I'd like to deny multiple files through htaccess.
<FilesMatch (profile|reg|register|..............|)\.php>
order allow,deny
deny from all
</FilesMatch>
I have lots of files (6 folders with like 30 files each) that I want to deny access to, so using the method above by entering them one by one will take time.
Could I deny access to all files in the folders like this?
<Directory /www/php/login/pages>
Order Allow,Deny
</Directory>
To multiple
<FilesMatch "(foo|bar|doo)\.php$">
Deny from all
</FilesMatch>
or go for rewrite rules (RewriteEngine On)
RewriteRule \.(psd|log)$ - [NC,F]
To deny access to all files in the folders:
rewriteRule ^www/php/login/pages - [NC,F]
or simply place a `Deny from all' directly in that folder...
Update 2015: Using Apache 2.4 or higher, the `Deny from all' would needs adjustment.
You would need to add "deny from all" like your initial approach, but yes you can.
Scroll down in the documentation for the syntax you are looking for: http://httpd.apache.org/docs/2.2/mod/core.html#directory
Related
I need the server to only allow access to three files (index.php, estilo.css and scripts.js), and deny access to any other file type in the directory.
I think the easiest way to do this would be through .htaccess. But if there is another way...
In .htaccess you can deny access to all files and then specifically allow access just to these three files. However, exactly how you do this depends on whether you are using Apache 2.4+ or an earlier version of Apache.
On Apache 2.4+
Require all denied
<FilesMatch "^(index\.php|estilo\.css|scripts\.js)$">
Require all granted
</FilesMatch>
On Apache 2.2
Order Deny,Allow
Deny from all
<FilesMatch "^(index\.php|estilo\.css|scripts\.js)$">
Allow from all
</FilesMatch>
I want to deny direct access to all files, except one: go.php.
I've read this question, but in my case it doesn't work because I send also a GET parameter.
That means that all files should be denied, except when trying to go to www.domain.com/go.php?code=xyz123.
My code now:
Order Allow,Deny
deny from all
allow from [my IP here]
<FilesMatch "go.php">
Allow from all
</FilesMatch>
How can I fix it?
Thanks!
EDIT 1
I updated the code to:
<Files go.php>
Allow from all
</Files>
Now it does allow if the url is domain.com/go.php?code=123. The thing is that I use pretty URLs with this rewrite condition:
RewriteRule ^go/([a-z0-9]+)$ /go.php?code=$1
RewriteRule ^go/([a-z0-9]+)/$ /go.php?code=$1
So, the above Files code does not work if the url is domain.com/go/123. How to fix this?
Since this is just one specific file, you don't need FilesMatch, but can use Files instead
<Files go.php>
...
</Files>
Rewriting from /go/123 to /go.php?code=123 is a classic. You capture the part for the query string and use it in the substitution
RewriteRule ^go/(.+)$ /go.php?code=$1 [L]
I didn't expect <Files go> or <FilesMatch go> to work, because "/go/123" isn't a file in the strict sense.
So despite my ignorance an additional
<Files go>
Allow from all
</Files>
works.
As an alternative, you can use If and check for the requested URL path
<If "%{REQUEST_URI} =~ m,^/go/,">
Allow from all
</If>
Problem solved:
<FilesMatch "go|go.php">
Allow from all
</FilesMatch>
Thank you all!
I've tried to avoid access files on my webspace in general. Only the index.php should be allowed. I don't want to reach this goal without using mod_rewrite. My actual code is the following:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
It works when I'm calling my website like www.example.com/index.php, but it doesn't work when I leave the index.php from the URL like www.example.com/
I thought the Apache webserver would know to use the index.php when no segment to the URL is added.
Can you help me out here to understand it and tell .htaccess to allow a raw domain-call?
i think you better have to use some regular expressions to solve this issue
using <FilesMatch> tag instead of <Files> tag
<FilesMatch "^(index\.php)?$">
Order Allow,Deny
Allow from all
</FilesMatch>
In my site I've some file used by my application where are putted the log information.
For example a log file is "access.log", and i write in by PHP.
If a visitor go to www.mysite.ext/access.log , can see the file and all the information inside it.
How can I disallow this?
thanks a lot
Put this in your .htaccess
<FilesMatch "\.(htaccess|htpasswd|pinc|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Will block .log and other common files you don't want people to access.
If you want to do this in Apache, you can add the following to your .htaccess:
<files access.log>
deny from all
</files>
I am able to disable access to a file with .htaccess, but I don't know how to disallow multiple files to be viewed (directly, not from includes)
They are .php so I can't disable a file type (like the only tutorials online say..)
<FILES ... ?
</FILES>
Or something.. For example "home.php, file.php , test.php" how do I disallow access to all three files with that tag? or similar, help please!
If you want to exclude files based on regular expressions, you could use FilesMatch instead of Files, e.g.:
<FilesMatch ^((home|test|file)\.php$|mysecretfolder|asecretpicture\.jpe?g)$>
...
</FilesMatch>
Looks like you have to exclude those files one by one:
<files home.php>
Deny/Allow/Whatever
</files>
<files file.php>
...
You can use *.gif in <files> or something*, but as home.php, file.php and test.php can't really be grouped with a "*", this is probably the only way to go.
since apache 2.4
<FilesMatch "\.htaccess|config\.php">
Require all denied
</FilesMatch>
instead of
<FilesMatch "\.htaccess|config\.php">
Order allow,deny
Deny from all
</FilesMatch>