I need to block access to my entire site via IP Address except the url /api which should be open to all.
I am currently using ...
<LocationMatch /admin>
Order Deny,Allow
Deny from all
Allow from [MY IP]
</LocationMatch>
this blocks access urls starting with /admin. But I want to block all urls except the ones that start /api.
Chris
RewriteEngine On # (only needs to happen once in .htaccess files.
RewriteBase /
RewriteCond %{REMOTE_ADDR} !^10\.103\.18\.104 # <--YOUR IP HERE
RewriteCond %{REQUEST_URI} !^/api # page or directory to ignore
RewriteRule ^(.*)$ http://example.com/no_access.html [R=401] # where to send blocked requests
Well you can first block the whole site, then simply allow /api.
<LocationMatch />
Order Deny,Allow
Deny from all
Allow from [MY IP]
</LocationMatch>
<LocationMatch /api>
Order Deny,Allow
Allow from all
</LocationMatch>
Sorry I couldn't test it due to the way XAMPP is configured on my PC. Pray it works.
Related
I am working on securing my web server.
I do not want people to be able to execute files they shouldn't.
I was told that I should deny all and whitelist files that could be executed.
That works. Problem is when i access my domain.com it wont execute example.com/index.php . if i type example.com/index.php it works.
here is my htaccess file
Options -Indexes
Order deny,allow
Deny from all
<Files /index.php>
Allow from all
</Files>
<Files "index.php">
Allow from all
</Files>
<Files "teacher_login.php">
Allow from all
</Files>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
You know what's a better way to prevent people from executing scripts they shouldn't?
Don't put them on the Web at all.
Put these scripts outside of public_html on your server, and suddenly nobody can access them! No need for .htaccess hacks like what you're trying. And better still, they're still accessible for the server itself - eg.
require($_SERVER['DOCUMENT_ROOT']."/../hidden-scripts/something.php");
Much better.
I want to block HTTP access to every file in my project directory except PHP scripts located in the root folder (not subfolders).
My current .htaccess file looks like this :
# Disable Directory Listings in this Directory and Subdirectories
# This will hide the files from the public unless they know direct URLs
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api.php/$1 [QSA,L]
</IfModule>
# Deny all files from being accessed with Apache
Order Deny,Allow
Deny from all
# Allow specific PHP files at root
<FilesMatch "/(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
This mostly works, except for the URL rewriting on the api.php script. I've tried changing the FilesMatch regexp to /(api|cron|status)(\.php)?$, but it keeps on throwing me a 403 response.
Anyone can explain to me what I did wrong here ? I'm usually OK with regexp, but this has got me thinking Apache doesn't process them like everyone else...
Deny from all
<FilesMatch "^(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
And I guess make sure your .htaccess is on the root level.
I have mp3's in a directory called /mp3/ and I want to be able to access them only from another page.php in another directory /main/ on the site.
No direct linking from outside.
All of the pages are written in php
I put this code in the .htaccess file inside the /mp3/ directory...
Order deny,allow
deny from all
allow from 127.0.0.1
allow from localhost
allow from mydomain.com
allow from 123.45.678.90 # that's myserver's IP address (real one used in code)
Satisfy Any
But none of those work.
It does work however if I use the IP address of were I am.
allow from 1.2.3.4 # my internet connection (real one used in code)
But that means it would work for anyone and their IP address.
What am I missing here? Does this work only on certain servers?
How do I make it use the server's IP address and not my IP address?
Look into "hotlink protection" added to your .htaccess file. You can set it up for just .mp3 file extension, and forbid access by any foreign site or directly from browsers. You might even be able to restrict access from within your own site, but I can't see that being terribly useful.
Something like
RewriteEngine on
Options +FollowSymlinks
# hotlink protection and allowed list
# don't forget to add https: to allow accesss for any with SSL
## uncomment following line to PERMIT direct browser access of mp3 files
#RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com(/)?.*$ [NC]
RewriteRule .*\.mp3$ - [F,NC]
Place the files you want to protect out of the public folder. This way they are only accessible via your scripts.
-root
--mp3s
--public_html
---main
----index.php
----page.php
You are trying to limit a "referral" and not direct access?
Denying from an IP limits all access, whether referred to by your page.php or by typing it into the browser's URL location bar. If you're trying to limit referrals, you can try using something like:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain.com/ [NC]
RewriteRule ^mp3/ - [L,F]
but be warned that referers can be spoofed.
