How to allow to view a file in (/../)subfolder using .htaccess ?
Folder structure:
root/
root/.htaccess
root/public
root/public/.htaccess
root/public/index.php
root/public/css
root/public/js
root/.htaccess
RewriteEngine On
RewriteBase /
Options -MultiViews
<FilesMatch ".*">
Deny from all
</FilesMatch>
#i tried to add here, public directory permission, but it does not work
#with DirectoryMatch i am getting the error The server encountered an internal error or misconfiguration and was unable to complete your request.
#without DirectoryMatch i am getting the error You don't have permission to access /type705b/public/index.php on this server.
<DirectoryMatch "/public.*">
Allow from All
</DirectoryMatch>
root/public/.htaccess
RewriteEngine On
RewriteBase /public/
Options -MultiViews
#wrong according comments <FilesMatch "public.*" >
Allow from all
#</FilesMatch>
#the rest of htaccess below
If i try to view root/public/index.php, i am getting the error :Forbidden You don't have permission to access /root/public/index.php on this server.
After the corrections, i am getting The server encountered an internal error or misconfiguration and was unable to complete your request.
The error log for the code above says xxx/htdocs/root/.htaccess: <DirectoryMatch not allowed here
Since you don't have any rewrite rule in public/.htaccess, you don't really need anything in public/.htaccess other than this line:
Allow from all
Moreover Files directive is used for matching file names only so it can never match a file path that includes directories also.
If I am not wrong, you have <Files ~ "^public.*" >, that's wrong.
The correct one should be <Files ~ ".*" > because you already has the RewriteBase /public/
<Files ~ "^public.*" > will allow only files that match public.* but as a file name, not as a path nor dir.
The working combination to allow to view a file in (/../)subfolder using .htaccess :
Folder structure:
root/
root/.htaccess
root/public
root/public/.htaccess
root/public/index.php
root/public/css
root/public/js
root/.htaccess
RewriteEngine On
RewriteBase /
Options -MultiViews
Deny from all
root/public/.htaccess
RewriteEngine On
RewriteBase /public/
Options -MultiViews
Allow from all
#the rest of code
Using <File > <FileMatch > <Directory > <DirectoryMatch > was giving the errors.
Related
My project name is funfeesa and all client side pages are contains in "client" folder. But I want to access then without to write client folder in the url.
just like below:
localhost/funfeesa/index.php
I have tried many rules in .htaccess file but nothing is working fine.
can anyone help me?
#prevent directory listing
Options -Indexes
IndexIgnore */*
#follow symbolic links
Options FollowSymlinks
RewriteEngine on
RewriteRule ^funfeesa/index.php(.+)?$ funfeesa/client/index.php/$1
Try to access your .htaccess file as above
Still if it doesn't work try by removing index.php from above rules but I think It should work :)
I have got a contact form on my website with file attachment as well, that has been restricted only to pictures. Although if I type in example.com/uploads/ all the files are accessible by anyone. Is htaccess the best way to hide it? Also how could I do that in a safe manner, without messing up the contact form?
I have tried this, but it blocks the whole website
deny from all
<Files ~ “^w+.(gif|jpe?g|png)$”>
order deny,allow
allow from all
</Files>
if I type in example.com/uploads/ all the files are accessible
You mean you get a directory listing? This can be disabled in .htaccess:
Options -Indexes
To actively block all HTTP requests for files in the /uploads directory (since you state in comments that these are only ever accessed over FTP) then all you need is (in your root .htaccess file):
RewriteEngine On
RewriteRule ^uploads - [F]
This will respond with a 403 Forbidden for all requests that start /uploads.
Just to block access to example.com/uploads/ you can place this rule in /uploads/.htaccess:
RewriteEngine On
RewriteRule ^/?$ - [F]
Consider these files structures on web root directory :
files/1/1.jpg
files/1/2.jpg
files/2/1.jpg
files/2/3.jpg
files/3/6.jpg
files/3/8.jpg
files/4/1.jpg
I want to deny access to files inside folder 2 and 3 using htaccess file that exists in web root directory. I try but nothing happend. Here's the code I used:
<FilesMatch "(2|3)\/*$" >
Order deny,allow
Deny from all
</FilesMatch>
Would you correct my mistake?
Thank you.
If your htaccess file is in your web root, and the files directory is also in the web root, you won't be able to match against files in another (sub)directory. You can either try putting the <FilesMatch> in an htaccess file in the files directory, or you can use mod_rewrite in the htaccess file in your web root:
RewriteEngine On
RewriteRule ^files/(2|3)/ - [F,L]
For optimal performance using htaccess, you should create a .htaccess file in each of the directories you want to protect:
Order deny,allow
Deny from all
I have the following .htaccess file:
RewriteEngine On
RewriteBase /
# Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
# Protect log.txt
<Files ./inscription/log.txt>
Order Allow,Deny
Deny from all
</Files>
# Disable directory browsing
Options All -Indexes
I am trying to forbid visitors to access the following file:
domain.example/inscription/log.txt
but what I have above does not work: I can still access the file from the browser remotely.
