I have various subfolders on my website and I would like for the user not to be able to access them through URL but on the same time my main PHP files to be able to include them or use them as actions on forms or links.
I tried using an .htaccess with
<Files *>
Order Allow,Deny
Deny from All
</Files>
but it denied all access even from within my own scripts. Logical as I found out, but I cannot know how to make it work. Any ideas?
P.S. My main concern is that some of the files are not included in main PHP files BUT they are linked there and their code ends up with a header('Location: ../index.php'); returning to the main page of the project.
I see a lot of answers with Allow,Deny not Deny,Allow
The order of this matters and is causing the problem. You are telling the computer that deny is more important than allow, because it is listed last. To show you... if you say:
<Files .htaccess>
Order Allow,Deny
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
You are saying first Allow anyone Allowed, then Deny All... Which still Denies ALL.
If you reverse to Deny,Allow you are saying Deny All, then Allow anyone Allowed.
<Files .htaccess>
Order Deny,Allow
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
Allow command, being more important, because it is the final command, is therefore allowing those listed after Allow From command.
xxx.xxx.xxx.xxx = Your IP
Do this:
<Files *>
Order Deny,Allow
Allow from 192.168.100.123 127.0.0.1
Deny from all
</Files>
The list of IP's will be specific hosts you allow, like localhost.
This also works with the directive, not just file, if you want only certain directories blocked.
There is an even safer method. Store your include files below the web accessible folders. So if your web files are here...
/var/www/mysite.com/
Store your include files here:
/var/includes/
Then include them with a full path...
include '/var/includes/myincludes.inc.php';
From the web, the myincludes.inc.php file is completely inaccessible.
Usually to protect these logic files from public access you can
put it in protected directory, above htdocs
add a check for public constant.. if(!is_defined(some_root_const)){die();}
change extension to .inc or something.. and deny with .htaccess based on that
put your application code outside of your public html folder. then you can add an include path at the top of your scripts to allow your script to access them as if they were in the same folder.
http://php.net/manual/en/function.set-include-path.php
In you .htaccess you will have to specify which IP's, hosts you want to allow and you can do it per directory as well. for e.g.
<Directory /dir/to/block>
Order Allow,Deny
Allow from 192.168.0.1 4.4.4.4
Deny from All
</Directory>
<Directory /dir/to/allow>
Order Allow, Deny
Allow from All
</Directory>
Related
I want to share one of my subdomain to public that anyone can upload and explore any files. I want to it be a simple, so I chose https://github.com/webcdn/File-Explorer project. It is responsive and beautiful. But I need some modifications:
Remove authentication -> I did it.
Prevent execution of any PHP file (for security reasons) except "explore.php".
I did it using .htaccess file as below:
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files explore.php>
Order Allow,Deny
Allow from all
</Files>
DirectoryIndex explore.php
The problem is that "File-Explorer" project still shows "explore.php".
I renamed explore.php to .explore.php and replaced it in .htaccess, but it doesn't work and the website can't be load.
I want to hide my uploads folder but i want to access it via php . Is this possible with .htaccess ?
I tried something but didn't worked.
<files "/uploads">
order allow,deny
deny from all
</files>
<folders uploads>
Order Allow,Deny
Deny from all
</folders>
You're almost there, but it depends on what version of Apache you're using also.
The above method you're trying is if you want to block access to a specific file, if you want to block a folder, then add your .htaccess file to that folder and just use:
Below 2.4:
deny from all
2.4 or above:
Require all denied
IMPORTANT EDIT
You can just upload a .htaccess to the folder that you want to block with the following:
Deny from all
If there is some issue, add:
Allow from 127.0.0.1
It worked well for me.
Original answer
Try:
<Directory "/uploads">
Order allow,deny
Deny from all
Allow from 127.0.0.1
</Directory>
EDIT:
The code above will deny all except the local ip (of your server).
