In my .htaccess file, I am using the below to prevent direct access to folders:
Options -Indexes
I am using the below to prevent access to a critical file of ours:
<Files admin.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from (my ipaddress)
</Files>
So, now users cant go to www.domain.com/scripts as it throw 404 error, nor can they access admin.php
But how do I prevent direct access to all?
For example, if someone knew the filename, they can still get to it, such as: www.domain.com/scripts/process.php
What to do?
Using mod_rewrite:
Put this rule on top of all other rules:
RewriteRule ^scripts(/.*|)$ - [F,NC]
Without using mod_rewrite:
Put this code in scripts/.htaccess:
Order Deny,Allow
Deny from all
UPDATE: To block direct access to all files:
# If the request is for a valid file
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{THE_REQUEST} \..+[\s?]
# return forbidden error if not static files
RewriteRule (?!^.+\.(?:jpe?g|gif|bmp|png|tiff|css|js)$)^.*$ - [F]
Related
I have a website where the main directory contains a few files i don't want to be directly accessed using urls like this:
http://website.com/somefile1.ext1
http://website.com/somefile2.ext1
http://website.com/somefile1.ext2
http://website.com/somefile2.ext2
Currently they download if you enter the urls in a browser. Instead i would like to redirect them to a error page like this:
http://website.com/404
I found this snippet online but it doesn't work, it also doesn't redirect:
<Files ~ "\.(ext1)$">
Order allow,deny
Deny from all
</Files>
What would the correct .htaccess code be to do this task?
Edit:
I redirect site.com/script.php etc to site.com/script with this code:
RewriteEngine On
# turn on the mod_rewrite engine
RewriteCond %{REQUEST_FILENAME}.php -f
# IF the request filename with .php extension is a file which exists
RewriteCond %{REQUEST_URI} !/$
# AND the request is not for a directory
RewriteRule (.*) $1\.php [L]
# redirect to the php script with the requested filename
Try it like this I didn't tried it for now,
RewriteEngine On
RewriteCond %{REQUEST_URI} \.ext\d$
RewriteRule ^ 404 [R=301]
Try
<FilesMatch "somefile\.ext$">
Deny from all
</FilesMatch>
You don't need to use the Order directive if you want to deny access from all.
I want to add a htaccess to allow visits from a specific ip.
The tree goes like this
domain
/abc/
/def/
I want to restrict the folder /abc/ but whitelist the folder /def/
Also, on the /abc/ there is a specific file called ghi.php. Can I allow access to that specific file ?
How can I do this?
This is what i have in /abc/ that redirects everyone who is not into the specified ip. However, I want to allow access to the ghi.php inside that dir.
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^125\.17\.119\.16$
RewriteRule ^ http://www.domain.com/ [R]
I would not use mod_rewrite for content protection, use the modules that are created for this:
# Default: deny all
Order Allow,Deny
# Allow the IP for everything
Allow from 125.17.119.16
# Allow access to this one PHP file
<Files /abc/ghi.php>
Allow from all
</Files>
# Allow access to everything inside that folder
<FilesMatch "^/def/">
Allow from all
</FilesMatch>
Try :
RewriteEngine on
#Allow access to the file
RewriteRule ^abc/ghi\.php$ - [L]
#forbid the request for /abc/* if ip not=1.2.3.4.5
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4\.5$
RewriteRule ^abc - [F,L]
If you want to redirect the request to homepage, just change the line
RewriteRule ^abc - [F,L]
to
RewriteRule ^abc http://example.com/ [L,R]
I'm having a problem with .htaccess and PHP-files in a sub folder. What I'm trying to achieve is to prevent anyone from being able to access any file in my sub folder - BUT I want my index.php to be able to access those files.
DOCROOT/subfolder -> www.somewebsite.com/subfolder/somefile.php
-> Access Denied
BUT
[index.php]
<form action="/subfolder/somefile.php">
...
</form>
-> Success!
I would love to solve this by just using .htaccess. I tried deny from alland also some RewriteRules but those Rules also kill any request from index.php.
I tried
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from somewebsite.com
Satisfy Any
but the request from index.php is being denied. Can anyone help, please?