Within an htaccess file, the scope of the <Files> directive only applies to that directory (I guess to avoid confusion when rules/directives in the htaccess of subdirectories get applied superceding ones from the parent).
So you can have:
<Files "log.txt">
Order Allow,Deny
Deny from all
</Files>
For Apache 2.4+, you'd use:
<Files "log.txt">
Require all denied
</Files>
In an htaccess file in your inscription directory. Or you can use mod_rewrite to sort of handle both cases deny access to htaccess file as well as log.txt:
RewriteRule /?\.htaccess$ - [F,L]
RewriteRule ^/?inscription/log\.txt$ - [F,L]
Strong pattern matching — This is the method that I use here at Perishable Press. Using strong pattern matching, this technique prevents external access to any file containing “.hta”, “.HTA”, or any case-insensitive combination thereof. To illustrate, this code will prevent access through any of the following requests:
.htaccess
.HTACCESS
.hTaCcEsS
testFILE.htaccess
filename.HTACCESS
FILEROOT.hTaCcEsS
..etc., etc. Clearly, this method is highly effective at securing your site’s HTAccess files. Further, this technique also includes the fortifying “Satisfy All” directive. Note that this code should be placed in your domain’s root HTAccess file:
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
I don't believe the currently accepted answer is correct. For example, I have the following .htaccess file in the root of a virtual server (apache 2.4):
<Files "reminder.php">
require all denied
require host localhost
require ip 127.0.0.1
require ip xxx.yyy.zzz.aaa
</Files>
This prevents external access to reminder.php which is in a subdirectory.
I have a similar .htaccess file on my Apache 2.2 server with the same effect:
<Files "reminder.php">
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 127.0.0.1
Allow from xxx.yyy.zzz.aaa
</Files>
I don't know for sure but I suspect it's the attempt to define the subdirectory specifically in the .htaccess file, viz <Files ./inscription/log.txt> which is causing it to fail. It would be simpler to put the .htaccess file in the same directory as log.txt i.e. in the inscription directory and it will work there.
Place the below line in your .htaccess file and replace the file name as you wish
RewriteRule ^(test\.php) - [F,L,NC]
Well you could use the <Directory> tag
for example:
<Directory /inscription>
<Files log.txt>
Order allow,deny
Deny from all
</Files>
</Directory>
Do not use ./ because if you just use / it looks at the root directory of your site.
For a more detailed example visit http://httpd.apache.org/docs/2.2/sections.html
I saw several htaccess example disabling some files to access:
<Files ~ "\.(js|sql)$">
order deny,allow
deny from all
</Files>
for example, this prevents to access all .JS and .SQL files, the others are enabled. I want the contrary! I want those files to be ENABLED, all others to be prevented. How to achieve this?
Vorapsak's answer is almost correct. It's actually
order allow,deny
<Files ~ "\.(js|sql)$">
allow from all
</Files>
You need the order directive at the top (and you don't need anything else).
The interesting thing is, it seems we can't just negate the regex in FilesMatch, which is... weird, especially since the "!" causes no server errors or anything. Well, duh.
and a bit of explanation:
The order cause tells the server about its expected default behaviour. The
order allow,deny
tells the server to process the "allow" directives first: if a request matches any allow directive, it's marked as okay. Then the "deny" directives are evaulated: if a request matches any deny directives, it's denied (it doesn't matter if it was allowed in the first pass). If no matches were found, the file is denied.
The directive
order deny,allow
works the opposite way: first the server processes the "deny" directives: if a request matches, it's marked to be denied. Then the "allow" directives are evaulated: if a request matches an allow directive, it's allowed in, even if it matches a deny directive earlier. If a request matches nothing, the file is allowed.
In this specific case, the server first tries to match the allow directives: it sees that js and sql files are allowed, so a request to foo.js goes through; a request to bar.php matches no directives, so it's denied.
If we swap the directive to "order deny,allow", then foo.js will go through (for being a js), and bar.php will also go through, as it matches no patterns.
oh and, one more thing: directives in a section (i.e. < Files> and < Directory>) are always evaulated after the main body of the .htaccess file, overwriting it. That's why Vorapsak's solution did not work as inteded: the main .htaccess denied the request, then the < Files> order was processed, and it allowed the request.
Htaccess is magic of the worst kind, but there's logic to it.
Did you try setting a
deny from all
outside (before) the tag, then changing the
deny from all
to
allow from all
inside? Something like
deny from all
<Files ~ "\.(js|sql)$">
order allow,deny
allow from all
</Files>
if you are having trouble with your website, use this htaccess code. It solves all error you may likely encounter
DirectoryIndex index.html index.php
<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php)$">
Order allow,deny
Allow from all
</FilesMatch>
<FilesMatch "^(votes|themes|xmlrpcs|uninstall|wp-login|locale|admin|kill|a|allht|index|index1|admin2|license3|votes4|foot5|load|home|items|store).php$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
If this help you, don't forget to thump up!!!