I have an folder /img
I want that isn't allowed to watch alle pictures via /img
But I want to allow img/picture1.jpg
To deny direct access to img folder, you can use
RewriteEngine on
RewriteCond %{THE_REQUEST} /img/.*
RewriteRule ^ - [F]
RewriteRule ^(.+\.gpg|png|gif)$ /img/$1 [L]
This will rewrite /foo.png to /img/foo.png but you will get 403 error if you request /img/foo.png
Related
I have the following structure:
- root
- css
- test.css
- index.php
Is there a way to throw a 404 error when I try to open anything in CSS folder in my browser as:
http://localhost:1993/css
http://localhost:1993/css/test.css
but still accessible from the browser? I want CSS to load normally, but to throw a 404 error when someone opens this path. Or turn off the directory listing for everything in the directory (with all files inside)? Or something like that? Its possible?
You can try mod_access,
<FilesMatch "\.css$">
order deny,allow
deny from all
allow from 127.0.0.1
allow from localhost
</FilesMatch>
With mod_rewrite
RewriteEngine On
RewriteCond %{HTTP_HOST} ^!localhost
RewriteCond %{REQUEST_URI} ^/css [OR]
RewriteCond %{REQUEST_FILENAME} \.css$
RewriteRule ^ - [R=404]
we have created a CDN subdomain to host images, using this URL:
https://cdn.example.com/images/
What we want is to redirect, if someone goes to any other path of this subdomain. For example:
https://cdn.example.com/
https://cdn.example.com/blabla/
Redirect to other domain, just not redirect if the folder is images.
create htaccess file in your document root, and deny direct access to all files
Order deny,allow
Deny from all
and create htaccess file in images:
Allow from all
Try the following using mod_rewrite, near the top of your .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^cdn.example.com [NC]
RewriteRule !^images/ https://example.com%{REQUEST_URI} [R,L]
If you access cdn.example.com/<something> and the URL-path does not start /images/ then redirect to https://example.com/<something> (the main domain).
Change R to R=301 (after you've made sure it is working OK) if you want a permanent redirect.
UPDATE: To exclude additional folders (eg. images2 and images3) then you can change the RewriteRule directive to:
RewriteRule !^(images|images2|images3)/ https://example.com%{REQUEST_URI} [R,L]
If the folders are literally called images, images2 and images3 then this could be simplified to match (or rather not match) any URL of the form /imagesN - where N is an optional digit:
RewriteRule !^images\d?/ https://example.com%{REQUEST_URI} [R,L]
I have a folder on my site (domain.com/protect) I want to limit to only one referrer (otherdomain.com/subfolder).
Deny for all others, allow only if coming from that URL.
If not coming from that URL, then redirect the visitor over to otherdomain.com/login instead.
How would I write that out in .htaccess rewrite rules?
In the htaccess file in your /protect directory, add these rules:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !otherdomain\.com/subfolder
RewriteRule ^ - [L,F]
The condition checks that the referer doesn't contain: otherdomain.com/subfolder, and if it doesn't, then whatever the request is (inside the /protect directory) will result in a 403 Forbidden.
Alternatively, you can put these rules in the htaccess file in your document root if you would rather keep everything in once place:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !otherdomain\.com/subfolder
RewriteRule ^/?protect/? - [L,F]
I've got different users for my website, owning different images which are all stored in the same folder. The images are stored in an incremental fashion, 1.jpg, 2.jpg etc.
User can view these pictures on a specific php page. Now I want to restrict the access to these images only through this php page so that they can't simply enumerate all the filenames to see the images of other users.
I thought of doing this with an .htaccess file which is stored besides the images in /shop/img/userimg/ and would look something like this:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/shop/shop.php [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]
My site is a subsite (as you can see: /shop/) and the php page to view these images would be shop.php.
Now, is this possible at all? What am I doing wrong?
Note that the referer header is not to be trusted. Some proxies and firewall remove the header entirely, so you have to account for it not being present (that's what the 2nd line is for)
RewriteCond %{HTTP_REFERER} !/shop/shop\.php$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpe?g|gif|bmp|png)$ - [F,L]
Try adding the following to your htaccess file.
RewriteEngine On
RewriteBase /
#if the referer (page request came from) does not contain shop.php
RewriteCond %{HTTP_REFERER} !/shop/shop\.php [NC]
#and it is a request for images, then send a 403 forbidden
RewriteRule \.(jpe?g|gif|bmp|png)$ - [F,L]
I'm having a small problem with my htaccess files. Currently, it redirects everything back to index.php for processing, except when someone tries to access an actual directory. When the directory exists, it displays the 403 error page instead of rewriting the path to index.php like it's supposed too. What can I modify to make it always go to index.php when the files are accessed via the internet, but still load the correct files in PHP on the server?
Options -Indexes +FollowSymLinks
RewriteEngine On
RewriteBase /
ErrorDocument 403 /index.php?403
ErrorDocument 404 /index.php?404
ErrorDocument 414 /index.php?414
RewriteCond %{HTTP_HOST} !^$ [NC]
RewriteRule !^(.*) index.php [L]
Sample file structure:
Web Directory
- com
- source
- index.php
- TEST.HTML
The folders such as 'com' and source' will display the 403 because the user doesn't have access to them. The files such as 'index.php' and 'TEST.HTML' execute normally. I want my htaccess to redirect everything in the Web Directory folder back to the index.php file, no matter what.
I think you want this instead:
Options -Indexes +FollowSymLinks
RewriteEngine On
RewriteBase /
ErrorDocument 403 /index.php?403
ErrorDocument 404 /index.php?404
ErrorDocument 414 /index.php?414
RewriteCond %{REQUEST_URI} !^/index.php
RewriteRule .* index.php [L]
This was on the assumption that you didn't want to be able to access TEST.HTML directly and didn't want to change the URL in the user's browser. If either of those assumptions were wrong, let me know and I'll update the answer with the appropriate rewrite information.