How can I deny access to http://sub.mydomain.com/, but allow for (completely) http://sub.mydomain.com/test (or http://sub.mydomain.com/test/)
There is a magento back-end behind http://sub.mydomain.com/test/
.htaccess directives apply to that directory, and all subdirectories thereof, so you should disallow access in your DocumentRoot,
http://sub.mydomain.com/.htaccess:
Order deny,allow
Deny from all
And override that in any specific subdirectories you would like to allow access to,
http://sub.mydomain.com/test/.htaccess:
Order allow,deny
Allow from all
How about a .htaccess at the root directory, with the following lines?
RewriteEngine On
# check if request is for subdomain
RewriteCond %{HTTP_HOST} ^sub.mydomain.com$ [NC]
# check if 'test' isnt part of request
RewriteCond %{REQUEST_URI} !^/test/?(.*)$ [NC]
# if subdomain and no 'test' part, redirect to main domain...
RewriteRule ^(.*)$ http://www.mydomain.com/$1 [R,L]
So if the '/test/' section is present, no redirect takes place...
Try create .htaccess file in sub.mydomain.com for deny, and in sub.mydomain.com/test for allow.
Or you can redirect from http://sub.mydomain.com/ to deny subdir.
I know this is a very old thread, but I've been struceling with exactly this scenario for several days and finally got it to work, thus I thought I'd share my solution for further reference.
As of Apache version 2.4 (I guess), it's possible to use directive <RequireAll> and <RequireAny>.
This can be used to allow access to specific subfolders.
My solution for .htaccess (inspired from this site: https://www.the-art-of-web.com/system/apache-authorization/):
SetEnvIf REQUEST_URI "^/test/.*" PUBLICACCESS
# Use for multiple subfolders:
# SetEnvIf REQUEST_URI "^/(?:test|test2|test3|test4)/.*" PUBLICACCESS
<RequireAny>
<RequireAll>
# Public access
Require env PUBLICACCESS
Require all granted
</RequireAll>
<RequireAll>
# Require user and password
AuthType Basic
AuthName "Secured"
AuthUserFile /var/www/example.com/.htpasswd
Require valid-user
</RequireAll>
</RequireAny>
I'm using a cpanel powered server which will add .htaccess entries like the following:
#----------------------------------------------------------------cp:ppd
# Section managed by cPanel: Password Protected Directories -cp:ppd
# - Do not edit this section of the htaccess file! -cp:ppd
#----------------------------------------------------------------cp:ppd
AuthType Basic
AuthName "Protected"
AuthUserFile "/home/****/.htpasswds/sites/****/passwd"
Require valid-user
#----------------------------------------------------------------cp:ppd
# End section managed by cPanel: Password Protected Directories -cp:ppd
#----------------------------------------------------------------cp:ppd
I wanted to allow access to a specific subfolder, and the solution was creating an .htaccess file within that subfolder and placing the following inside:
Satisfy any
If you have protected your DocumentRoot by Auth, then you can allow your Subfolder by follow:
http://sub.mydomain.com/test/.htaccess:
require all granted
Order allow,deny
Allow from all
Related
I am working on securing my web server.
I do not want people to be able to execute files they shouldn't.
I was told that I should deny all and whitelist files that could be executed.
That works. Problem is when i access my domain.com it wont execute example.com/index.php . if i type example.com/index.php it works.
here is my htaccess file
Options -Indexes
Order deny,allow
Deny from all
<Files /index.php>
Allow from all
</Files>
<Files "index.php">
Allow from all
</Files>
<Files "teacher_login.php">
Allow from all
</Files>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
You know what's a better way to prevent people from executing scripts they shouldn't?
Don't put them on the Web at all.
Put these scripts outside of public_html on your server, and suddenly nobody can access them! No need for .htaccess hacks like what you're trying. And better still, they're still accessible for the server itself - eg.
require($_SERVER['DOCUMENT_ROOT']."/../hidden-scripts/something.php");
Much better.
I want to block HTTP access to every file in my project directory except PHP scripts located in the root folder (not subfolders).
My current .htaccess file looks like this :
# Disable Directory Listings in this Directory and Subdirectories
# This will hide the files from the public unless they know direct URLs
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api.php/$1 [QSA,L]
</IfModule>
# Deny all files from being accessed with Apache
Order Deny,Allow
Deny from all
# Allow specific PHP files at root
<FilesMatch "/(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
This mostly works, except for the URL rewriting on the api.php script. I've tried changing the FilesMatch regexp to /(api|cron|status)(\.php)?$, but it keeps on throwing me a 403 response.
Anyone can explain to me what I did wrong here ? I'm usually OK with regexp, but this has got me thinking Apache doesn't process them like everyone else...
Deny from all
<FilesMatch "^(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
And I guess make sure your .htaccess is on the root level.
