Here's my current situation:
I'm rewriting /api to api.php.
RewriteRule ^apidir/url/new?$ api.php [QSA,NC,L]
Now, I am whitelisting IP's for it. However, when I try and use the Files directive to block access, I can't because it is being rewritten.
<Files "\api.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
so, I tried just using it to block the rewritten directory
<Files "\apimashape2013/url/new">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
None of these have worked out.
If you have access to the virtualhost you can use this:
RewriteEngine on
RewriteMap hosts-deny txt:/home/youraccount/deny_list.txt
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteCond %{REQUEST_URI} ^/api [NC]
RewriteRule ^ - [F]
And have the deny_list.txt with the list of IP's or HOST you wish to blacklist:
193.102.180.41 -
bsdti1.sdm.de -
192.76.162.40 -
Read more here.
Alternatively if you don't have access to the virtualhost, you can change the name of your php file to something unique for example thisismyapi.php and use it like this:
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
<Files "thisismyapi.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !thisismyapi.php
RewriteRule ^api/?(.*)$ /api/thisismyapi.php [L]
Why do I change it to other name?
Because this way it will match it anywhere it is so it should work just fine for your needs and will not conflict with other files.
For example in this way it the file was named index.php it would conflict with index.php in other folders.
Not sure why the first <Files> container isn't working. The \ shouldn't have any effect. But the container needs to be in the directory or parent directory of where the api.php file is.
Alternatively, you can include this in your htaccess:
RewriteCond %{REMOTE_ADDR} ^24\.11\.95\.151$
RewriteRule ^/?api.php$ - [L,F]
Related
I like to block all ".php" requests for my site except the "index.php" how can I achieve this with .htacess and the rewrite mod?
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*(.php) [NC]
RewriteRule ^(.*)$ - [F,L]
You can use a negated condition patter in RewriteRule:
RewriteEngine On
RewriteCond %{REQUEST_URI} \.php$ [NC]
RewriteRule !^index\.php$ - [F,NC,L]
I used this for years and it works perfectly. You can add multiple files to allow list separated by |
#PROTECT FILES
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
#ALLOW FILES
<FilesMatch index.php|captcha.php>
Allow from all
</FilesMatch>
rewriting works fine until we add auth to htaccess. Is auth formatted correctly? Why would rewrite work before adding auth?
Request params at the site controller with no auth:
[id] => 433 [type] => city
Params after auth added and the user authenticated:
[site/query]
Sample query url that works without auth:
http://www.website.com/site/query?type=city&id=433
The .htaccess with basic auth at the bottom:
# any visits not coming from this official URL should be rerouted; AJAX cross-domain, www.website.com is not the same as our.company.com
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.website\.com$ [NC]
RewriteRule ^(.*)$ http://www.website.com/$1 [R=301,L]
# route all requests that are NOT static files, through index.php to make the /nice/urls/ work
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?$1 [L]
# disable file listings for directories
Options -Indexes
# disable the fetching of .phtm
<Files ~ "\.phtml$">
Order allow,deny
Deny from all
</Files>
# Protect hidden files from being viewed
<Files .*>
Order Deny,Allow
Deny From All
</Files>
# Protect application and system files from being viewed
RewriteRule ^(?:modules|system)\b.* index.php/$0 [L]
# Allow any files or directories that exist to be displayed directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
AuthType Basic
AuthName "Password required"
AuthUserFile /maps/scorp/main/.htpasswd
Require valid-user
I've got no answer to your nice questions but I hope I found a solution. :)
IMHO in your .htaccess the authorisation will take the advantage. It's a kinda tricky but you can break the priority by enclosing the "Require valid-user" directive into block <Files>. E.g.:
<Files "*.phtml">
Require valid-user
</Files>
I am using
RewriteEngine On
RewriteRule ^.*$ ./index.php
to redirect all my website traffic through index.php and let my php code get the request_uri and route each request accordingly.
I want to restrict access to all other files/directories except one that will contain the js files, css files, images etc.
I found that to do that I can use:
Order deny,allow
Deny from all
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
and then have another .htaccess file inside the public directory to allow certain file types.
When I navigate to localhost/mysite/index.php it works fine since the index.php file is accessible.
But for any other url I get a 403, for example /mysite/home/ is forbidden even though I expected it to work normally.
What can I do get the expected behavior?
My full .htacces file is:
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^.*$ ./index.php
Order deny,allow
Deny from all
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
EDIT: The /public/.htaccess currently looks like this:
<Files ~ "\.(xml|css|jpe?g|png|gif|js|pdf)$">
Allow from all
</Files>
Try this code in /mysite/.htaccess:
DirectoryIndex index.php
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^ index.php [L]
RewriteRule !^(public/|index\.php) [NC,F]
You can use:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php
That is the .htaccess I use for my applications. In the public directory, I only place index.php and JS, CSS and images file that I need, so there is no need to filter them out. Any other file (such as uploads), are save to a folder outside of the public folder - so they are no accessible directly - only via a php script that reads them. I believe that is "best practice".
I have some directories (let's say engine/) that should be accessed only by specific php codes sitting in public directories, so no external access needed at all.
How to restrict every access beside requests from the same domain (where the code deployed at without hardcoding a domain name)?
Can a .htaccess guru help me out here?
It turned out that beside referer based access I have to deny direct access as well somehow.
Here is an example from Using mod_rewrite to control access
SetEnvIf Referer example\.com localreferer
<FilesMatch \.(jpg|png|gif)$>
Order deny,allow
Deny from all
Allow from env=localreferer
</FilesMatch>
UPDATE:
To protect directories with a single .htaccess file at root directory, something like this should work:
Options +FollowSymlinks -MultiViews
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !mydomain\.com [NC]
# Add/Remove directories in next line
RewriteCond %{REQUEST_URI} /(dir1|dir2|dir3) [NC]
RewriteRule .* - [F,NC]
I am trying to use fuelcms in my arch linux lamp server. But I cant make htaccess to work. My home folder is ytsejam/fuel_cms/..
This is my .htaccess file :
Options +FollowSymLinks
<IfModule mod_rewrite.c>
RewriteEngine On
<Files .*>
Order deny, allow
Deny From All
</Files>
# Allow asset folders through
RewriteRule ^(fuel/modules/(.+)?/assets/(.+)) - [L]
# Protect application and system files from being viewed
RewriteRule ^(fuel/install/.+|fuel/crons/.+|fuel/data_backup/.+|fuel/codeigniter/.+|fuel/modules/.+|fuel/application/.+|\.git.+) - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php?/$0 [L]
</IfModule>
Options -Indexes
/var/log/httpd/error_logs show that
/home/ytsejam/public_html/fuel_cms/.htaccess: order takes one argument, 'allow,deny', 'deny,allow', or 'mutual-failure'
can anyone help me ?
You have just inserted additional space after the comma
"deny, allow" must be "deny,allow"