I have no idea how to write such a htaccess config.
Does anyone have a clue?
Thanks
Aleks
Related
I have Apache+Nginx Hybrid server setup running a website with php/mysql backend.
And for security reasons, I am trying to restrict access to my website's internal folders/directories like css, Js and other included php files from direct access of users.
For example if user types https://mywebsite.com/css or https://mywebsite.com/included-php-files/ in the browser url
then it should give him 403 forbidden directory access error.
But when those directories have to be accessed via internal files like index.php in it's Ajax request or Internal inclusions then those directories should be allowed to have access.
I have tried many solutions but they are permanently blocking access even to my website internal files.
/css
/Js
/admin
/sitemap/sitemap files/
These are example of my directories inside my website, I need to hide them from direct access of users from abusing their use.
Last thing I have tried is I added an empty index.php file to each of those folders where I want to stop direct external access, this way when users try to access those folder or directories, It will show them empty page.
But I am hoping if there is some other and better way of doing so, like with nginx or apache ?
Please help me..
I will update if need more clarity about the question..
just use .htaccess file
Put the following line into your .htaccess file
Options -Indexes
I have below directory structure in my website,
/public_html
/public_html/admin/
/public_html/admin/js/
/public_html/admin/css/ ....
Basically I want to disallow all direct access to files inside sub folders of /admin, like not allow to access js inside /js/ folder directly but allow it to access from my php page
I added .htaccess file with below code inside /js/ folder,
Order deny,allow
Deny from all
so it is good that it won't allow me to access via browser directly !
BUT when I try to access index.php page in which files of /js/ folder are included using tag, it is not loading up.
So can anyone help me out !
Thanks in advance.
You are not accessing it "from your PHP page". The web server is either serving a request or it isn't. When you load your "PHP page" in a browser, the browser will then go out and request all the Javascript, CSS and image assets linked to from your page. Each of these will be a separate HTTP request to the web server. The web server has no context that this HTTP request is because the asset is linked to from "your PHP page", that's completely irrelevant to it. You can either get the file from the server using an HTTP request, or you can't. And by setting Deny from all, you can't.
You'd have to funnel all requests through a PHP file which checks the login information and only serves the file if the user is properly logged in. E.g. link to scripts.php?file=js/myscript.js and have authentication checking code in scripts.php.
When you restrict a folder like this, you can not include the files that are in it inside your HTML page. It is basically the same request as if the person is accessign directly to the JS by URL.
Usually cpanel tools like
Hotlink Protection
Hotlink protection prevents other websites from directly linking to files (as specified below) on your website. Other sites will still be able to link to any file type that you don't specify below (i.e., HTML files). An example of hotlinking would be using an <img> tag to display an image from your site somewhere else on the Web. The end result is that the other site is stealing your bandwidth.
Index Manager
The Index Manager allows you to customize the way a directory will be viewed on the web. You can select between a default style, no indexes, or two types of indexing. If you do not wish for people to be able to see the files in your directory, choose "No Indexing".
1&2 are tools from usual hosting cpanel. Probably it writes over apache conf files(not sure which ones)
However, you should also be aware of HTTP referer. You could based on this decide when not to show your respurce.
`HTTP referer is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested`
I'm looking to create an admin backend for a website and I'd like each administrator to have their own personal URL to their admin folder which they can specify upon registration, the folder name they type will then be saved in a MySQL database.
I'd then like a .htaccess file to be able to read the URL a user enters and if it's in a users 'admin folder' field in the database it'll rewrite a folder name (for this examplpe we'll call it 'admin') so the user can use their own URL from the database but redirect them to /admin.
For example..
Username - Folder name
richard - myhiddenfolder
A .htaccess file should then grab the current logged in users folder name (set by something like $_SESSION['folder_name']) and load /admin, still displaying the users folder name in the browsers address bar.
Edit
Sorry, my overall question is, how can I grab the session var 'folder_name' and parse it in the .htaccess file to rewrite a folder called 'admin'.