This is a misconception that people have. Just because you're linking to PHP files from another PHP file doesn't mean the index.php file is accessing them. The end-user/browser is still accessing them, it's just it's being told where to go by your index.php file. Has absolutely nothing to do with how it's being accessed. In both of your cases, they're being accessed by the browser.
The best you can do is to look at the referer field. It can be easily forged to get around this, but it's the only thing you can do.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(example.com|127\.0\.0\.1) [NC]
RewriteRule ^subfolder/ - [L,F]
where "example.com" is your site.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.hello.com/index.php
RewriteRule .*subfolder/somefile\.php - [NC,F]
The second line checks whether the visitor is not coming from a certain url. The 3rd line blocks them from accessing somefile.php
In your .htaccess you could redirect any requests to files inside that directory other than index.php as follows:
<directory "DOCROOT/subfolder">
RewriteCond %{REQUEST_FILENAME} !=/DOCROOT/subfolder/index.php
RewriteRule ^/(.+)$ redirect.php [L]
</directory>
I have mp3's in a directory called /mp3/ and I want to be able to access them only from another page.php in another directory /main/ on the site.
No direct linking from outside.
All of the pages are written in php
I put this code in the .htaccess file inside the /mp3/ directory...
Order deny,allow
deny from all
allow from 127.0.0.1
allow from localhost
allow from mydomain.com
allow from 123.45.678.90 # that's myserver's IP address (real one used in code)
Satisfy Any
But none of those work.
It does work however if I use the IP address of were I am.
allow from 1.2.3.4 # my internet connection (real one used in code)
But that means it would work for anyone and their IP address.
What am I missing here? Does this work only on certain servers?
How do I make it use the server's IP address and not my IP address?
Look into "hotlink protection" added to your .htaccess file. You can set it up for just .mp3 file extension, and forbid access by any foreign site or directly from browsers. You might even be able to restrict access from within your own site, but I can't see that being terribly useful.
Something like
RewriteEngine on
Options +FollowSymlinks
# hotlink protection and allowed list
# don't forget to add https: to allow accesss for any with SSL
## uncomment following line to PERMIT direct browser access of mp3 files
#RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com(/)?.*$ [NC]
RewriteRule .*\.mp3$ - [F,NC]
Place the files you want to protect out of the public folder. This way they are only accessible via your scripts.
-root
--mp3s
--public_html
---main
----index.php
----page.php
You are trying to limit a "referral" and not direct access?
Denying from an IP limits all access, whether referred to by your page.php or by typing it into the browser's URL location bar. If you're trying to limit referrals, you can try using something like:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain.com/ [NC]
RewriteRule ^mp3/ - [L,F]
but be warned that referers can be spoofed.
What about something like this, in your .htaccess
<Files ~ ".mp3$">
Order allow,deny
Deny from all
</Files>
This will not allow direct access to any files with .mp3 from your web server.
Place this code in your mp3/.htaccess file:
RewriteEngine on
RewriteBase /mp3/
RewriteCond %{HTTP_REFERER} !^https?://(localhost|(www\.)?mydomain\.com)/ [NC]
RewriteRule ^ - [F]
I have nearly 30 php files, 4 sub directories in my directory. I want to block some php files and sub directories from user in direct viewing like http://bhavani.com/hai.php
My currect htaccess file
## Enable Mod Rewrite, this is only required once in each .htaccess file
RewriteEngine On
RewriteBase /
## Test for access to includes directory
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /includes/ .*$ [NC]
## Test that file requested has php extension
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
## Forbid Access
RewriteRule .* - [F,NS,L]
How to do it?
You can filter the files like this
<Files ~ "\.php$">
Deny from all
</Files>
And directory like this
<Directory "/subdirectory">
Deny from all
</Directory>
You don't need mod_rewrite to accomplish this. A much simpler way of doing this would be with RedirectMatch directive from mod_alias:
RedirectMatch 403 ^.*/include/*\.php$
This will automatically respond with 403 Forbidden to a direct request for any PHP file inside include subdirectory, however you would still be able to include them from inside other php files.
I think you can use only RewriteRule without RewriteCond
For example:
RewriteRule ^/hai\.php - [F, NS, L]
This rule forbid access to file hai.php
For other files you can use other Rule or use mask.