I have a directory protected with a .htaccess file. I needed to add an exception for two files so I added the following:
<FilesMatch "^(file-A|file-B)\.php$">
satisfy any
allow from all
</FilesMatch>
File A worked no problem. File B however remained protected. I tried navigating to the files over HTTP instead of HTTPS. Suddenly both are unprotected. This solves my problem but I'd like to know why, especially since it only affected one file.
Related
I am extremely new to the concept of .htaccess, and I wanted to know how I could use it to allow a file to be used on a script on a .html file in the same directory as the .htaccess and the file. However, if you try to navigate to the file instead of viewing the script on the .html file, I would like it to be blocked. Thanks!
Update: Please see below comments!
Update 2: It seems that there is no way to achieve what I wished. That's ok, though. I just used a bunch of obfustication, and that seems to work well.
You are wanting to restrict access to a (script)file using htaccess so that a visitor can't directly link to the script file. Assuming this is working like described the visitor would load the HTML-file, the HTML-file would render and request the scriptfile....which will be blocked. So this isn't the way to go I reckon.
I would suggest changing the HTML-file to PHP when possible and include the script with a php include/require. This way the server-side code will determine what content is served.
Once you're including the file server-side you can prevent direct access to the file using htaccess by placing the code below inside your htaccess:
#Prevent Users From Accessing .inc* files in .htaccess
<Files ~ ".inc">
Order allow,deny
Deny from all
</Files>
In the above example direct access to .inc-files will be denied. Change this file-extension to your needs.
Inside your index.php file you'll need to include the file containing your script with something like:
include 'filewithscript.inc';
This should solve your problem.
Following an answer to this question, I'm starting to look at keeping multiple .htaccess files for my different environments. The gist of it is, you create a file for each environment (.htaccess-dev, .htaccess-prod, etc) so you can track them all in Git, then symlink .htaccess to whichever file you want to use on a given environment. Simple enough, and easy to rebuild if it gets destroyed.
Before I implement this though, I wanted to do my diligence - I can't find anything relating to security of .dotfiles past .htaccess/.htpasswd. If I had .htaccess-dev and .htaccess-prod on my production server, would they be accessible through a browser? Are there any other security considerations I should be aware of?
There's probably something like this inside your server configuration (older Apache):
<FilesMatch "^.ht">
Order allow,deny
Deny from all
</FilesMatch>
Or maybe this (new Apache):
<Files ".ht*">
Require all denied
</Files>
Or even this (nginx):
location ~ /\.ht {
deny all;
}
As the first line of each bit suggests, these rules restrict access to any file starting with .ht. However, there's no guarantee that this configuration option is there, it just happens to be in the default config for some web servers.
In short, there's nothing magical about .htaccess files not being accessible, it's all in your config file. In your case, your alternative htaccess files happen to match the rule, but you're probably better off just writing similar rules for other files you want to deny access to, so you can make it explicit that you do want these stored but don't want them published.
I've made a site 1 year ago using php, when I had alot less experience. My teacher and I were analysing the code today and there seems to be a security issue. He wants me to fix it before he gives me the points I need.
I've got an index.php and an edit.php file in the root directory, and a login page in /php/login.php (which I find to be a very silly place to put a login file in, now that I look back on it, I would probably swap edit.php's and login.php's directory's if I were to rewrite my site).
Basically, I want these three files to be accessible externally. I want all other php files to be restricted from the outside, so it's impossible to do an ajax call to /php/phpsavefile.php from outside the system (which is the security issue I mentioned). edit.php makes the ajax call to /php/savefile.php.
I think this is what I need to get the job done:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
But how can I add three files instead of just one after <Files and before >?
I've also tried second approach:
Order Deny,Allow
Deny from all
This doesn't seem to work because an ajax call appears to be a regular http request as well, so it gets a 403 response.
Another approach I tried was putting the restricted php files inside a map called "private"
in the same folder where "httpdocs" remains (the parent folder of webroot). My teacher had told me about an admin folder, that no one can access but the site itsself. I tried including the restricted php files inside the private folder, but it didn't seem to include it properly...
Any help or tips for this novice at .htaccess would be appreciated :-)
Edit:
.htaccess allow access to files only from includes
Ray's comment said:
Of course, because they are requested by the client. You can't "allow the client" and "not allow the client" to serve files.
I suppose this is true, but how can I prevent people from calling my ajax file?
I secured it by checking if the user was logged in.
I've placed a simple cache control in my .htaccess file:
#cache css and javascript files for one week
<FilesMatch ".(js|css)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
When I test the desktop site at Google's Page Site tester: https://developers.google.com/speed/pagespeed/insights ... it shows the javascript and images are being cached properly. However, when I test my mobile website, the caching isn't working. My htaccess file is contained in the public_html directory alongside all my desktop files (ie. public_html/index.html, public_html/images/, public_html/css/, public_html/.htaccess etc.) My mobile site is contained here: public_html/mobile/.
Would I need to add a second .htaccess file to the mobile directory to make it work?
Thanks.
The best option is to use .htaccess file of html5 boilerplate. It is highly optimised for cache,gzip,cross-domain ajax plus a lot of features.
Also do check whether mod_deflate is on or not.
You don't need any additional .htaccess file just use a single file in the root of your directory.
I'm trying to do a dirty hack in order to set some php.ini variables for a specific part of my website.
The hack is so that site wide the php.ini variables regarding POST sizes are the recommended PHP defaults. However in one area I am expecting a massive POST to be sent. This is for security reasons and so that people cant post massive objects everywhere and take up the sites RAM and processors etc.
Here's what I'm trying to do then:
I have created a subdirectory in the public_html area called 'massiveupload' (the controller is also called this).
In the folder I have place a .htaccess file which is the same as the default kohana one with a few differences (firstly RewriteBase is now /massiveupload and secondly RewriteRule is now RewriteRule .* index.php/projects/$0 [PT]). My php_values are also set here.
Copied the index.php file and altered the system, application, and module paths so that they're correct.
Now... if I stick phpinfo() at the top of the index file I can see that the php_values are working when I visit http://www.mysite.com/massiveupload
However when phpinfo() is taken out the website breaks at this line:
require SYSPATH.'classes/kohana/core'.EXT;
Which gives me a HTTP 500 (Internal Server Error).
I have checked the path and the file exists, file_exists() can find it too. So my guess would be that it's something within the file.
Any help would be greatly appreciated.
Having tried to debug the code further with the use of XDebug it wouldn't debug any further into the line that was causing the issue.
I have instead implemented the solution a different way, setting specifc php_values in the VirtualHost part of HTTPD config... which can be found here: Kohana - controller specific .htaccess