Technically something like that is possible using either mod_rewrite or just plain ol' symlinks (if you got the permissions to do so).
If you go with mod_rewrite, you'll find RewriteMap convinient. However, declarations of RewriteMaps cannot be made in a per-directory Context (this includes .htaccess files), so you need to change the http servers configuration, which is probably not what you want.
You could still change the .htaccess from within your php script each time a user changes his custom folder name. You would then generate rules like:
RewriteCond %{HTTP_COOKIE} (^|;|\s)custom_folder=custom/path(;|$)
RewriteRule /custom/path /admin
This requires the custom path to be set as a cookie. Sadly, there is no way to refer to the cookies value in the RewriteRule test (only in the substitition which is not what we want).
Also make sure that the custom paths do not conflict with any real paths, as that would break the site for the corresponding user.
For symlinks, every time a user changes his admin folders name, you create/remove/update the symlink for him. Of course you still had to check for admin permissions in the admin scripts, as the symlinks are global.
Independent from which method you choose, make sure you check for admin privilegues in your admin scripts.
Edit:
My reply was a little too early for the edited question, so an answer to that would be: It's not possible to directly access php session data from within an .htaccess. You could try to play around with prg: RewriteMaps though.
i want to deny access (from all non-logged in users) to all the files in a directory from the browser.
Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.
So i dont want others (without logging in) to access the folder and files from the browser, and secondly, i want the users to be able to view only their files in the folder.
I think, Second thing i can do with some condition checks in php, but for the first one, can anyone tell me the htaccess rule to achieve ?
Thank you
dont show them the actual folder path where their files are stored.
Use a php file to fetch the downloadable content.
eg :- download.php?file=mydocument.doc
Cons :
Might be slow
No Download Resume support (I guess)
For the part of .htaccess user access you can take a look here at the .htaccess Password Generator
You can disable default directory browsing using .htaccess.
Open your .htacces file
Look for Options Indexes
If Options Indexes exists modify it
to Options -Indexes or else add
Options -Indexes as a new line
The directory browsing feature should be disable by now
There's article, which describes access control feature of Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html
The easiest variant looks in the following way:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
BTW, this part:
Only a logged in user can access his
files in that folder. The file paths
are stored in the database with the
logged in user id, so that when the
user logs in, he can view or download
only his files.
will require either creation of separate password files for each folder, or some additional scripting.
There are some known issues with this approach:
Basic authentication scheme sends passwords as a clear text, which is not good if your site is accessible by HTTP (not HTTPS). There's also Digest authentication type, but there were some problems with browser support
Logout operation will require browser closing
Generally, I'd recommend:
Apache built-in capabilities - for simple access control without detailed users privileges/rights configuration
Custom access control by means of some web programming tools - for authentication scheme with supposed priveleges/rights configuration. There are many web development frameworks, which provide access control feature.
thanks for your replies, between i found a code snippet that is working just fine.
I inserted the following lines in my .htaccess file:
Order deny, allow
deny from all
I just moved a develoment site onto a test production server and I'm testing some things out.
When you go to the root URL (ie rooturl.com), the browser is correctly rendering rooturl.com/index.php without showing the index.php in the address bar.
However, I also have a directory at rooturl.com/admin that also has an index file of index.php, but when I go to rooturl.com/admin I'm getting a 404 not found error. But if I type out rooturl.com/admin/index.php, it loads the page.
Is there a common reason for this?
The last piece of relevant information is that since my client won't switch their domain name to the new host until they are ready with migrating email, etc., I'm currently not able to view the site on the registered URL, I can only access it using the IP address directly which I got from the host.
My gut feeling is that the direct IP address is screwing with how it would normally work, but it's just a guess and I have no idea why that would be the case.
Sounds like it could be an .htaccess rewriting issue. Be sure to check any .htaccess file (hidden, by default) in those directories for any screwy rewrite-rules.
If you're running a MVC project, then the url /admin may be confused for a call to a controller rather than a directory.
My first shoot is that you have .htaccess file and it is redirecting everythind to your root index.php file.