I have a page in Wordpress theme_directory/page-rsvp.php that i need password protected by .htaccess. I'm developing this locally using MAMP PRO.
I have an .htaccess and .htpasswd file in the theme_directory. I have the following in the .htaccess file but it's not working. Whenever I go to localhost:8888/site/rsvp the authentication prompt doesn't show up.
<Files “page-rsvp.php”>
AuthName "Username and password required"
AuthUserFile ./.htpasswd
Require valid-user
AuthType Basic
</Files>
There is of course the .htaccess file in the root of the wordpress install that looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /thepowerfulnow/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /thepowerfulnow/index.php [L]
</IfModule>
# END WordPress
How do I get this to work using only the first .htaccess file (the one in the theme_directory)? I need to have this theme be modular. I'm very new to .htaccess files. Thank you all!
You've added the authentication to your theme directory, so it'll work only if you access your theme file directly, using a URL like this:
http://localhost:8888/site/wp-content/themes/theme_directory/page-rsvp.php
If you want to restrict the access to your page URL (e.g. /site/rsvp), you need to use a different rule. You can add the following lines to the end of your main .htaccess file, that in the WordPress root dir.
# Set an env variable "auth" if the URI starts with "/site/rsvp"
SetEnvIf Request_URI ^/site/rsvp auth=1
AuthName "User and password required"
AuthType Basic
AuthUserFile "./.htpasswd"
# First, allow anyone
Order Allow,Deny
Satisfy any
Allow from all
Require valid-user
# Then, deny only if auth is required
Deny from env=auth
Remember to keep a copy of .htpasswd file into the same directory or set the path to that file using the AuthUserFile directive.
Alternative solution
My original answer used a <Location> directive to filter the URL to restrict, but it do not work in .htaccess files. Only under server config or a virtual host. Check the Context here: http://httpd.apache.org/docs/2.2/mod/core.html#location
If you want to use the restriction rule as below, and you have access in the server to do so, you need to add it to some of those contexts (server config or virtual host). Apache's config files are usually in the /etc/httpd or /etc/apache2 directories.
<Location "/site/rsvp"> # Where /site/rsvp is the URL you want to restrict
AuthName "Username and password required"
AuthUserFile /path/to/.htpasswd
Require valid-user
AuthType Basic
</Location>
I am trying to allow user to wordpress wp-admin index page if query string contains parameter. I am setting env variable to allow them access. This is how my htaccess file looks like
RewriteEngine on
RewriteCond %{QUERY_STRING} !^author=1
RewriteRule ^ - [E=NO_AUTH:1]
AuthName "Staff Authorization Required"
AuthType Basic
AuthUserFile /usr/bin/.htpasswd
<Files "index.php">
Order Deny,Allow
Deny from all
Require user newagenumber
Allow from env=NO_AUTH
</Files>
Options -Indexes
As of yet, authorization dialog box appears for everyone. Please help :|
This is not working because Apache executed mod_auth module before mod_rewrite hence NO_AUTH is not set when basic authentication directives run.
Unfortunately this behavior is not that simple to change.
Here is a workaround solution that combines mod_rewrite, mod_setenvif and mod_auth:
RewriteEngine On
RewriteBase /wp-admin/
RewriteCond %{QUERY_STRING} (?:^|&)(author=1)(?:&|$) [NC]
RewriteRule ^(index\.php)?$ index.php/%1 [NC]
# set SECURED var to 1 if URI is /index.php/200
SetEnvIfNoCase Request_URI "/index\.php/(author=1)" NO_AUTH
AuthType Basic
AuthName "Login Required"
AuthUserFile /full/path/to/passwords
Require user newagenumber
Order Deny,Allow
Deny from all
Allow from env=NO_AUTH
Satisfy any
I need to block access to my entire site via IP Address except the url /api which should be open to all.
I am currently using ...
<LocationMatch /admin>
Order Deny,Allow
Deny from all
Allow from [MY IP]
</LocationMatch>
this blocks access urls starting with /admin. But I want to block all urls except the ones that start /api.
Chris
RewriteEngine On # (only needs to happen once in .htaccess files.
RewriteBase /
RewriteCond %{REMOTE_ADDR} !^10\.103\.18\.104 # <--YOUR IP HERE
RewriteCond %{REQUEST_URI} !^/api # page or directory to ignore
RewriteRule ^(.*)$ http://example.com/no_access.html [R=401] # where to send blocked requests
Well you can first block the whole site, then simply allow /api.
<LocationMatch />
Order Deny,Allow
Deny from all
Allow from [MY IP]
</LocationMatch>
<LocationMatch /api>
Order Deny,Allow
Allow from all
</LocationMatch>
Sorry I couldn't test it due to the way XAMPP is configured on my PC. Pray it works.