Here is the scenario:
There is a index.php file in root folder
some files are included in index.php which are in the includes folder.
1 other file (submit.php) is in the root folder for form submit action.
I want to restrict direct user access to the files in includes folder by htaccess. also for submit.php. But include will work for index.php file.
Like, if user types www.domain.com/includes/somepage.php, it will restrict it (may be redirect to a error page).
I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:
deny from all
That way you cannot open any file from that folder, but you can include them in php without any problems.
This is pure mod_rewrite based solution:
RewriteRule ^(includes/|submit\.php) - [F,L,NC]
This will show forbidden error to use if URI contains either /includes/ or /submit.php
It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:
<Files ~ "^.*">
Deny from all
</Files>
<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
Allow from all
</Files>
1 liner mod_alias based solution :
RedirectMatch 403 ^/folder/file.php$
This will show forbidden error for /folder/file.php
If I understand correctly you just want to deny access to the includes folder?
An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.
Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a DOCROOT/.htaccess anyway and this keeps all such control in one file.
However what I wanted t discuss is the concept of "denying access to submit.php". If you don't want to use submit.php then why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.
If this is true then you can't use anubhava's part II as this will cause your form to fail.
What you can do here is (i) with the .htaccess check to ensure that the referrer was your own index page:
RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php [NC]
RewriteRule ^submit\.php$ - [F]
And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.
This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.
Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:
Satisfy all
Order deny,allow
Deny from all
I ran into this when the upper directory defined basic authentication including the line:
Satisfy any
This was preventing my deny from all to take effect because the users were authenticated.
You can add the below command to .htaccess file
Deny from all
ErrorDocument 403 "nothing is here"
It will display the "nothing is here" message in case of the unauthorised access.
If you want to redirect by an error code to a certain page then you can define a command as follows:
ErrorDocument 404 "/errors/404.html"
It will redirect to the /errors/404.html and show the custom page not found screen.
Related
So I've found many posts here on how to do a similar action, however, I'm still confused. So here is my question. I want to have access to www.mywebsite/folder/index.html but if I were to remove the index.html and just type in www.mywebsite/folder/ I don't want to have access to that. How can I go about doing this? I read that I can use an .htaccess file with deny from all but that restricts me from the whole folder and I can't access the index.html.
Please let me know if there is a solution or another post that I missed that outlines the exact situation.
Thank you!
Which Apache version are you using? In 2.4, you can use DirectoryIndex disabled to stop it from automatically serving up the index.html, and combine that with Options -Indexes.
In lower versions disabled does not exist yet, so using mod_rewrite with a simple RewriteRule that forbids access when the exact folder path (with or without trailing slash) was requested should do it,
RewriteRule ^folder/?$ - [F,L]
To control what error message the user gets to see in each case, specify the ErrorDocument for the 403 Forbidden status code.
I'm trying to use .htaccess to block external access to my website's /includes/ directory which only includes processing PHP files. Both methods below 'work' but I prefer the latter because it doesn't leave the user with a error page. Can anybody let me know if it is less secure?
Is it better to use this:
<Directory "/includes">
Deny from all
</Directory>
Or this:
RedirectMatch 301 ^/includes/.*$ http://www.mymainurl.com
Or is something else more appropriate?
The website content is dynamically served by an index.php, so files within the /includes/ folder need to remain accessible via PHP's include function.
Alternatively, you can return a 404 to make people think the includes directory doesn't even exist:
RewriteEngine On
RewriteRule ^includes/ - [L,R=404]
I have files to be included (include()) in certain scripts. If someone were to enter the path to the file through the browser as the URL, however, I want the server to serve a 404 error. How would I do this?
# map 403 to 404 error page, prob. not a good idea...
ErrorDocument 403 /error/404.html
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
<Files index.php> # <- allow direct access to index.php only
Order Allow,Deny
Allow from all
</Files>
Perhaps a better way is to define a constant in your index.php file and check if that constant is defined in the other scripts. If not, return 404 status and display a 404 template.
Place the files somewhere outside the document root. Access from the web won't find it but scripts will still be able to use the absolute file path within the local system.
