I'm triyng to blobk access to certain files.
I have on my server many files like this
filename_sql.php
Basically i need to disallow user to access directly to sql.php files:
http://url.com/filename_sql.php <<<
I have created an htaccess with this code, but i can access files direcly calling url.
What do I wrong?
<Files ~ "\.sql(.php)?$">
Order allow,deny
Deny from all
</Files>
Thanks all.
Your regex expression is matching filenames that end in ".sql.php", but the example filename you listed ends with "_sql.php"
If you remove the first period, it should match requests like "filename_sql.php" (or anything ending with "sql.php"):
<Files ~ "sql(\.php)?$">
Order allow,deny
Deny from all
</Files>
But, an even better method for keeping these files from being directly accessed, would be to move them outside of the root/public directory.
I think this will do the trick
<Files ~ "\.sql(\.php)?$">
Order allow,deny
Deny from all
</Files>
You forgot to put \ before .php.
Related
For example.
I have this file in this link:
http://www.anothersite.com.br/example/product.view_bkp_20052020
And in my .htaccess file I have this rule:
<Files ~ "\.view$">
Order allow,deny
Deny from all
</Files>
But, I can access the file when used characters together.
I've tried to avoid access files on my webspace in general. Only the index.php should be allowed. I don't want to reach this goal without using mod_rewrite. My actual code is the following:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
It works when I'm calling my website like www.example.com/index.php, but it doesn't work when I leave the index.php from the URL like www.example.com/
I thought the Apache webserver would know to use the index.php when no segment to the URL is added.
Can you help me out here to understand it and tell .htaccess to allow a raw domain-call?
i think you better have to use some regular expressions to solve this issue
using <FilesMatch> tag instead of <Files> tag
<FilesMatch "^(index\.php)?$">
Order Allow,Deny
Allow from all
</FilesMatch>
1) My wp-content is hardened with a .htaccess file containing this code:
<Files *.php>
deny from all
</Files>
2) I want (need) to authorize xml-sitemap-xsl.php Otherwise I get this error in my error log: client denied by server configuration: /home/user/mysite.net/wp-content/plugins/wordpress-seo/css/xml-sitemap-xsl.php, referer: http://mysite.net/sitemap_index.xml
3) I think I should add the following code but I’m not sure if it’s the right code nor where to place it:
<Files "xml-sitemap-xsl.php">
Allow from all
</Files>
The thing I want to avoid is a conflict between the deny and allow commands.
Thanks,
P.
This has not much to do with Wordpress and I am not an expert regarding .htaccess, but I believe that what your file is doing is not denying access to your directory by all .php files, rather, denying access to all the .php files inside the directory.
The <Files> directive is used to add specific rules to specific files and, as far as I know, it cascades.
Considering your comment, this should do the trick
<Files *.php>
deny from all
</Files>
<Files "xml-sitemap-xsl.php">
Order Allow,Deny
Allow from all
</Files>
see: Deny direct access to all .php files except index.php
I have various subfolders on my website and I would like for the user not to be able to access them through URL but on the same time my main PHP files to be able to include them or use them as actions on forms or links.
I tried using an .htaccess with
<Files *>
Order Allow,Deny
Deny from All
</Files>
but it denied all access even from within my own scripts. Logical as I found out, but I cannot know how to make it work. Any ideas?
P.S. My main concern is that some of the files are not included in main PHP files BUT they are linked there and their code ends up with a header('Location: ../index.php'); returning to the main page of the project.
I see a lot of answers with Allow,Deny not Deny,Allow
The order of this matters and is causing the problem. You are telling the computer that deny is more important than allow, because it is listed last. To show you... if you say:
<Files .htaccess>
Order Allow,Deny
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
You are saying first Allow anyone Allowed, then Deny All... Which still Denies ALL.
If you reverse to Deny,Allow you are saying Deny All, then Allow anyone Allowed.
<Files .htaccess>
Order Deny,Allow
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
Allow command, being more important, because it is the final command, is therefore allowing those listed after Allow From command.
xxx.xxx.xxx.xxx = Your IP
Do this:
<Files *>
Order Deny,Allow
Allow from 192.168.100.123 127.0.0.1
Deny from all
</Files>
The list of IP's will be specific hosts you allow, like localhost.
This also works with the directive, not just file, if you want only certain directories blocked.
There is an even safer method. Store your include files below the web accessible folders. So if your web files are here...
/var/www/mysite.com/
Store your include files here:
/var/includes/
Then include them with a full path...
include '/var/includes/myincludes.inc.php';
From the web, the myincludes.inc.php file is completely inaccessible.
Usually to protect these logic files from public access you can
put it in protected directory, above htdocs
add a check for public constant.. if(!is_defined(some_root_const)){die();}
change extension to .inc or something.. and deny with .htaccess based on that
put your application code outside of your public html folder. then you can add an include path at the top of your scripts to allow your script to access them as if they were in the same folder.
http://php.net/manual/en/function.set-include-path.php
In you .htaccess you will have to specify which IP's, hosts you want to allow and you can do it per directory as well. for e.g.
<Directory /dir/to/block>
Order Allow,Deny
Allow from 192.168.0.1 4.4.4.4
Deny from All
</Directory>
<Directory /dir/to/allow>
Order Allow, Deny
Allow from All
</Directory>
Here's my .htaccess
<Files *>
Order Deny,Allow
Deny from all
</Files>
<Files index.php>
Order Deny,Allow
Allow from all
</Files>
This is not working, cause if I type the hostname in my browser, it serves the index.php but apache doesn't seem to apply the Files instructions and instead returns a non-allowed file access page, I need typing the fullname document (e.g. 'index.php') to make it work. which is not really convenient...
how to proceed if I want users only access index files of each folder in my website ?
all the other files are just script inclusions so i believe i'm doing right trying to make them inaccessible from the web (or maybe not, if only you have one reason to prove the other case).
Regardless the question above, is it the right way to do the job ? (I think the two directives here are not neat but it's the only way, well almost the only way that I know to avoid accesses to files).
Not exactly sure why you need to do this, but you can use mod_setenvif (no need to wrap this inside a <Files>)
SetEnvIf Request_URI ^/index.php$ index
Order Allow,Deny
Allow from env=index
This will cause access to hostname.com/ to 403 but allow hostname.com/index.php. If you want to allow / as well, just add
SetEnvIf Request_URI ^/$ index
to the top. Of course, all this will make it so anything that index.php links to will also return a 403.
<Files *?>
Order deny,allow
Deny from all
</Files>
You just need to add a question mark to match at least one character.