Looking some frameworks like Code Igniter I see they use a "defined" check on the syspath to prevent users opening the files from the subfolders, and also an index.html placed on every folder.
Can't I just use a mod_rewrite and get rid of these checks?
Is the mod_rewrite enough to let the users access only the index.php of the entire application?
You can move all the files for your application out of the web root and only have those files there that should be accessible by users.
Place all non-accessible files in folders and then put a new .htaccess file in each folder containing:
order deny,allow
deny from all
This will prevent HTTP access to those folders in Apache (other servers will have equiv. options). We use this to prevent access to incldue/, which contains the libs, static config etc.
Related
How to deny direct access to website files if a user from out side want to open them with url but allow website files to access each other by include 'file.php' in php files.
I have a .htaccess file.Can I do this with this ?
You do this by having the PHP files outside of your webroot. Your scripts that actually need to be accessible need to be in or beneath your webroot. You typically see PHP projects these days that have a structure like this:
/projectname
/app
/src
/web
The use of composer for dependency/component library management is the state of the art these days and if you are using it it will create other directories like vendor.
So your front controller or other web accessible scripts go into projectname/web and this is what you set your webroot to.
Your other scripts go into the /projectname/src.
Your include/require statements need a filesystem path, so you can reference them either via relative addressing or using a full path.
Typically people will have a bootstrapping include or use a front controller (everything goes through index.php) where include paths are setup. With component libraries you also want your class loader to be instantiated to resolve any libraries you might be using in your project.
Again the use of composer is highly recommended and will generate your class loader for you, and then it's just a matter of making sure it is included.
This .htaccess-file will only allow users to open index.php. Attempts to access any other files will result in a 403-error.
Order deny,allow
Deny from all
<Files "index.php">
Allow from all
</Files>
If you also want to use authentication for some of the files, you may simply add the content from your current file at the end of my example.
I am using codeigniter and have put the assets folder in the root of the application that contains a .htaccess file having the content
Deny from all
This is causing problems when I want to connect to the assets folder to get the stylesheets etc. So my question here is is there any way that I can allow the access just to that assets folder, that I have?
I have never used .htacces files so have a very basic knowlege of it. I did some research on my own as well but I wasn't able to find the solution.
In your assets directory add another .htaccess file with the following:
# /assets/.htaccess
Allow from all
And I am assuming in your root directory you have the following (which you will leave):
# /.htaccess
Deny from all
Update: Based on your comment, what you are looking to do is not really possible. The browser needs to have access to your CSS file in order to use it on your page.
Could access to files like df9dfglh_56_ghf.mp3 in /www/pub/ prevented with an empty index.html file? (but giving access via index.php with login to a database that then links to that file name)?
UPDATE: but I would rather NOT restrict access to the directory, if I want to play the file in my own 'cloud player'... (bit like the youtube category: only people with the link can see the file)
The bottom line: I want minimise server traffic, or copyright problems (if those files became publically accessible)
For preventing access from a certain file or even for a certain type of file, you can use the .htaccess, which is an apache configuration file that provide some ways to make configuration changes on a per-directory basis. And then append to it the following line
<Files ~ "\.mp3$">
Order allow,deny
Deny from all
</Files>
For your specific case, you can even use it this way:
<Files "df9dfglh_56_ghf.mp3$">
Order allow,deny
Deny from all
</Files>
If you wish only that the file is not listed on the index you can use this very same file to do what #Ynhockey said and issue the configuration:
Options -Indexes
I hope it helped. Cheers
if you set inside your data folder empty
index.html
When user browse ..
http://yoursite/data/
he will see empty page and he wont see your mp3 file...
But if he goes to
http://yoursite/data/yourmp3name.mp3
he will open your mp3..
By simply having an index.html or index.php, you would only be disabling directory listing. People will still be able to access any files inside that directory though if they have the direct URL to it.
If you would like to block access to specific files, you will need explicitly restrict access to those files. Here is a good resources to get started with that.
An empty index file can prevent a directory listing from showing, but it does not prevent direct access to files. This can also be done by putting the following line into your .htaccess file:
Options -Indexes
I think what you are referring to is Apache's directory-listing when there is a directory without an index. Yes, an empty index will hide this listing but no, it will no prevent access to files if the path is known. If this "share link to authorised persons only"-policy is secure enough for you then fair enough. If you want anything more secure you should consider using mod_auth or something similar og limit access by only allowing access to a .php file or something similar that provides access to only the authorised users.
in principle yes it will disable the file listing, but if the user knows the exact path, then he will be able to view/download the given file.
an effective way of doing, what i believe you are trying to do , is to put the files in a dir that is not visible by web, and then serve the files via php. then the link will be smth like,
domain.com/getfile.php?fileindetification=thefile then in getfile.php you can authenticate the user and then serve him the file, you can do even more, you can make the currentlink, be valid only for a short period of time.
it will be better to keep the file out of the web root folder so that no one outside get access to the file.
I have a website that has an include folder which contains php templates and functions. If a user tries to access that folder. It may not harm website but I don't want my users to see those templates in an UN-organized manner. Instead, I want to restrict the user if he tries to directly access those files within include folder and redirect him to homepage.
Put this in an .htaccess file in that directory:
Deny from all
This is assuming you're using Apache or another web server that knows how to read and process .htaccess files.
For the redirect, instead of Deny from all you could try this instead:
RedirectMatch 301 ^/includes/$ http://www.yoursite.com/
You can configure the server such that this folder is not available to the public. Alternately, structure the site so this folder is below the siteroot - this makes it completely invisible to the public. Simply adjust your include paths and you're done. I prefer this solution, because the files are completely off the radar unless you are logged in and have access to the file system.
Is it possible to set the .htaccess file to deny all users but allow includes such as PHP functions or CSS?
Thanks
Yes, that's one of the most popular uses of the .htaccess file. Set up .htaccess to deny all. Nobody can download the pages in that directory, but you can include php files from this directory in your other directories. You can't really host css files in the directory and then deny all, because the user has to download these directly. Same goes for images and javascript files. Basically, anything the client has to read shouldn't go in a "deny-all" directory, but stuff that only needs to be read by the server, like php includes are fine.
If you don't want something to be downloadable, then don't put it into a public-facing directory. Put those files in a different directory outside the webroot.
This way they don't get exposed if the .htaccess gets disabled somehow.