Example.
I have a file site.com/file.html
As expected, I can see file under link site.com/file.html
But unexpectedly I see it under link site.com/file as well. So no extension URI shows, if exists, file with .html extension as far as I can see.
How can I omit this ?
To be closer to real life my PHP application URL site.com/file is overridden by the HTML file placed in the root. Apache doesn't reach my PHP URL, but shows the HTML page. If I remove the HTML file, then PHP-driven url fires. But I must have that .html file there present.
For now I have ended up with Options -MultiViews in .htaccess
So it seems I have enabled MultiViews by default and it works that way I don't need:
The effect of MultiViews is as follows: if the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
https://httpd.apache.org/docs/current/content-negotiation.html
But I don't see or understand any side-effects for now.
If someone has a better answer, please post.
Related
I want to secure and hide my asset folder from publicity. I hear that can be done with the .htaccess file and change the name from my directory-name to random name of the directory and in that case, users can't know the real name of my directory placed into my public_html. Can someone help me with examples of all kinds of documentation? I didn't try anything because I have really bad knowledge of .htaccess coding. Any help will be thankful.
Well, you can do this, but I'm curious as to the purpose if it's just to casually "hide" the underlying file directory? This doesn't really offer any additional "security" and can also cause issues if you have a front-end proxy that is intended to serve static content. It can also be problematic if you are using a CMS like WordPress as you may need to modify the default behaviour. (Although there may be other developmental issues for which you would choose to do this.)
Ideally, you would do something like this with the Alias directive in the main server config (or vHost container).
In .htaccess you can internally rewrite the request using mod_rewrite. Lets's say you are referencing /assets in the URL, but the actual filesystem directory that this should map to is /secret then you could do the following to simply forward all requests to /secret:
RewriteEngine on
RewriteRule ^assets/(.+) secret/$1 [L]
Only requests for /assets/<something> will be forwarded. A request for /assets or /assets/ will simply result in a 404 (assuming this directory does not actually exist).
To be more selective and only forward requests for specific file types, based on the file extension, then you could do something like the following:
RewriteRule ^assets/(.+\.(?:jpg|webp|gif|css|js))$ secret/$1 [L]
You could also check to see whether the target file actually exists before rewriting, but this is generally unnecessary and best avoided since filesystem checks are relatively expensive.
In my yii project i have Changelog and Licence text files. I know about RBAC and applied it on every Controller but how can i prevent any guest user to view these text files. As till now anyone can view this.
I have used this in my htaccess file
<Files ~ "(.txt)">
Order allow, deny
Deny from all
</Files>
But this is worked for txt file and these files have no extension
You can block access to all the files without extension using this rule in your site root .htaccess or Apache config/vhost file:
RewriteEngine On
# If the request is for a valid file
RewriteCond %{REQUEST_FILENAME} -f
# if there is no extension then block
RewriteRule ^[^.]+$ - [F]
You question is a little board, and so the answer is a little general. but there are a couple approaches;
option 1. remove the Changelog and Licence files? if these are yii install changelog and licence then they dont need to be left on the server. just ensure you complying with the licence requirements.
option 2.
you mentioned "guest user" which htaccess is not going to integrate well with yii for authorized users. you could move the files into a folder with a .htaccess containing a single line Deny from all. this blocks everyone except the PHP executed on your server.
you can now create a method/action in a controller which just echos the file contents. file-get-contents or readfile. wrap this your authentication so only non-guest users are able to use the method.
if there are only two static files, then maybe just an 'action' for each. if its many files that are changing names etc, then you accept an id to the controller pass to a model that uses scandir and checks the file really exists and spits out your output to view.
option 2.1
instead of folder with a .htaccess you could also move the files to the parent of the webhost base dir if you have this access. this means that your webserver can not serve the file, but the php can still reach it with local paths.
option 3
in .htaccess you can use AuthType basic and will invoke your webserver to prompt the user for username and password as configured in the .htaccess. this is problematic as the interface is not user friendly and is very difficult to integrate with your webapps user db.
option 4
.htaccess can support other AuthTypes but option 2 becomes much easier at this point.
I am extremely new to the concept of .htaccess, and I wanted to know how I could use it to allow a file to be used on a script on a .html file in the same directory as the .htaccess and the file. However, if you try to navigate to the file instead of viewing the script on the .html file, I would like it to be blocked. Thanks!
Update: Please see below comments!
Update 2: It seems that there is no way to achieve what I wished. That's ok, though. I just used a bunch of obfustication, and that seems to work well.
