I have a Rackspace Cloud Sites account and I'm trying to enable PHP for a single html file in a specific directory under my root site folder.
I have a .htaccess file in my root folder. And my document root from using $_SERVER['DOCUMENT_ROOT'] is /mnt/stor1-wc2-dfw1/myaccnum/servernum/mydomain.com/web/content(I've obscured a few details but the basic structure is intact).
I then do the following (which I saw on another SO answer):
<Directory "/mnt/stor1-wc2-dfw1/myaccnum/servernum/mydomain.com/web/content/mydir">
<Files "index.html">
AddType application/x-httpd-php .html .htm
</Files>
</Directory>
However, I'm getting error "500 Internal Server Error". If I take away <Directory> and <Files> everything works but for all files.
How can I fix this?!
You cannot add types per directory or location. However, you can manipulate the engine ini setting of PHP. Set it to off globally and enable it only for your index.html.
Related
Using Apache it's easy to enable PHP for all files of any extension:
AddHandler application/x-httpd-php .css .js .txt .xml
How do I enable PHP for only a specific file but not all other files with that same extension?
I have tried AddHandler application/x-httpd-php test.xml and it did not work and the search engines aren't coughing up anything remotely relevant.
AddHandler can be used inside a <Files> container.
AddHandler Directive
Description: Maps the filename extensions to the specified handler
Context: server config, virtual host, directory, .htaccess
... where directory stands for:
directory
A directive marked as being valid in this context may be used inside <Directory>, <Location>, <Files>, <If>,
and <Proxy> containers in the server configuration files,
subject to the restrictions outlined in Configuration Sections.
And <Files> can be used from .htaccess just fine:
<Files> Directive
Description: Contains directives that apply to matched filenames
Context: server config, virtual host, directory, .htaccess
Simply:
<Files hello.html>
AddType application/x-httpd-php .html
</Files>
The file tag selects only hello.html,the AddType then adds php support for all files it can "access". Due to the Files header, it can only "access" hello.html, and so only enable php for this one.
I recently played with a .htaccess file to make one server to parse PHP files. Yesterday I uploaded the same .htaccess file and tried to test a PHP file. But something went wrong: visiting my page the browser offers to download the the html page rather then viewing the page!
On the server the filenames end in .html.
I added the following to my .htaccess file:
AddType application/x-httpd-php .html
I tried to find the htaccess file, but once uploaded it just disappears from the root dir.
I tried to upload other scripts I've found browsing. I even tried to search for some problem on a hosting forum. Nothing helped.
Please help!
Try this
AddType application/x-httpd-php .php .htm .html
OR
AddHandler application/x-httpd-php .php .htm .html
And remove other overriding handlers for application/x-httpd-php after above code.
Right, firstly things first, what host do you use?
Also what ftp client you are using? Some by default won't display files starting with . such as .htaccess and .htpasswd, that's why it may appear that you didn't upload it. Also it might be that you don't have the rights to upload in the very root directory, try to go one directory up.
Also from my experience, hosts won't allow you to modify headers via .htaccess this way, because the allowoverride directive is off; instead have a look at url rewrites (via mod_rewrite), which allow you to do the same thing without modifying headers.
Your rewrite .htaccess file might look something like:
RewriteEngine On
RewriteBase /
RewriteRule ^(\w+)\.html$ $1.php [NC]
(Not tested though)
Using a rewrite will also mean that your files will in fact maintain the php extension, however they will be access via urls that include .html extension.
i have a php project which has a configuration file config.php that stores config information like database info, directories, etc.
normally we would include this config file at the top of every php page like require_once(".../config.php); however, i have found a way to do this by creating a .htaccess file and include this:
php_value auto_prepend_file /home/public_html/..../config.php
this works fine until i transferred it to the shared hosting. apparently, this shared hosting allows us to change the PHP version from 4x to 5x. After changing to 5x, i realised they have created a .htaccess file with the following content:
<FilesMatch "\.php$"> # phpvs v5
AddHandler x-httpd-php5 .php # phpvs v5
</FilesMatch> # phpvs v5
with this, it ignores the include path to the config file.. how can i go about fixing this? i certainly do not wanna include my config.php in every php files.
