I am able to disable access to a file with .htaccess, but I don't know how to disallow multiple files to be viewed (directly, not from includes)
They are .php so I can't disable a file type (like the only tutorials online say..)
<FILES ... ?
</FILES>
Or something.. For example "home.php, file.php , test.php" how do I disallow access to all three files with that tag? or similar, help please!
If you want to exclude files based on regular expressions, you could use FilesMatch instead of Files, e.g.:
<FilesMatch ^((home|test|file)\.php$|mysecretfolder|asecretpicture\.jpe?g)$>
...
</FilesMatch>
Looks like you have to exclude those files one by one:
<files home.php>
Deny/Allow/Whatever
</files>
<files file.php>
...
You can use *.gif in <files> or something*, but as home.php, file.php and test.php can't really be grouped with a "*", this is probably the only way to go.
since apache 2.4
<FilesMatch "\.htaccess|config\.php">
Require all denied
</FilesMatch>
instead of
<FilesMatch "\.htaccess|config\.php">
Order allow,deny
Deny from all
</FilesMatch>
Related
I want to deny direct access to all files, except one: go.php.
I've read this question, but in my case it doesn't work because I send also a GET parameter.
That means that all files should be denied, except when trying to go to www.domain.com/go.php?code=xyz123.
My code now:
Order Allow,Deny
deny from all
allow from [my IP here]
<FilesMatch "go.php">
Allow from all
</FilesMatch>
How can I fix it?
Thanks!
EDIT 1
I updated the code to:
<Files go.php>
Allow from all
</Files>
Now it does allow if the url is domain.com/go.php?code=123. The thing is that I use pretty URLs with this rewrite condition:
RewriteRule ^go/([a-z0-9]+)$ /go.php?code=$1
RewriteRule ^go/([a-z0-9]+)/$ /go.php?code=$1
So, the above Files code does not work if the url is domain.com/go/123. How to fix this?
Since this is just one specific file, you don't need FilesMatch, but can use Files instead
<Files go.php>
...
</Files>
Rewriting from /go/123 to /go.php?code=123 is a classic. You capture the part for the query string and use it in the substitution
RewriteRule ^go/(.+)$ /go.php?code=$1 [L]
I didn't expect <Files go> or <FilesMatch go> to work, because "/go/123" isn't a file in the strict sense.
So despite my ignorance an additional
<Files go>
Allow from all
</Files>
works.
As an alternative, you can use If and check for the requested URL path
<If "%{REQUEST_URI} =~ m,^/go/,">
Allow from all
</If>
Problem solved:
<FilesMatch "go|go.php">
Allow from all
</FilesMatch>
Thank you all!
I have a website that has multiple PHP files with the same name, like this:
martin/info.php
david/info.php
peter/info.php
How can I disable opening info.php files?
Try this in your .htaccess file :
<FilesMatch "info\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
I'd like to deny multiple files through htaccess.
<FilesMatch (profile|reg|register|..............|)\.php>
order allow,deny
deny from all
</FilesMatch>
I have lots of files (6 folders with like 30 files each) that I want to deny access to, so using the method above by entering them one by one will take time.
Could I deny access to all files in the folders like this?
<Directory /www/php/login/pages>
Order Allow,Deny
</Directory>
To multiple
<FilesMatch "(foo|bar|doo)\.php$">
Deny from all
</FilesMatch>
or go for rewrite rules (RewriteEngine On)
RewriteRule \.(psd|log)$ - [NC,F]
To deny access to all files in the folders:
rewriteRule ^www/php/login/pages - [NC,F]
or simply place a `Deny from all' directly in that folder...
Update 2015: Using Apache 2.4 or higher, the `Deny from all' would needs adjustment.
You would need to add "deny from all" like your initial approach, but yes you can.
Scroll down in the documentation for the syntax you are looking for: http://httpd.apache.org/docs/2.2/mod/core.html#directory
This question already has answers here:
.htaccess deny access to specific files? more than one
(3 answers)
Closed 8 years ago.
I want to deny access to multiple PHP files in directory /all/cstl/.
My .htaccess is also stored in this directory.
This is my current code and it's not working.
<Files "\ (config.php|function.php|include.php)">
Order allow,deny
Deny from all
</Files>
I have tried to deny the directory and allow specific files but it denies the directory and does not allow the requested .php files. My code for this is:
<Directory />
Order deny,allow
Deny from all
<Directory>
<Files "index.php|post.php">
Order deny,allow
Deny from all
</Files>
Please give me some example of blocking access to multiple specific files within a directory.
There are several problems with the .htaccess you have there.
As BSen linked in the comment above, you should use FilesMatch.
Also, your regular expression is wrong.
The problem with the regular expression is that you have an escaped space at the start, so all files must start with a space character (followed by one of config.php, function.php etc)
Also a small explaination of the Order allow,deny directive:
http://www.maxi-pedia.com/Order+allow+deny
Try this:
<FilesMatch "config\.php|function\.php|include\.php">
Order allow,deny
Deny from all
</FilesMatch>
If you'd like to deny all but a few files, this would read as
Order deny,allow
Deny from all
<FilesMatch "index\.php|index\.html">
Allow from all
</FilesMatch>
In my site I've some file used by my application where are putted the log information.
For example a log file is "access.log", and i write in by PHP.
If a visitor go to www.mysite.ext/access.log , can see the file and all the information inside it.
How can I disallow this?
thanks a lot
Put this in your .htaccess
<FilesMatch "\.(htaccess|htpasswd|pinc|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Will block .log and other common files you don't want people to access.
If you want to do this in Apache, you can add the following to your .htaccess:
<files access.log>
deny from all
</files>