As thickguru said, it also depends on your apache version. Here are some other ways to do it:
<Directory "/uploads">
Require local
</Directory>
It will only allow if requested by the server (your script or somewhat on the server).
Or:
<Directory "/uploads">
Require ip 127.0.0.1
</Directory>
The same as above, but using the local adress. You can also add other ips to it. All the ips that you add there will be allowed to access the folder.
I have a webserver with apache, say ip is 12.345.678.90. In my www directory there are a few sites, say, site1 and site2. Both belong to the same ip address - I created virtual hosts. Websites are on cakephp framework and there are a lots of directories, for example, app, app/tmp, lib, lib/Cake etc. When accessing the website like http://site1.com or http://site2.com everything is all right, and no way these directories can be viewed or accessed, but through ip I can see everything.
http://12.345.678.90/
http://12.345.678.90/site1/lib
http://12.345.678.90/site1/app
http://12.345.678.90/site1/app/tmp
etc - all this directories with containing files for each site are visible. So, how I can prevent any kind of access through ip address ? Actually when opening just the ip http://12.345.678.90 it just shows nothing, as I had created empty index.html file, but I cant do that for all the folders,(or create htaccess for each directory). Can this be handled through single htaccess, or maybe better, by apache config, or by some other way ?
Thanks
Try this
To disable Directory Listing
In your Apache configuration file (httpd.conf) file locate the directory section eg: /var/www/html
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Remove the word Indexes or change Indexes to -Indexes
Then restart your Apache server service httpd restart
To Restrict Access: Directory Level
You can restrict access to certain directories by adding the following
<Directory "/var/www/html/site1/mydirectory">
Order allow,deny
Deny from all
</Directory>
By adding the above configuration to apache conf file the mydirectory will be blocked/restricted from access.
To Restrict Access: File Level
If you want to restrict a certain file in a directory. Add -
<Directory "/var/www/html/site1/mydirectory">
Order allow,deny
Allow from all
<Files myfile.php>
Order allow,deny
</Files>
</Directory>
To prevent access of all files by IP Address
<Files ~ ".+">
Order allow,deny
Deny from all
</Files>
this should work(add it to you main .htaccess file)
Options All -Indexes
this wont't allow other to see the files in your folder
1) My wp-content is hardened with a .htaccess file containing this code:
<Files *.php>
deny from all
</Files>
2) I want (need) to authorize xml-sitemap-xsl.php Otherwise I get this error in my error log: client denied by server configuration: /home/user/mysite.net/wp-content/plugins/wordpress-seo/css/xml-sitemap-xsl.php, referer: http://mysite.net/sitemap_index.xml
3) I think I should add the following code but I’m not sure if it’s the right code nor where to place it:
<Files "xml-sitemap-xsl.php">
Allow from all
</Files>
The thing I want to avoid is a conflict between the deny and allow commands.
Thanks,
P.
This has not much to do with Wordpress and I am not an expert regarding .htaccess, but I believe that what your file is doing is not denying access to your directory by all .php files, rather, denying access to all the .php files inside the directory.
The <Files> directive is used to add specific rules to specific files and, as far as I know, it cascades.
Considering your comment, this should do the trick
<Files *.php>
deny from all
</Files>
<Files "xml-sitemap-xsl.php">
Order Allow,Deny
Allow from all
</Files>
see: Deny direct access to all .php files except index.php
I am doing PHP web application, with Apache.
There are a few configuration files ( like App.yml) whose content I don't want to expose to users under whatsoever circumstances. Is there anyway that I can tweak my Apache setting so that these files won't be available when hostile users query for them?
The best option would be to place the files outside of your document root.
If that's not possible, you can deny access to them in apache .conf file (or a .htaccess file) with
<Directory /path/to/dir>
Deny from all
</Directory>
You can create a .htaccess file in that directory and place in it
order deny,allow
deny from all
You can also do this if you only want to block one file.
<Files filenamehere>
order deny,allow
deny from all
</Files>