I have a question regarding web application security. I would like to ask how I can hide a specific folder of my website (in this case the admin) from the public. The admin should be accessible only from two or three IPs.
The admin will be visible as follows:
www.mysite.com/admin
Thanks
You can create an .htaccess file and write
order deny,allow
deny from all
# Replace YOUR_IP with the IP you want to allow
allow from YOUR_IP
allow from YOUR_IP
That's about accessing; if you want to hide the file structure, then use
IndexIgnore *
Combine a Directory directive with standard access control.
<Directory /var/www/admin>
Order deny,allow
Deny from all
Allow from 10.10.10.10
Allow from 10.10.10.11
</Directory>
I want to hide my uploads folder, but I want to access it via PHP. Is this possible with .htaccess?
I tried something but it didn't work.
<files "/uploads">
order allow,deny
deny from all
</files>
<folders uploads>
Order Allow,Deny
Deny from all
</folders>
You're almost there, but it depends on what version of Apache you're using also.
The method you're trying is for blocking access to a specific file. If you want to block a folder, add your .htaccess file to that folder and just use:
Below 2.4:
deny from all
2.4 or above:
Require all denied
IMPORTANT EDIT
You can just upload a .htaccess to the folder that you want to block with the following:
Deny from all
If there is some issue, add:
Allow from 127.0.0.1
It worked well for me.
Original answer
Try:
<Directory "/uploads">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
EDIT:
The code above will deny all except the local ip (of your server).
As thickguru said, it also depends on your apache version. Here are some other ways to do it:
<Directory "/uploads">
Require local
</Directory>
It will only allow access if requested by the server (your script or something on the server).
Or:
<Directory "/uploads">
Require ip 127.0.0.1
</Directory>
The same as above, but using the local address. You can also add other IPs to it. All the IPs that you add there will be allowed to access the folder.
I am new to PHP. I want to restrict users from accessing folders: users should not be able to access my images folder, and I have a thumb folder inside that images folder. What should I do for that?
Example: I have a folder _cat_img, and in it I have one more folder named thumb. I want to restrict users from both folders.
I tried to do this with .htaccess, but it's not working.
I am using this in .htaccess:
Deny from All
But it restricts all folders. What should I do to restrict user access to a particular folder? Can anyone help me with this?
Use Directory apache directive for specifying a particular directory. Then give access directives (allow or deny) inside it.
<Directory "fullpath/_cat_img">
Order Deny,allow
Deny from all
</Directory>
<Directory "full_path/thumb">
Order Deny,allow
Deny from all
</Directory>
Edit
To activate .htaccess, edit your Apache conf and add this inside the virtual host section of your website.
<Directory document_root>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Restart apache.
I have a webserver with Apache, say the IP is 12.345.678.90. In my www directory there are a few sites, say, site1 and site2. Both belong to the same IP address - I created virtual hosts. The websites are on the CakePHP framework and there are a lot of directories, for example, app, app/tmp, lib, lib/Cake etc. When accessing the website like http://site1.com or http://site2.com everything is all right, and there is no way these directories can be viewed or accessed, but through the IP I can see everything.
http://12.345.678.90/
http://12.345.678.90/site1/lib
http://12.345.678.90/site1/app
http://12.345.678.90/site1/app/tmp
etc. - all these directories with the files they contain for each site are visible. So, how can I prevent any kind of access through the IP address? Actually, when opening just the IP http://12.345.678.90 it shows nothing, as I had created an empty index.html file, but I can't do that for all the folders (or create an .htaccess for each directory). Can this be handled through a single .htaccess, or maybe better, by the Apache config, or in some other way?
Thanks
Try this
To disable Directory Listing
In your Apache configuration file (httpd.conf), locate the directory section, e.g. /var/www/html:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Remove the word Indexes or change Indexes to -Indexes.
Then restart your Apache server:
service httpd restart
To Restrict Access: Directory Level
You can restrict access to certain directories by adding the following
<Directory "/var/www/html/site1/mydirectory">
Order allow,deny
Deny from all
</Directory>
By adding the above configuration to apache conf file the mydirectory will be blocked/restricted from access.
To Restrict Access: File Level
If you want to restrict a certain file in a directory, add:
<Directory "/var/www/html/site1/mydirectory">
Order allow,deny
Allow from all
<Files myfile.php>
Order allow,deny
</Files>
</Directory>
To prevent access of all files by IP Address
<Files ~ ".+">
Order allow,deny
Deny from all
</Files>
This should work (add it to your main .htaccess file):
Options All -Indexes
This won't allow others to see the files in your folder.
I have various subfolders on my website and I would like for the user not to be able to access them through URL but on the same time my main PHP files to be able to include them or use them as actions on forms or links.
I tried using an .htaccess with
<Files *>
Order Allow,Deny
Deny from All
</Files>
but it denied all access even from within my own scripts. Logical as I found out, but I cannot know how to make it work. Any ideas?
P.S. My main concern is that some of the files are not included in main PHP files BUT they are linked there and their code ends up with a header('Location: ../index.php'); returning to the main page of the project.
I see a lot of answers with Allow,Deny not Deny,Allow
The order of this matters and is causing the problem. You are telling the computer that deny is more important than allow, because it is listed last. To show you... if you say:
<Files .htaccess>
Order Allow,Deny
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
You are saying first Allow anyone Allowed, then Deny All... Which still Denies ALL.
If you reverse to Deny,Allow you are saying Deny All, then Allow anyone Allowed.
<Files .htaccess>
Order Deny,Allow
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
Allow command, being more important, because it is the final command, is therefore allowing those listed after Allow From command.
xxx.xxx.xxx.xxx = Your IP
Do this:
<Files *>
Order Deny,Allow
Allow from 192.168.100.123 127.0.0.1
Deny from all
</Files>
The list of IPs will be specific hosts you allow, like localhost.
This also works with the Directory directive, not just Files, if you want only certain directories blocked.
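The Order behaviour discussed in the answers above can be checked with a small model of how Apache's mod_access_compat combines Allow and Deny. This is an added example, not code from any of the answers; it handles only `all`, full addresses and CIDR ranges, and 203.0.113.7 is a constructed outside client.

```python
import ipaddress

# Constructed samples: same Allow/Deny lines, only the Order differs.
ALLOW_DENY = """Order Allow,Deny
Deny from all
Allow from 192.168.100.123 127.0.0.1"""
DENY_ALLOW = ALLOW_DENY.replace("Order Allow,Deny", "Order Deny,Allow")

def matches(spec, client):
    """True if one Allow/Deny host spec covers the client address."""
    if spec.lower() == "all":
        return True
    # Assumption: only full addresses and CIDR ranges are modelled;
    # Apache also accepts partial addresses and hostnames.
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def parse_rules(text):
    """Collect Order and the Allow/Deny specs from an .htaccess-style snippet."""
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is the default Order
    for line in text.splitlines():
        words = line.split()
        if not words or words[0][0] in "#<":
            continue  # skip blanks, comments and section tags
        key = words[0].lower()
        if key == "order" and len(words) == 2:
            order = words[1].lower()
        elif key == "order":
            # "Order Allow, Deny" (with a space) lands here, as it fails in Apache
            raise ValueError("Order takes exactly one argument: " + line)
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(text, client):
    """Decide access the way the Order directive combines Allow and Deny."""
    order, allow, deny = parse_rules(text)
    allowed = any(matches(s, client) for s in allow)
    denied = any(matches(s, client) for s in deny)
    if order == "allow,deny":
        # Needs an Allow match and no Deny match; unmatched clients are denied.
        return allowed and not denied
    if order == "deny,allow":
        # A Deny match blocks unless an Allow also matches; unmatched are allowed.
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)

if __name__ == "__main__":
    for name, conf in (("Allow,Deny", ALLOW_DENY), ("Deny,Allow", DENY_ALLOW)):
        for ip in ("192.168.100.123", "203.0.113.7"):
            print(name, ip, "allowed" if is_allowed(conf, ip) else "denied")
```

With `Order Allow,Deny` even the listed address is refused, because the `Deny from all` match wins; with `Order Deny,Allow` only the listed addresses get through.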
There is an even safer method. Store your include files below the web accessible folders. So if your web files are here...
/var/www/mysite.com/
Store your include files here:
/var/includes/
Then include them with a full path...
include '/var/includes/myincludes.inc.php';
From the web, the myincludes.inc.php file is completely inaccessible.
Usually, to protect these logic files from public access, you can:
put them in a protected directory, above htdocs
add a check for a public constant: if (!defined('SOME_ROOT_CONST')) { die(); }
change the extension to .inc or something, and deny with .htaccess based on that
Put your application code outside of your public HTML folder. Then you can add an include path at the top of your scripts to allow your script to access them as if they were in the same folder.
http://php.net/manual/en/function.set-include-path.php
In your .htaccess you will have to specify which IPs and hosts you want to allow, and you can do it per directory as well, e.g.
<Directory /dir/to/block>
Order Allow,Deny
Allow from 192.168.0.1 4.4.4.4
Deny from All
</Directory>
<Directory /dir/to/allow>
Order Allow,Deny
Allow from All
</Directory>
I am building a PHP web application with Apache.
There are a few configuration files (like App.yml) whose content I don't want to expose to users under any circumstances. Is there any way that I can tweak my Apache settings so that these files won't be available when hostile users query for them?
The best option would be to place the files outside of your document root.
If that's not possible, you can deny access to them in apache .conf file (or a .htaccess file) with
<Directory /path/to/dir>
Deny from all
</Directory>
You can create a .htaccess file in that directory and place in it
order deny,allow
deny from all
You can also do this if you only want to block one file.
<Files filenamehere>
order deny,allow
deny from all
</Files>