Grant access to only one directory with .htaccess - .htaccess

I want to only provide public access to a single directory (/dist). I have an .htaccess file with the following:
Order deny,allow
Deny from all
<Directory /dist>
Order Allow,Deny
Allow from all
</Directory>
I'm trying to first deny access to all, then overwirte that directive with a allow rule for the /dist directory. However, when I try to access any file through the browser, I get the following:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at you#example.com to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
What am I doing wrong?

As #Anubhava said, Directory dirctive is not allowed in htaccess contex ,this directive is available for use only in Directory context. You can use a RewriteRule to deny access to all except /dist directory :
RewriteEngine on
RewriteRule !dist - [F]
This will forbid all incomming requests except a request for /dist.

Related

How to deny all access to a directory and redirect 403?

I have a folder on my webserver and want to deny all access to that folder and all the files in it. Additionally, the visitor must be redirected to a specific error page on the same server.
The secured folder path is:
https://www.mywebsite.com/some_folder/files
The error page is located here:
https://www.mywebsite.com/some_folder/error.php
I tried placing a .htaccess file in the 'files' folder. This does prevent visitors from accessing the folder and files, but the redirect does not take place. I suspect that the syntax of the relative path is not correct.
This is my .htaccess:
ErrorDocument 403 /../error.php
Order deny,allow
Deny from all
When hitting the secured folder URL, the browser gives me this error message: "A 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."
Does someone have an example of what my .htacces should be?
You may try this in some_folder/.htaccess:
RewriteEngine On
RewriteEngine !^error\.php$ error.php [L,NC]
This will rewrite all requests that start with /some_folder/ to some_folder/error.php though browser won't see status code 403.
Inside error.php you may use this php code to return 403:
http_response_code(403);

Only allow users in my htpasswd list to access a file, but also allow wordpress to access the file

I have an XML file that I want to be only accessed by users via my wordpress deployment - but not if they try and access the file directly.
Is that possible?
I tried the following but it doesn't appear to work:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://my-domain.com/ [NC]
RewriteRule \.(xml)$ - [NC,L,F]
Any suggestions? Thanks in advance, love this community.
There are two ways:
Put the sensitive config file outside of the web root. The httpd follows the local file system hierarchies and privileges, not its own (virtual) virtual structure.
If your host does not allow this, you can restrict any HTTP requests to the files using .htaccess. Put the config file in a separate directory with a .htaccess file that blocks everybody (or a list of IPs, etc).
<Files important.xml>
Order allow,deny
Deny from all
</Files>
Since the web server still can read and execute the file PHP can access and process it too.

500 server error when denying access to subdirectory

I am trying to deny direct access to a subdirectory using .htaccess:
# Deny direct access
<Directory "/cron">
Deny from all
</Directory>
The above code is in the .htaccess file of my public_html directory. The subdirectory I am trying to block is located at public_html/cron.
When I enter an address within the /cron folder directly in the browser, I get a 500 server error instead of a 403. Any idea why?
You can't use <Directory> in .htaccess files.
http://httpd.apache.org/docs/2.2/en/mod/core.html#directory
Context: server config, virtual host
Use in your /cron/.htaccessfile:
deny from all

Protect restrict Solr Admin url from external user using .htaccess or tomcat

I have recently installed Solr on server and i want to restrict only local users can access it with .htaccess
site.com:8983/solr/admin [ restrict all user]
And below is the .htaccess code
RewirteRule on
<FilesMatch "127.0.0.1:8983/solr/admin">
Order Deny, Allow
Deny form all
Allow 127.0.0.1
</FilesMatch>
Or is there any method we can protect / restrict Solr Admin on site.com:8983/solr/admin accessing from other users
Only local ip users can use it..
And i tried this one, but its not working.
Your <FilesMatch "127.0.0.1:8983/solr/admin"> line will never match anything because you've stuck the hostname and port in the regular expression. Try using the Location container instead:
<Location "/solr/admin">
Order Deny, Allow
Deny from all
Allow 127.0.0.1
</Location>
Or better yet, Directory:
<Directory "/path/to/your/document/root/solr/admin">
Order Deny, Allow
Deny from all
Allow 127.0.0.1
</Directory>
You'll need to fill in the full path to the solr/admin directory.
Get rid of the RewirteRule on line, it doesn't do anything and it's not even spelled right and will cause a 500 error.
However, neither of these directives can be use in an htaccess file. You need to use these in either the server of vhost config. If you must use an htaccess file, then create an htaccess file in your solr/admin directory and simply put these directives in it:
Order Deny, Allow
Deny from all
Allow 127.0.0.1
Or, in the htaccess file in your document root:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !127.0.0.1
RewriteRule ^/?solr/admin - [L,F]
Check following links. Hope they will help you.
Restrict Solr Admin Access
Solr Security
Securing Solr administrative console
How to protect Apache Solr admin console

Protect ajax files from direct call using htaccess

To prevent my Ajax files from direct acccess I did this:
I put all files in a common directory called "ajax" and put this in an .htaccess file in the same folder. This is my directory structure:
/var/www/html/ajax
<Directory "/var/www/html/ajax">
order allow,deny
Deny from all
Allow from 127.0.0.1
</Directory>
But this produces server error 500. .htaccess use is enabled in my server along with mod-rewrite. Please help.
The Directory directive is not allowed in your .htaccess file. see http://httpd.apache.org/docs/2.0/mod/core.html#directory. However, you can achieve the same result by simply placing the code you have in the .haccess in the /var/www/html/ajax directory, without the Directory directive
order allow,deny
Deny from all
Allow from 127.0.0.1
<Directory> is a directive that's not supported in .htaccess files, it's core and vhost specific.
For an .htaccess file, the directive is superfluous and must be omitted, because the directory is implied by the location of the .htaccess file.
Simply remove <Directory> and its closing "tag" and it should work.

Resources