I don't know if what i need to do is possible but this the problem...
I have this folder structure:
PDF
-index.php
-SUBFOLDER1
--index.html
-SUBFOLDER2
--index.html
...
Index.php receive a parameter (POST Method) and pass it to an iframe src.
<iframe src="<?php echo $_POST['link'];?>"</iframe>
so can be
<iframe src="http://mydevsite.com/PDF/SUBFOLDER1/"></iframe>
My problem is to allow this access from iframe of index.php but deny all direct access of any subfolder from browser navigation bar.
For example, http://mydevsite.com/PDF/SUBFOLDER1/ could not accessible in browser.
I tried in .htaccess at the same level than index.php
Options -Indexes
order deny,allow
deny from all
allow from 127.0.0.1
But it does not works.
In index.php i can use a php header location instead of iframe if solution is easier with it.
I hope there's a solution to this problem.
Thanks a lot
Related
I have a website running on a server. It's just an index.html with a hello world text. Also, I have a folder named /vpn which contains various txt files and an index.html file.
If I try to access the URL domain/vpn, it shows me the content of index.html.
I just need to show the files inside the folder vpn when the user tries to access domain/vpn.
I created an .htaccess file with the next content in the root:
RewriteEngine on
<If "%{REQUEST_URI} == '/vpn/'">
DirectoryIndex disabled
Options +Indexes
</If>
When I try to access to vpn, it shows me a 404 error, the requested URL was not found on this server.
.htaccess is applying the DirectoryIndex rule (If a delete it, it shows me index.html content again), but not the Options +Indexes one.
I tried the same example in localhost (with XAMPP) and it's working fine.
What can be the problem?
PD: This is the content of apache2.conf file:
When I try to acces to vpn, it shows me a 404 error, the requested URL was not found on this server.
If you are getting a "404 Not Found" then it would imply that mod_autoindex is not actually installed on your server (consequently Options +Indexes has no effect - although it would seem from your server config that Indexes is perhaps already enabled).
mod_autoindex is the module responsible for generating the directory listings.
I created an .htaccess file with the next content in the root:
Personally, I would create an additional .htaccess file in the /vpn directory instead:
DirectoryIndex disabled
Options +Indexes
And disable Indexes (and set DirectoryIndex) in the root .htaccess file.
NB: RewriteEngine has no place here, unless you are overriding a parent config.
If I try to access the url "domain/vpn"
Note that you should be requesting domain/vpn/ (with a trailing slash). If you omit the trailing slash then mod_dir issues a 301 redirect to append it.
My website name is: cabinets.ga
I want to deny the access to all of my folders and files in my website, so this is my code to do that:
Order deny,allow
Deny from all
<FilesMatch "index\.php">
Allow from all
</FilesMatch>
This code works fine if the user write the link with the index.php like that : cabinets.ga/index.php but if he write only the domain name without the index.php like that: cabinets.ga it will give him (Forbidden)
So i want that if he enter both the domain name with the index.php or without it the website display the index.php without Forbidden it.. Any help please?
You can actually just make the filename optional in the regex (you don't need to use mod_rewrite). For example:
Order deny,allow
Deny from all
<FilesMatch "^(index\.php)?$">
Allow from all
</FilesMatch>
This will allow direct requests to index.php and also requests for the directory (no filename) ...which results in index.php (the DirectoryIndex) being served by mod_dir via an internal subrequest (which occurs later).
Note that you can't simply permit an empty filename (ie. "^$"). Whilst this allows the initial request for the bare directory, it will result in the internal subrequest for the DirectoryIndex, ie. index.php being blocked - so ultimately the request is blocked.
Note also that this allows access to all index.php files in all subdirectories and all directories that contain an index.php index document.
However, if you are on Apache 2.4 then you should be using Require instead, since Order, Deny and Allow are all deprecated on Apache 2.4.
Require all denied
<FilesMatch "^(index\.php)?$">
Require all granted
</FilesMatch>
UPDATE: My website is a single page application has just an index.php page controls all of my website with jquery ajax request, so i want when the user writed any other links accept my domain name accept the domain name the htaccess will redirect the user to the domain name
It sounds like you need to implement a front-controller pattern. The simplest form is using the FallbackResource directive. For example:
FallbackResource /index.php
Any requests that would otherwise result in a 404 are routed to /index.php. Any static resources (CSS, JS, images etc.) remain accessible and are not routed to /index.php.
When I browse example.com/img it shows all the directory contents. This leads to security problem . How to redirect these kind of url requests to example.com but without using htaccess
Best practice usually suggests adding these lines to your Apache config to disable directory listing:
<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>
But this will simply deny users access to the URL example.com/img. If you'd like to redirect as well, you could add an index.php file to each directory you'd like to redirect from in addition to making the Apache config change. The index.php file should contain:
<?php
header("Location:".$_SERVER['DOCUMENT_ROOT']);
I have got a contact form on my website with file attachment as well, that has been restricted only to pictures. Although if I type in example.com/uploads/ all the files are accessible by anyone. Is htaccess the best way to hide it? Also how could I do that in a safe manner, without messing up the contact form?
I have tried this, but it blocks the whole website
deny from all
<Files ~ “^w+.(gif|jpe?g|png)$”>
order deny,allow
allow from all
</Files>
if I type in example.com/uploads/ all the files are accessible
You mean you get a directory listing? This can be disabled in .htaccess:
Options -Indexes
To actively block all HTTP requests for files in the /uploads directory (since you state in comments that these are only ever accessed over FTP) then all you need is (in your root .htaccess file):
RewriteEngine On
RewriteRule ^uploads - [F]
This will respond with a 403 Forbidden for all requests that start /uploads.
Just to block access to example.com/uploads/ you can place this rule in /uploads/.htaccess:
RewriteEngine On
RewriteRule ^/?$ - [F]
Hello I don't know much about the .htaccess configuration, but I want to restrict access to php files on my web server and I want to have only index.php with parameters accessible.
My files are in subfolder like: www.mydomain.com/sub/index.php. I want to have access to open that index.php in subfolder, css files and js files.
Here is my configuration I have so far:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
<FilesMatch "*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
I have tried to do something like <Files sub/index.php> but everytime it restricts all php files in subfolders and www.mydomain.com/index.php works fine.
Can anyone help me with it?
You can move all files except ones needed to be accessible by http (index.php, css, images etc.) out from DocumentRoot directory to upper level, so directory layout looks like this:
/lib
/files
/html
/index.php
/css/
/images/
where /html is your DocumentRoot.
In this case you won't need any additional restrictive rules in .htaccess or VirtualHost configuration/
htaccess may not be the best option to preventing direct access to some of your Php files. Instead, create an access value and set it to some value in the page you wish directed access to and don't set it in other pages otherwise.
$access = 'some value';
if(empty($access)) { header("location:index.php"); die();}
This way other php files will only be accessible via include or require. Hope that helps.