An htaccess file is not restricted to containing a single directive. You can have both.
normally we would include this config file at the top of every php page like require_once(".../config.php); however, i have found a way to do this by creating a .htaccess file and include this
Probably not the wisest move. It is more stable and portable to do this in your PHP than to rely on .htaccess. Relying on .htaccess means if your web server is changed or reconfigured it's likely to stop working (as you found).
I know it doesn't answer your question but I would consider going back to doing this using require_once() in the appropriate PHP files.
I'm loading my files (pdf, doc, flv, etc) into a buffer and serving them to my users with a script. I need my script to be able to access the file but not allow direct access to it. Whats the best way to achieve this? Should I be doing something with my permissions or locking out the directory with .htaccess?
The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.
However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,
Order deny,allow
Deny from all
Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.
That is how I prevented direct access from URL to my ini files. Paste the following code in .htaccess file on root. (no need to create extra folder)
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
my settings.ini file is on the root, and without this code is accessible www.mydomain.com/settings.ini
in httpd.conf to block browser & wget access to include files especially say db.inc or config.inc . Note you cannot chain file types in the directive instead create multiple file directives.
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
to test your config before restarting apache
service httpd configtest
then (graceful restart)
service httpd graceful
Are the files on the same server as the PHP script? If so, just keep the files out of the web root and make sure your PHP script has read permissions for wherever they're stored.
If you have access to you httpd.conf file (in ubuntu it is in the /etc/apache2 directory), you should add the same lines that you would to the .htaccess file in the specific directory. That is (for example):
ServerName YOURSERVERNAMEHERE
<Directory /var/www/>
AllowOverride None
order deny,allow
Options -Indexes FollowSymLinks
</Directory>
Do this for every directory that you want to control the information, and you will have one file in one spot to manage all access. It the example above, I did it for the root directory, /var/www.
This option may not be available with outsourced hosting, especially shared hosting. But it is a better option than adding many .htaccess files.
To prevent .ini files from web access put the following into apache2.conf
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
How about custom module based .htaccess script (like its used in CodeIgniter)? I tried and it worked good in CodeIgniter apps. Any ideas to use it on other apps?
<IfModule authz_core_module>
Require all denied
</IfModule>
<IfModule !authz_core_module>
Deny from all
</IfModule>
I'm making a website which allows people to upload files, html pages, etc... Now I'm having a problem. I have a directory structure like this:
-/USERS
-/DEMO1
-/DEMO2
-/DEMO3
-/etc... (every user has his own direcory here)
-index.php
-control_panel.php
-.htaccess
Now I want to disable PHP, but enable Server-side includes in the direcories and subdirectories inside /USERS
Can this be done (and if so, how)?
I use WAMP server
Try to disable the engine option in your .htaccess file:
php_flag engine off
To disable all access to sub dirs (safest) use:
<Directory full-path-to/USERS>
Order Deny,Allow
Deny from All
</Directory>
If you want to block only PHP files from being served directly, then do:
1 - Make sure you know what file extensions the server recognizes as PHP (and dont' allow people to override in htaccess). One of my servers is set to:
# Example of existing recognized extenstions:
AddType application/x-httpd-php .php .phtml .php3
2 - Based on the extensions add a Regular Expression to FilesMatch (or LocationMatch)
<Directory full-path-to/USERS>
<FilesMatch "(?i)\.(php|php3?|phtml)$">
Order Deny,Allow
Deny from All
</FilesMatch>
</Directory>
Or use Location to match php files (I prefer the above files approach)
<LocationMatch "/USERS/.*(?i)\.(php3?|phtml)$">
Order Deny,Allow
Deny from All
</LocationMatch>
If you're using mod_php, you could put (either in a .htaccess in /USERS or in your httpd.conf for the USERS directory)
RemoveHandler .php
or
RemoveType .php
(depending on whether PHP is enabled using AddHandler or AddType)
PHP files run from another directory will be still able to include files in /USERS (assuming that there is no open_basedir restriction), because this does not go through Apache. If a php file is accessed using apache it will be serverd as plain text.