You are wanting to restrict access to a (script)file using htaccess so that a visitor can't directly link to the script file. Assuming this is working like described the visitor would load the HTML-file, the HTML-file would render and request the scriptfile....which will be blocked. So this isn't the way to go I reckon.
I would suggest changing the HTML-file to PHP when possible and include the script with a php include/require. This way the server-side code will determine what content is served.
Once you're including the file server-side you can prevent direct access to the file using htaccess by placing the code below inside your htaccess:
#Prevent Users From Accessing .inc* files in .htaccess
<Files ~ ".inc">
Order allow,deny
Deny from all
</Files>
In the above example direct access to .inc-files will be denied. Change this file-extension to your needs.
Inside your index.php file you'll need to include the file containing your script with something like:
include 'filewithscript.inc';
This should solve your problem.
I have my .htaccess file, and I have a folder with config files in there, and they contain sensitive content, e.g. database details etc. What I would like to know is, how can I block access from a browser, but allow them to be accessed via my scripts?
I know that this can be achieved inside the PHP files themselves, but I'd rather use the .htaccess approach where possible.
Is this actually able to be done? I've attempted it before, but in the process of denying access to the file from the browser, it also denied access from the coding.
I have looked into this before, and some of the answers I came across suggested changing the extension to something like .inc, and then denying access to that. However, a couple of issues I have with that is that a) It instantly alerts anyone that can see that filename, for whatever reason, that it is a config file. Also, b) If my denial code breaks, browsers will not parse it as a PHP file, but rather an inc file, meaning it will print the code in the browser.
Basically, can this be done within a .htaccess file, or do I need to put something in the header of every config file?
Put these files outside of your web server's document root.
You can still access them via your server-side scripts, but this ensures no direct access to them from the outside world.
The conventional advice is to place such files "outside of your web server's document root". This is all well and good, but many shared hosting offerings only give write access to your public_html directory.
I use a simple convention: any private content (that is not URI addressable) is prefixed by an underscore or in a directory that's name is prefixed with an underscore (eg. _private or _include). I then include this rewrite rule in my DOCROOT .htaccess file:
# if a forbidden directory or file name (starting with a . or /)
# then raise 404 Fatal return
RewriteRule (^|/)[_.] - [F]
Remember that you'll need to prefix with a RewriteEngine On and/or include this at the top of any .htaccess file with the engine enabled.
Note that the "." prefix picks up files such as .htaccess.
Please use a framework, these kind of issues just doesn't need to exist. If you insist though, write a .htaccess to redirect every request to a single index.php in the root directory, which then have more logic to determine whether or not the request is for a valid file and include them, otherwise generate 404 or 403. If you need performance for static files, then use RewriteCond to exclude specific directories or file type from the index.php check.
I've been asked to figure out how the Concrete5 system works for an employer, and I can't figure something out.
I have Concrete5 installed to a directory on the server called /realprofessionals. When the Concrete5 system makes new pages, it gives them their own absolute paths, for instance:
http://www.wmcpartners.com/realprofessionals/footer
However, it hasn't actually made a folder in the /realprofessionals directory called footer. So how does that work? How can http://www.wmcpartners.com/realprofessionals/footer be a working link?
Short answer: All page requests are actually going through the one and only index.php file. Page content is stored in the database, not in files on the server.
Long answer:
Concrete5 (and most PHP-based CMS's for that matter) work like this: all requests are routed through the index.php file. This routing is enforced with some mod_rewrite rules in the .htaccess file. The rules say "for any request, don't actually go to that page, but instead go to index.php and pass the rest of the requested path as $_GET parameters". Then in the index.php code (or some other code that is included by the index.php file), the requested page is determined based on the path that was put into the $_GET parameters by Apache (as per the mod_rewrite rule in .htaccess), and the appropriate content is retrieved from the database.
Storing content in the database as opposed to files on the server has several advantages. For example, you can re-use the same html template -- header, footer, sidebar -- on every page, and if you change the template it will automatically be reflected on all pages it's used on. Also, it makes it easier to shuffle pages around and to give them whatever URL you want (e.g. no ".php" extension at the end, or /2010/11/date/based/paths/for/blog/posts).
The disadvantage of course is that every request requires many database queries, but for most sites (those without zillions of page views), the trade-off is well worth it (and various types of caching can help reduce the performance hit).
Jordan's answer is excellent, I would add that you probably don't see index.php in the url because you've enabled pretty URLs (type 'pretty' on concrete5's searchbox to check that).
Anyhow, the best way to programmatically add link to internal pages is:
<a href="<?=$this->url('page-name');?>">
page name
</a>
It works both on localhost and online, with or without pretty URLs.
(For the page-name go to dashboard/full sitemap/page-name/properties/page paths and location.)