/-- home -- docroot -- index.php
|
+- scripts -- myscript.php
http://www.example.com gets index.php from /home/docroot
index.php includes /home/scripts/myscript.php
There are a number of ways to do this. My first recommendation would be to move all the files that you don't intend to actually be served via web server out of the web server root.
If you can't or won't do that, you can certainly use Apache .conf file or .htaccess to restrict access to certain directories or files that you don't want to be accessed.
If you don't have access to the server config, you can add some simple code at the top of each include file to return a 404 header if the file was not accessed in a proper manner (usually done by setting some flag on page that would include the file and testing that flag within the include file).
Could access to files like df9dfglh_56_ghf.mp3 in /www/pub/ prevented with an empty index.html file? (but giving access via index.php with login to a database that then links to that file name)?
UPDATE: but I would rather NOT restrict access to the directory, if I want to play the file in my own 'cloud player'... (bit like the youtube category: only people with the link can see the file)
The bottom line: I want minimise server traffic, or copyright problems (if those files became publically accessible)
For preventing access from a certain file or even for a certain type of file, you can use the .htaccess, which is an apache configuration file that provide some ways to make configuration changes on a per-directory basis. And then append to it the following line
<Files ~ "\.mp3$">
Order allow,deny
Deny from all
</Files>
For your specific case, you can even use it this way:
<Files "df9dfglh_56_ghf.mp3$">
Order allow,deny
Deny from all
</Files>
If you wish only that the file is not listed on the index you can use this very same file to do what #Ynhockey said and issue the configuration:
Options -Indexes
I hope it helped. Cheers
if you set inside your data folder empty
index.html
When user browse ..
http://yoursite/data/
he will see empty page and he wont see your mp3 file...
But if he goes to
http://yoursite/data/yourmp3name.mp3
he will open your mp3..
By simply having an index.html or index.php, you would only be disabling directory listing. People will still be able to access any files inside that directory though if they have the direct URL to it.
If you would like to block access to specific files, you will need explicitly restrict access to those files. Here is a good resources to get started with that.
An empty index file can prevent a directory listing from showing, but it does not prevent direct access to files. This can also be done by putting the following line into your .htaccess file:
Options -Indexes
I think what you are referring to is Apache's directory-listing when there is a directory without an index. Yes, an empty index will hide this listing but no, it will no prevent access to files if the path is known. If this "share link to authorised persons only"-policy is secure enough for you then fair enough. If you want anything more secure you should consider using mod_auth or something similar og limit access by only allowing access to a .php file or something similar that provides access to only the authorised users.
in principle yes it will disable the file listing, but if the user knows the exact path, then he will be able to view/download the given file.
an effective way of doing, what i believe you are trying to do , is to put the files in a dir that is not visible by web, and then serve the files via php. then the link will be smth like,
domain.com/getfile.php?fileindetification=thefile then in getfile.php you can authenticate the user and then serve him the file, you can do even more, you can make the currentlink, be valid only for a short period of time.
it will be better to keep the file out of the web root folder so that no one outside get access to the file.
I can't figure out how to use .htaccess to redirect when any file is accessed within a directory, or, how to redirect when a specific file type (eg. .txt or .php) is accessed.
I've got a directory called "contents" where I'm storing .txt files, these are pulled into the main page using php. However, I don't want users to be able to access the specific text files where the contents are, eg. going directly to .../contents/textfile.txt. I'd like if a user happened on a .txt file, or any file within the contents directory, to be redirected to the root site.
If this isn't the right approach, please let me know what would be so I can search to attack it from another way.
Thanks in advance!
I would prefer to lock the directory down, so that users are informed that it's an invalid directory. Create a .htaccess file in the contents-directory with the following text:
deny from all
If you want a redirect, you should investigate "mod_rewrite" - a module that is installed on many webhosts. It will probably be something similar to
RewriteEngine on
RewriteRule ^.+ http://www.example.com/ [R,L]
use the Deny Directive
add,
Order Deny,Allow
deny from all
allow from 127.0.0.1
into a .htaccess and place it in contents directory.