I have below directory structure in my website,
/public_html
/public_html/admin/
/public_html/admin/js/
/public_html/admin/css/ ....
Basically I want to disallow all direct access to files inside sub folders of /admin, like not allow to access js inside /js/ folder directly but allow it to access from my php page
I added .htaccess file with below code inside /js/ folder,
Order deny,allow
Deny from all
so it is good that it won't allow me to access via browser directly !
BUT when I try to access index.php page in which files of /js/ folder are included using tag, it is not loading up.
So can anyone help me out !
Thanks in advance.
You are not accessing it "from your PHP page". The web server is either serving a request or it isn't. When you load your "PHP page" in a browser, the browser will then go out and request all the Javascript, CSS and image assets linked to from your page. Each of these will be a separate HTTP request to the web server. The web server has no context that this HTTP request is because the asset is linked to from "your PHP page", that's completely irrelevant to it. You can either get the file from the server using an HTTP request, or you can't. And by setting Deny from all, you can't.
You'd have to funnel all requests through a PHP file which checks the login information and only serves the file if the user is properly logged in. E.g. link to scripts.php?file=js/myscript.js and have authentication checking code in scripts.php.
When you restrict a folder like this, you can not include the files that are in it inside your HTML page. It is basically the same request as if the person is accessign directly to the JS by URL.
Usually cpanel tools like
Hotlink Protection
Hotlink protection prevents other websites from directly linking to files (as specified below) on your website. Other sites will still be able to link to any file type that you don't specify below (i.e., HTML files). An example of hotlinking would be using an <img> tag to display an image from your site somewhere else on the Web. The end result is that the other site is stealing your bandwidth.
Index Manager
The Index Manager allows you to customize the way a directory will be viewed on the web. You can select between a default style, no indexes, or two types of indexing. If you do not wish for people to be able to see the files in your directory, choose "No Indexing".
1&2 are tools from usual hosting cpanel. Probably it writes over apache conf files(not sure which ones)
However, you should also be aware of HTTP referer. You could based on this decide when not to show your respurce.
`HTTP referer is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested`
Related
I am working in a website that requires blocking access to internauts via URL to a directory that holds different type of content (images, css files, js files, etc). This content will be used in the website in certain occasions when it is required and only for a few seconds (advertising), therefore the website will require to access this directory, however the client does not want the content of that directory to be available via URL.
I have tried doing it through htaccess, by validating the user with a password. This forbids internauts entering this directory if they don’t have the password, however this method also block the website when it needs to use some of the content within this directory.
Thanks for reading.
You might want to put an appropriate .htaccess file inside of any folder you want to restrict and avoid mod_rewrite
#
# Restrict access by IP address
#
Order Allow,Deny
Allow from 127. # localhost
Be sure to confirm your host IP and update accordingly if it's not the default localhost
I have Apache+Nginx Hybrid server setup running a website with php/mysql backend.
And for security reasons, I am trying to restrict access to my website's internal folders/directories like css, Js and other included php files from direct access of users.
For example if user types https://mywebsite.com/css or https://mywebsite.com/included-php-files/ in the browser url
then it should give him 403 forbidden directory access error.
But when those directories have to be accessed via internal files like index.php in it's Ajax request or Internal inclusions then those directories should be allowed to have access.
I have tried many solutions but they are permanently blocking access even to my website internal files.
/css
/Js
/admin
/sitemap/sitemap files/
These are example of my directories inside my website, I need to hide them from direct access of users from abusing their use.
Last thing I have tried is I added an empty index.php file to each of those folders where I want to stop direct external access, this way when users try to access those folder or directories, It will show them empty page.
But I am hoping if there is some other and better way of doing so, like with nginx or apache ?
Please help me..
I will update if need more clarity about the question..
just use .htaccess file
Put the following line into your .htaccess file
Options -Indexes
Since a week I cant access files in a WordPress sub-folder through a php curl function. Interestingly it works when accessing the file with a browser. When adding a 'fake' user agent header it works with the php curl function too. But I need other users to be able to retrieve the file without this hack.
I believe a WordPress update made those sub-folders more secure by restricting access to only valid user agents (Browsers). Also I believe that a specific htaccess configuration for this sub-folder will open it up again for all user agents, but I have no idea how to write such a htaccess config.
Does anyone have a clue?
Thanks
Aleks
My website deals with images. Whenever a user uploads an image it will be stored in "imagefiles" folder, but the problem is users can see all the images of that folder on web through http. To prevent it I made changes to .htaccess of the folder to be forbidden, but by doing that I am unable to read the images to show it on webpage myself.
So how can I make this folder such that only I can use to read it and when users try to access it through http it should say forbidden?
You could disable the index for that folder, by creating a dummy index.html page, or disabling the default index in your .htaccess with:
<Directory /path/to/image/folder>
Options -Indexes
</Directory>
That will stop people from browsing a directory listing of all images, but not stop them from accessing images directly.
If you want more fine control you should Rewrite all requests to that folder to a PHP script which will check the $_REQUEST['REQUEST_URI'] to determine what image they were trying to load, then if they are allowed to view it by whatever logic you choose, you send out the appropriate headers for the type of image it is, and readfile('/path/to/image');
Probably the most flexible way to do what you want is to get the folder with images out of reach of webserver. Then show them on your page via readfile() (as Paulpro mentioned). There is nice example of how to do that in php manual:
http://www.php.net/manual/en/function.readfile.php
Using this way you will be able very easily control users access to images on your website.
Or you can use mod_rewrite to disable access to directory listing as:
RewriteEngine On
RewriteBase /
RewriteRule ^imagefiles/?$ - [F,L,NC]
i want to deny access (from all non-logged in users) to all the files in a directory from the browser.
Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.
So i dont want others (without logging in) to access the folder and files from the browser, and secondly, i want the users to be able to view only their files in the folder.
I think, Second thing i can do with some condition checks in php, but for the first one, can anyone tell me the htaccess rule to achieve ?
Thank you
dont show them the actual folder path where their files are stored.
Use a php file to fetch the downloadable content.
eg :- download.php?file=mydocument.doc
Cons :
Might be slow
No Download Resume support (I guess)
For the part of .htaccess user access you can take a look here at the .htaccess Password Generator
You can disable default directory browsing using .htaccess.
Open your .htacces file
Look for Options Indexes
If Options Indexes exists modify it
to Options -Indexes or else add
Options -Indexes as a new line
The directory browsing feature should be disable by now
There's article, which describes access control feature of Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html
The easiest variant looks in the following way:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
BTW, this part:
Only a logged in user can access his
files in that folder. The file paths
are stored in the database with the
logged in user id, so that when the
user logs in, he can view or download
only his files.
will require either creation of separate password files for each folder, or some additional scripting.
There are some known issues with this approach:
Basic authentication scheme sends passwords as a clear text, which is not good if your site is accessible by HTTP (not HTTPS). There's also Digest authentication type, but there were some problems with browser support
Logout operation will require browser closing
Generally, I'd recommend:
Apache built-in capabilities - for simple access control without detailed users privileges/rights configuration
Custom access control by means of some web programming tools - for authentication scheme with supposed priveleges/rights configuration. There are many web development frameworks, which provide access control feature.
thanks for your replies, between i found a code snippet that is working just fine.
I inserted the following lines in my .htaccess file:
Order deny, allow
deny from all