I want to limit the access for some pages in my web site. I have some BL pages in PHP and I want to limit thier access to only internal access.
I mean that I want that these pages will be denied if the user type them in the browser, but will be accessible if another PHP page will call them (with POST or GET requests).
Is it possible to do that in the .htaccess file?
If it is, how?
Just to clarify, the php page isn't the one sending POST or GET request, it's the browser, which means you can't block by IP. So you need to be checking against the referer here. Problem with that is the referer can be easily forged so this is no guarantee that you'll be denying access.
You can check the referer using the %{HTTP_REFERER} variable in mod_rewrite and then use the F flag to deny access:
RewriteEngine On
# if the request's referer isn't from a php page on your site
RewriteCond %{HTTP_REFERER} !^https?://your-domain.com/.*\.php
# deny access to the list of php files
RewriteRule ^(path/to/protected.php|path/another_protected.php|images/protected.png)$ - [L,F]
you can restrict by user agent.. but it's not the better way...
RewriteCond %{HTTP_USER_AGENT} (Chrome|Firefox|Webkit)
RewriteRule .* -
if you know from where the request come from just add
Order allow deny
Allow from xx.xx.xxx.xx/xx
deny from all
sorry the poor english
Related
I am running a LAMP server on ubuntu and I want to restrict access to a login page URL to localhost for security reasons at the level of the apache2.conf file. (The login URL looks like /wiki/foo.php?id=start&do=login) without restricting access to the rest wiki.
To reiterate, we are restricting access to the login function only, and NOT restricting access to foo.php?whateverelse&something, etc. - e.g. we only want to restrict access specifically to the ?id=start&do=login part of the URL. How do we do this with a LAMP server?
You could do something like the following using mod_rewrite in the server config to serve a 403 Forbidden if the client making the request for that specific URL does not have the IP address 127.0.0.1 (ie. localhost):
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{QUERY_STRING} ^id=start&do=login$
RewriteRule ^/?wiki/foo\.php$ - [F]
Reference:
https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule
I am currently running a PHP website, and I was wondering if there is any way to deny access to an image, if the directory was entered in the browser bar, but still be able to use said image in my Page with the <img src=""> tag.
I store said image in a directory called "images" which is on the same level with my main page "home.php". I am familiar with the .htaccess file and the deny from all command in it, however, as I said, it will not display the 'forbidden' files in the other pages. I hope that somebody can help me. Thanks!
Maybe you can try this:
<Files "./your_directory/yourfile.png">
Order Allow,Deny
Deny from all
</Files>
Basically, I believe that the answer would be "no," because in both cases the user's browser is the party making the request. Apache might not know or be able to distinguish between two "reasons" why the browser is making such a request.
On the other hand, programmatic code within your host-side application possibly could. Either directly or using mod_rewrite tricks, you could direct the incoming request to a server-side script, which can examine the entirety of the HTTP request and determine what sort of response it should produce: image-content, or 404. In this scenario, Apache accepts the request ... does not Deny it ... but instead of serving the image directly itself, it hands-off to a script which makes that decision. (The script can still gulp the data from a file, probably from a directory that Apache will not directly serve at all, so it can be "reasonably fast.")
By the way: you can use directives, at the <Directory> or <Location> level, to force "hand this request off to such-and-such script" behavior, so that, when the user's browser "requests such-and-such image," Apache runs that handler-script instead, passing a URL that includes the name of the requested file. The user won't be able to know what actually happened.)
You can accomplish this many ways, but internet jargon this is called "hotlinking". You can use this tool http://www.htaccesstools.com/hotlink-protection/ to create your own .htaccess file.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
I have an underdeveloped website which is live on the net now (need remote access). This site has both php/html output for human visitors and .json output for the API. Currently I want it this way that if a human visitor visits the site, he/she will be redirect to a coming soon page. but if the request contains .json, it will be delivered. Note: the json requests on the api looks like:
example.com/../..../example.json
example.com/../../example.json/all/etc
Is there any way using .htaccess I can achieve such functionality? Thanks
Not sure if this is what you're looking for, but in order to allow access only to URLs containing ".json", and show a coming_soon.htm page otherwise, use the following .htaccess:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !.json
RewriteRule ^.* coming_soon.htm [L]
I have a file that I don't want users to be able to navigate to on their own accord. However, if they click a link that sends them there, it's okay for the page to work. I currently have my htaccess file set up like so.
<Files "success.php">
Order Allow,Deny
Deny from all
</Files>
success.php is the name of the file, and in the directory of the success.php, I have the following in a htaccess file:
RewriteRule /?\.htaccess$ - [F,L]
RewriteRule ^/?admin/paypal/success\.php$ - [F,L]
Will users still be able to get to success.php if they're directed there, because I know you're shown a 403 error if you just try to navigate there.
If it is the case that they will be blocked from being directed there, is there a way I can fix this?
When I type a URL to "success.php" in my browser's location bar and hit enter, my browser sends a request for success.php.
When I go to your website and click on a link that takes me to "success.php", my browser sends a request for success.php.
It's exactly the same, just because I click on a link on your site vs typing it in my browser, both are requested exactly the same. So when you deny access, you deny all access. What you need to check for the is "Referer" header, which browsers can (optionally) include in a request to let the webserver know what URL it just came from. Referers can be easily forged or sometimes omitted, so checking the referer isn't a guarantee.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://example.com/ [NC]
RewriteRule ^admin/paypal/success\.php$ - [F,L]
So if someone loads any page on the "example.com" site (e.g. your site) and then clicks on a link that goes to the success.php page, they'll be fine. Any other access from anywhere else will be 403.
My PHP app uses 404 Documents to generate HTML files so that multiple queries to the same HTML file only cause the generation to run once.
I'd like to intercept requests to the HTML files so that the user needs to have an established PHP Session in order to pull up the files.
In the best case, SESSION ID would be used in the URL and force it could be used as a further authentication. For example, logging in would issue you a SessionID and make only certain HTML files accessible to you.
I'm aware that by changing my cookies I could spoof a request, but that's fine.
How would I go about doing this?
Something like this could work (I haven't tested it):
RewriteCond %{HTTP_COOKIE} PHPSESSID=([a-zA-Z0-9]+)
RewriteCond %{REQUEST_FILENAME} %{REQUEST_FILENAME}-%1.html
RewriteRule ^ %{REQUEST_FILENAME}-%1.html
It assumes that you append "-$session_id.html" to filenames ($session_id is PHP's session ID).
It should be safe, and the benefit is that files are served by the web server directly without invoking PHP at all.
SetEnvIf HTTP_COOKIE "PHPSESSID" let_me_in
<Directory /www/static/htmls>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>
Of course user can manually create such cookie in his browser (there are extensions which do that for Firefox, and you can always edit your browser's cookie store).
You could use the Apache module mod_rewrite to redirect requests of .html URLs to a PHP script:
RewriteEngine on
RewriteRule \.html$ script.php [L]
The requested URI path and query is then available in the $_SERVER['REQUEST_URI'] variable.
Put you cached files out of your web root, but still in a place where PHP can access them.