Edit
Lance Rushing's solution of just denying access to the files is probably better
<Directory /your/directorypath/>
php_admin_value engine Off
</Directory>
This will display the source code instead of executing it:
<VirtualHost *>
ServerName sourcecode.testserver.me
DocumentRoot /var/www/example
AddType text/plain php
</VirtualHost>
I used it once to enable other co-worker to have read access to the source code from the local network (just a quick and dirty alternative).
WARNING !:
As Dan pointed it out sometime ago, this method should never be used in production. Please follow the accepted answer as it blocks any attempt to execute or display php files.
If you want users to share php files (and let others to display the source code), there are better ways to do it, like git, wiki, etc.
This method should be avoided! (you have been warned. Left it here for educational purposes)
None of those answers are working for me (either generating a 500 error or doing nothing). That is probably due to the fact that I'm working on a hosted server where I can't have access to Apache configuration.
But this worked for me :
RewriteRule ^.*\.php$ - [F,L]
This line will generate a 403 Forbidden error for any URL that ends with .php and ends up in this subdirectory.
#Oussama lead me to the right direction here, thanks to him.
If you use php-fpm, the php_admin_value will NOT work and gives an Internal Server Error.
Instead use this in your .htaccess. It disables the parser in that folder and all subfolders:
<FilesMatch ".+\.*$">
SetHandler !
</FilesMatch>
This might be overkill - but be careful doing anything which relies on the extension of PHP files being .php - what if someone comes along later and adds handlers for .php4 or even .html so they're handled by PHP. You might be better off serving files out of those directories from a different instance of Apache or something, which only serves static content.
On production I prefer to redirect the requests to .php files under the directories where PHP processing should be disabled to a home page or to 404 page. This won't reveal any source code (why search engines should index uploaded malicious code?) and will look more friendly for visitors and even for evil hackers trying to exploit the stuff.
Also it can be implemented in mostly in any context - vhost or .htaccess.
Something like this:
<DirectoryMatch "^${docroot}/(image|cache|upload)/">
<FilesMatch "\.php$">
# use one of the redirections
#RedirectMatch temp "(.*)" "http://${servername}/404/"
RedirectMatch temp "(.*)" "http://${servername}"
</FilesMatch>
</DirectoryMatch>
Adjust the directives as you need.
I use in Centos 6.10 for multiple folders in virtual host .conf definitioin file:
<DirectoryMatch ^/var/www/mysite/htdocs/(nophpexecutefolder1|nophpexecutefolder2)>
php_admin_value engine Off
</DirectoryMatch>
However, even though it doesn't parse php code the usual way it still outputs from a .php things such as variable declarations and text when doing echo e.g.
<?php
echo "<strong>PHP CODE EXECUTED!!";
$a=1;
$b=2;
echo $a+$b;
The above produces in web browser?
PHP CODE EXECUTED!!"; $a=1; $b=2; echo $a+$b;
This could potentially expose some code to users which isn't ideal.
Therefore, it's probably best to use the above in combination with the following in .htaccess:
<FilesMatch ".*.(php|php3|php4|php5|php6|php7|php8|phps|pl|py|pyc|pyo|jsp|asp|htm|html|shtml|phtml|sh|cgi)$">
Order Deny,Allow
Deny from all
#IPs to allow access to the above extensions in current folder
# Allow from XXX.XXX.XXX.XXX/32 XXX.XXX.XXX.XXX/32
</FilesMatch>
The above will prevent access to any of the above file extensions but will allow other extensions such as images, css etc. to be accessed the usual way. The error when accessing .php:
Forbidden
You don't have permission to access /nophpexecutefolder1/somefile.php on this server.
<Files *.php>
Order deny,Allow
Deny from all
</Files>