What about something like this, in your .htaccess
<Files ~ ".mp3$">
Order allow,deny
Deny from all
</Files>
This will not allow direct access to any files with .mp3 from your web server.
Place this code in your mp3/.htaccess file:
RewriteEngine on
RewriteBase /mp3/
RewriteCond %{HTTP_REFERER} !^https?://(localhost|(www\.)?mydomain\.com)/ [NC]
RewriteRule ^ - [F]
In my .htaccess file, I am using the below to prevent direct access to folders:
Options -Indexes
I am using the below to prevent access to a critical file of ours:
<Files admin.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from (my ipaddress)
</Files>
So, now users cant go to www.domain.com/scripts as it throw 404 error, nor can they access admin.php
But how do I prevent direct access to all?
For example, if someone knew the filename, they can still get to it, such as: www.domain.com/scripts/process.php
What to do?
Using mod_rewrite:
Put this rule on top of all other rules:
RewriteRule ^scripts(/.*|)$ - [F,NC]
Without using mod_rewrite:
Put this code in scripts/.htaccess:
Order Deny,Allow
Deny from all
UPDATE: To block direct access to all files:
# If the request is for a valid file
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{THE_REQUEST} \..+[\s?]
# return forbidden error if not static files
RewriteRule (?!^.+\.(?:jpe?g|gif|bmp|png|tiff|css|js)$)^.*$ - [F]
How can I deny access to http://sub.mydomain.com/, but allow for (completely) http://sub.mydomain.com/test (or http://sub.mydomain.com/test/)
There is a magento back-end behind http://sub.mydomain.com/test/
.htaccess directives apply to that directory, and all subdirectories thereof, so you should disallow access in your DocumentRoot,
http://sub.mydomain.com/.htaccess:
Order deny,allow
Deny from all
And override that in any specific subdirectories you would like to allow access to,
http://sub.mydomain.com/test/.htaccess:
Order allow,deny
Allow from all
How about a .htaccess at the root directory, with the following lines?
RewriteEngine On
# check if request is for subdomain
RewriteCond %{HTTP_HOST} ^sub.mydomain.com$ [NC]
# check if 'test' isnt part of request
RewriteCond %{REQUEST_URI} !^/test/?(.*)$ [NC]
# if subdomain and no 'test' part, redirect to main domain...
RewriteRule ^(.*)$ http://www.mydomain.com/$1 [R,L]
So if the '/test/' section is present, no redirect takes place...
Try create .htaccess file in sub.mydomain.com for deny, and in sub.mydomain.com/test for allow.
Or you can redirect from http://sub.mydomain.com/ to deny subdir.
I know this is a very old thread, but I've been struceling with exactly this scenario for several days and finally got it to work, thus I thought I'd share my solution for further reference.
As of Apache version 2.4 (I guess), it's possible to use directive <RequireAll> and <RequireAny>.
This can be used to allow access to specific subfolders.
My solution for .htaccess (inspired from this site: https://www.the-art-of-web.com/system/apache-authorization/):
SetEnvIf REQUEST_URI "^/test/.*" PUBLICACCESS
# Use for multiple subfolders:
# SetEnvIf REQUEST_URI "^/(?:test|test2|test3|test4)/.*" PUBLICACCESS
<RequireAny>
<RequireAll>
# Public access
Require env PUBLICACCESS
Require all granted
</RequireAll>
<RequireAll>
# Require user and password
AuthType Basic
AuthName "Secured"
AuthUserFile /var/www/example.com/.htpasswd
Require valid-user
</RequireAll>
</RequireAny>
I'm using a cpanel powered server which will add .htaccess entries like the following:
#----------------------------------------------------------------cp:ppd
# Section managed by cPanel: Password Protected Directories -cp:ppd
# - Do not edit this section of the htaccess file! -cp:ppd
#----------------------------------------------------------------cp:ppd
AuthType Basic
AuthName "Protected"
AuthUserFile "/home/****/.htpasswds/sites/****/passwd"
Require valid-user
#----------------------------------------------------------------cp:ppd
# End section managed by cPanel: Password Protected Directories -cp:ppd
#----------------------------------------------------------------cp:ppd
I wanted to allow access to a specific subfolder, and the solution was creating an .htaccess file within that subfolder and placing the following inside:
Satisfy any
If you have protected your DocumentRoot by Auth, then you can allow your Subfolder by follow:
http://sub.mydomain.com/test/.htaccess:
require all granted
Order allow,deny
Allow from all