Protect PHP from Invalid Referrer via .HTACCESS? - php

I'm in a situation wherein I have file includes but I don't want other people going on the "includes" directory and viewing the pages individually via browser.
I'm quite familiar with how to approach it via inside the PHP files themselves but I want to use the .htaccess for preventing it this time.
So how do I configure .htaccess to prevent users NOT coming from a certain referrer from viewing the PHP files inside the "includes" folder?

.htaccess will work, but just to suggest an alternative - why not move your include directory outside the webroot? Your scripts can still access it, and there's no need to configure apache to deny access.

Put a .htaccess file in the directory you would like to not be viewed and put this in there:
order allow,deny
deny from all
This is the simple block all approach. More info on how to block by referer can be found here.
Hope this helps.

A lot of web hosting solutions explicitly limit you to working within a public_html (or equiv) hierarchy. So I use a simple convention: if I don't want a file or directory to be private -- that is not accessible through a URI -- then I prefix its name with either a "_" or a ".", for example my PHP includes directory is called "_includes".
I use this pattern in my .htaccess files to enforce this:
SetEnvIf Request_URI "(^_|/_|^\.|/\.)" forbidden
<Files *>
Order allow,deny
Allow from all
Deny from env=forbidden
</Files>
You can use this approach, but modify the regexp to whatever suits your personal convention. One advantage is that it works with this template in your DOCROOT .htaccess file. You don't need to have .htaccess files in the restricted subdirectories.
:-)

Related

Single Htaccess to stop access of all directories

My Directory structure is like this.
Root
|
assets
|-js
|-css
|-img
action
|-a.php
|-b.php
include
|-inc1.php
|-inc2.php
I'm using the option Options -Indexes in the .htaccess file, but I have to put this file in every directory. Is there a way I can use only one htaccess file and put rules on directories? Also, I wanted to know: if I use htaccess, will it stop my PHP files from accessing the resources from these directories?
Drupal uses this in the root directory to prevent client access to some files. "profile" and "module" are directories. [Correction: profile and module are directories, but in the Drupal expression below it is checked as an extension.]
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|LICENSE.txt)$">
Order allow,deny
</FilesMatch>
For you you'd want to change the matching rule to something like this:
<FilesMatch "^(assets|action|include)$">
It's normal to use just one .htaccess file in the root directory. If you want to apply rules to particular directories without adding another .htaccess file, you may be able to apply rules based on the URL if the URL maps with the folders. It would be easier to help you if you provided a concrete example.

Preventing a file being downloaded or accessed on a server

I want to be able to prevent people from accessing a file on a server, such as a document if they were to directly link to it via the URL. This is for security purposes so that documents on the site just can't be stumbled upon and downloaded...
What is the best approach for this?
I've tried using the .htaccess to deny access to docs and txts, for example, but you can still download the files; it just prevents you from accessing the directory... which isn't what I want to do.
<Files ~ "\.(doc|txt)$">
order allow,deny
deny from all
</Files>
Put it in a directory outside the public space and provide it via a custom PHP page which requires login or what you prefer
echo file_get_contents('/var/www/example.com/file.txt');
Should work, I guess.
Try putting this in your .htaccess
<FilesMatch "\.(doc|txt)">
Order deny,allow
Deny from all
</FilesMatch>
The best thing to do is to not put it in the web server's document root in the first place.
You can in your .htaccess redirect all requests to files in that folder to a special PHP page that only allows logged in users to download the file but denies those unauthorized to access it.
Also it's a good idea putting the target file itself in a folder above public_html.
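
An added example (not code from any of the answers above) of the gateway page these answers describe: the files live outside the document root and a PHP script hands them only to logged-in users. The directory /var/www/private_docs, the user_id session key and the name query parameter are assumptions.

```php
<?php
// download.php: added example. Serves files stored outside the document root.
// Assumptions: PRIVATE_DIR, the 'user_id' session key and the 'name'
// query parameter are hypothetical; adapt them to your application.
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private_docs';   // not reachable by any URL
const ALLOWED_EXT = ['doc', 'txt'];

// Map a requested name to a real path inside $baseDir, or return null.
// realpath() collapses "../" and symlinks, so the prefix check below sees
// the final location rather than the string the client sent.
function resolve_private_file(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;                                  // missing or a directory
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                  // escaped the base dir
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {                    // set by your login code
    http_response_code(403);
    exit('Forbidden');
}

$name = is_string($_GET['name'] ?? null) ? $_GET['name'] : '';
$path = resolve_private_file(PRIVATE_DIR, $name);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```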

Securing a text file in a website folder

I have several folders in my website directory which contain text files called "secure.txt".
For security reasons the URLs of these files are never shown in the web browser, but my website searches for these files (PHP code), which contain sensitive information.
How can I make the PHP code allowed to read these files but restrain access through the url, so a potential hacker wouldn't be able to read the content of these files?
Put them outside your document root folder and place the following .htaccess file in the folder you want to protect. Also if you don't want to access it through a particular IP remove the last line.
order deny,allow
deny from all
allow from 192.168.0
[EDIT:]
To allow php scripts, etc. allow localhost (127.0.0.1)
order deny,allow
deny from all
allow from 127.0.0.1
You should put them in another folder and make the .htaccess deny from all, allow from 127.0.0.1
Old trick for that: Prefix the files with <?php die("I'm afraid I can't do that, Jim"); ?>, and call them *.php. On parsing, ignore the prefix.
Edit
Why do this? The rationale behind it is that you avoid a dependency on some special webserver configuration, which can be forgotten (on moving to a new server), unavailable (many cheap hosts don't give you .htaccess), not applicable to some webserver software (IIS) etc.
So the reasoning is to trade some computational overhead against flexibility, portability and platform independence.
Can you move them out of your website directory altogether? If so, then make sure PHP has access to that directory! (The open_basedir value will need to include it.)
I'd suggest moving the files out of the webroot to be on the safe side
If you use Apache, deny access to all files named secure.txt from within httpd.conf:
<Files secure.txt>
deny from all
</Files>
You may do the same via .htaccess files as well (if your server is configured to allow override access rights from htaccess).
But a better solution would be to include the sensitive information into your PHP scripts themselves, or to store it in a database.
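
An added example (not code from the answers above) of the die() prefix trick described in this thread: the data file is named *.php and starts with a guard line, and the application strips that line when reading. The GUARD constant, the function names and the sample data are hypothetical.

```php
<?php
// Added example of the "die() prefix" trick. GUARD and the function names are
// hypothetical. The trick only protects the data while the web server
// actually executes .php files, so the writer insists on that extension.
declare(strict_types=1);

const GUARD = "<?php die('No direct access'); ?>\n";

function write_guarded(string $path, string $data): void
{
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') {
        throw new InvalidArgumentException('guarded files must end in .php');
    }
    // LOCK_EX keeps a concurrent reader from seeing a half-written file.
    if (file_put_contents($path, GUARD . $data, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $path");
    }
}

function read_guarded(string $path): string
{
    $raw = file_get_contents($path);      // reads bytes, does not execute PHP
    if ($raw === false) {
        throw new RuntimeException("cannot read $path");
    }
    // A file without the guard would be sent as-is to a browser requesting
    // it, so treat a missing prefix as a deployment error, not as data.
    if (strncmp($raw, GUARD, strlen(GUARD)) !== 0) {
        throw new RuntimeException("guard prefix missing in $path");
    }
    return substr($raw, strlen(GUARD));
}

// Constructed sample data, written to a temp directory for the demo.
$file = sys_get_temp_dir() . '/secure_demo.php';
write_guarded($file, "db_password=example-only\n");
echo read_guarded($file);
unlink($file);
```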

Map only accessible for webserver and not for other users

On my site I use a lot of includes; most of the includes should only be accessible for the webserver and not for the rest of the world. So if I include "../include_map/file.php" in a page on my site, it should not be possible to request it with a URL by other users in the world ("website.com/include_map/file.php"). Is there a possibility to protect the map with the include files so that only the webserver can include the files?
PHP can include files from everywhere (also non-public directories) on the server's hard drive.
For example, if your htdocs is located in /var/www/domain/htdocs/ you can also include files located in /var/www/domain/include_map while the webserver won't be allowed to read from there (if configured properly).
You can then test to access the file with www.yourdomain.com/../include_map/file.php.
If you can still access it like this, your webserver's configuration needs some attention to prevent others from reading your logs and other things.
Another way is to deny access to the directory via .htaccess or Apache config. PHP can still include the files, while users can't access them from the internet.
In the Apache config you would do something like:
<Directory /include_map>
Order Deny,Allow
Deny from all
</Directory>
In a .htaccess file you could write
Order Deny,Allow
Deny from all
The .htaccess file should be located in the directory you want to secure. Consult your server provider to find out which way is best for you. As stated in the comment you have to find out if .htaccess is an option for you first.
You could do as zuloo said. If you want this to work under any condition you could use a constant for this.
The file including:
define('IS_APP', true);
require_once('some/file/to/include.php');
// your code here
The included file:
if(!defined('IS_APP')) {
die('No direct access');
}
// your code here

.htaccess: Disallow PHP files to access anything outside their directory

On .htaccess how would I be able to disallow PHP files from accessing anything outside their directory, without using open_basedir()?
Basically I'm going to generate .htaccess files into some dynamically created sub directories that cannot interact outside of themselves.
EDIT: Sorry I meant accessing, not moving.
.htaccess files are for Apache, not PHP.
What you want to do sounds more like the job of a VirtualHost.
PHP doesn't even know about the existence of your .htaccess files, so they can't prevent any script from moving any file.
Something like this?
<FilesMatch "^php5?\.(ini|cgi)$">
Order Deny,Allow
Deny from All
Allow from #Root dir of your php file
</FilesMatch>
