I want to restrict access to certain web directories in my website using .htaccess file. I know one way using
order allow,deny
deny from all
But it restricts only the first directory. It doesn't work for the remaining ones. Please help
You are wrong, using deny from all also applies to subdirectories.
i.e. unless there is another .htaccess inside the other sub directories that allows the access
Options -Indexes add this line at the top of the .htaccess file
Related
i got folder called recordings on my server and i want to block access from anyone to it and its content and at the same time i want the ability to call the files inside the folder from other pages
i tried htaccess rule
Options -Indexes
its just block access to the folder but when i write specific file inside the folder the browser open it and i do not want that
and i tried another htaccess rule :
deny from all
but it make me not able to call the files on other pages and i want to be able to call them
so can anyone help me ?
Use below rule,
<Files ~ "*.php">
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
My Directory structure is like this.
Root
|
assets
|-js
|-css
|-img
action
|a.php
|-b.php
include
|-inc1.php
|-inc2.php
I'm using Option Options -Indexes in .htaccess file but i have to put this file in every directory. Is there a way i can use only one hraccess file and put rule on directories? Also i wanted to know .If i use htaccess will it stop my php file from accessing the resources from these directories?
Drupal uses this in the root directory to prevent client access to some files. "profile" and "module" are directories. [Correction: profile and module are directories, but in the Drupal expression below it is checked as an extension.]
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|LICENSE.txt)$">
Order allow,deny
</FilesMatch>
For you you'd want to change the matching rule to something like this:
<FilesMatch "^(assets|action|include)$">
It's normal to use just one .htacces file in the root directory. If you want to apply rules to particular directories without adding another .htaccess file, you may be able to apply rules based on the url if the url maps with the folders. It would be easier to help you if you provided a concrete example
Could access to files like df9dfglh_56_ghf.mp3 in /www/pub/ prevented with an empty index.html file? (but giving access via index.php with login to a database that then links to that file name)?
UPDATE: but I would rather NOT restrict access to the directory, if I want to play the file in my own 'cloud player'... (bit like the youtube category: only people with the link can see the file)
The bottom line: I want minimise server traffic, or copyright problems (if those files became publically accessible)
For preventing access from a certain file or even for a certain type of file, you can use the .htaccess, which is an apache configuration file that provide some ways to make configuration changes on a per-directory basis. And then append to it the following line
<Files ~ "\.mp3$">
Order allow,deny
Deny from all
</Files>
For your specific case, you can even use it this way:
<Files "df9dfglh_56_ghf.mp3$">
Order allow,deny
Deny from all
</Files>
If you wish only that the file is not listed on the index you can use this very same file to do what #Ynhockey said and issue the configuration:
Options -Indexes
I hope it helped. Cheers
if you set inside your data folder empty
index.html
When user browse ..
http://yoursite/data/
he will see empty page and he wont see your mp3 file...
But if he goes to
http://yoursite/data/yourmp3name.mp3
he will open your mp3..
By simply having an index.html or index.php, you would only be disabling directory listing. People will still be able to access any files inside that directory though if they have the direct URL to it.
If you would like to block access to specific files, you will need explicitly restrict access to those files. Here is a good resources to get started with that.
An empty index file can prevent a directory listing from showing, but it does not prevent direct access to files. This can also be done by putting the following line into your .htaccess file:
Options -Indexes
I think what you are referring to is Apache's directory-listing when there is a directory without an index. Yes, an empty index will hide this listing but no, it will no prevent access to files if the path is known. If this "share link to authorised persons only"-policy is secure enough for you then fair enough. If you want anything more secure you should consider using mod_auth or something similar og limit access by only allowing access to a .php file or something similar that provides access to only the authorised users.
in principle yes it will disable the file listing, but if the user knows the exact path, then he will be able to view/download the given file.
an effective way of doing, what i believe you are trying to do , is to put the files in a dir that is not visible by web, and then serve the files via php. then the link will be smth like,
domain.com/getfile.php?fileindetification=thefile then in getfile.php you can authenticate the user and then serve him the file, you can do even more, you can make the currentlink, be valid only for a short period of time.
it will be better to keep the file out of the web root folder so that no one outside get access to the file.
I'm in a situation wherein I have file includes but I don't want other people going on the "includes" directory and viewing the pages individually via browser.
I'm quite familiar with how to approach it via inside the PHP files themselves but I want to use the .htaccess for preventing it this time.
So how do I configure .htaccess to prevent users NOT coming from a certain referrer from viewing the PHP files inside the "includes" folder?
.htaccess will work, but just to suggest an alternative - why not move your include directory outside the webroot? Your scripts can still access it, and there's no need to configure apache to deny access.
Put a .htaccess file in the directory you would like to not be viewed and put this in there:
order allow, deny
deny from all
This is the simple block all approach. More info on how to block by referer can be found here.
Hope this helps.
As lot of web hosting solutions explicitly limit you to working within the a public_html (or equiv) hierarchy. So I use a simple convention: if I don't want a file or directory to be private -- that is not accessible through a URI -- then I prefix its name with either a "_" or a ".", for example my PHP includes directory is called "_includes".
I use this pattern in my .htaccess files to enforce this:
SetEnvIf Request_URI "(^_|/_|^\.|/\.)" forbidden
<Files *>
Order allow,deny
Allow from all
Deny from env=forbidden
</Files>
You can use this approach, but modify the regexp to whatever suits your personal convention. One advantage is that it works with this template in your DOCROOT .htaccess file. You don't need to have .htaccess files in the restricted subdirectories.
:-)
On .htaccess how would I be able to disallow PHP files from accessing anything outside their directory, without using open_basebdir()?
Basically I'm going to generate .htaccess files into some dynamically created sub directories that cannot interact outside of themselves.
EDIT: Sorry I meant accessing, not moving.
.htaccess files are for Apache, not PHP.
What you want to do sounds more like the job of a VirtualHost.
php doesn't even know about the existence of your .htaccess files, so they can't avoid any script from moving any file
Something like this?
<FilesMatch "^php5?\.(ini|cgi)$">
Order Deny,Allow
Deny from All
Allow from #Root dir of your php file
</FilesMatch>