deny access to index.php but allow index.php?var=val - .htaccess

I wonder if I can deny accessing http://domain.tld/index.php and allow only http://domain.tld/index.php?var=val
Is this possible with a rewritecond and rewriterule? I cannot figure this out. Any help?
Thanks!

Yes it is possible. The trick to use a condition to check the query string, using this in your docroot .htaccess file which allows you to forbid access to index.php unless the variable var is set:
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} !\bvar=
RewriteRule index.php - [F]

Does it have to be a rewrite rule? If it's a PHP script, you could detect the absence of the required parameters and just return an appropriate HTTP header to deny access.

Related

Create new .htaccess file to deny

Let me start by saying I am new to creating an htaccess file. I want to deny certain IPs from access to our site. I created this and I am looking for validation that this is correct. I know that there is no advanced redirect page within this as I am not sure how to accomplish that yet. I am more concerned that this snippet would work to block IPs. Thanks in advance for any and all help.
#.htaccess
DirectoryIndex index.htm
#deny list
order allow,deny
allow from all
deny from xxx.xxx.xxx.xxx
deny from yyy.yyy.yyy.yyy
Looks good to me, assuming you're on Apache 2.2 To block individual visitors, you can use the following directives:
Order Allow,Deny
Allow from all
Deny from 123.123.123.123
Instead of blocking visitors, you can redirect them to another location. Here's how to do it using Apache's mod_rewrite:
#<IfModule mod_rewrite.c>
RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123$
RewriteRule .* https://www.google.com [R=301,L]
#</IfModule>
See also: https://htaccessbook.com/block-ip-address/
Alternatively, try this to block a range if IPS (here 10.0.8.0-10.0.8.21:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^10\.0\.8\.(2[01]|[0-9][0-9]|[0-9])
#or RewriteCond %{HTTP_HOST} 12\.34\.56\.789
RewriteRule .* https://www.google.com [L,R=301]
If you are on Apache 2.4 this link from the htaccess book shows the differences between 2.2 and 2.4: https://htaccessbook.com/access-control-apache-2-4/

deny access of php file from url htaccess

Here's the Scenario,
I have a sample link that looks like this
Let's say ProjectName/products.php
I was able to rename the URL in htaccess to make it look like: ProjectName/products
HTACCESS:
RewriteEngine On
RewriteRule ^products?$ products.php
My question is, is it possible to deny access when trying to enter URL ProjectName/products.php ? I'm new in htaccess. I've tried adding deny from all, yes it solved the problem of not accessing that php file but it happens that I also can't access now the cleaned URL, I hope i made my question clear. thanks for the help.
To deny external access to the php file, you can use the following rule :
RewriteEngine on
RewriteCond %{THE_REQUEST} /products\.php [NC]
RewriteRule ^ - [R=403,L]

.htaccess - block request if containts a word (variable)

I'm getting tons of requests on my site based on an old url (get variable) structure. Its not something humans follow, so instead of redirecting it I want to block it so it uses almost 0 resources from server.
If the url contains something like thewebsite.com/?s=bla&some_variable=1 I want to block it with prejuduce!
This is what I have but it does not seem to work.
<FilesMatch "some_variable=1$">
order allow,deny
deny from all
</FilesMatch>
What am I doing wrong here?
You could parse query string with mod_rewrite and QUERY_STRING.
You can put this code in your root htaccess
RewriteEngine On
RewriteCond %{QUERY_STRING} some_variable=1 [NC]
RewriteRule ^ - [F]
Note: don't forget to check if mod_rewrite is enabled

Restrict / Block Directory Based on IP Address

Trying to block directory access from everyone except 1 IP address. This .htaccess code blocks access but it blocks access to everything including images, css, etc. What do I need to change?
RewriteCond %{REMOTE_ADDR} !^XX\.XXX\.XX\.XXX$
RewriteRule ^hidedirectory(.*)$ http://site.com/ [R,L]
Anyone accessing mysite.com/hidedirectory except me should redirect to mysite.com. Is there a better, more secure way to do this including something like an http response code?
Better way is to do this in your .conf file:
<Directory /hidedirectory>
options -Indexes
Order Deny,Allow
Deny from all
Allow from XX.XXX.XX.XXX
</Directory>
This will deny everythig like your rewrite rules.
But since you want to allow access to images/css etc...
RewriteCond %{REMOTE_ADDR} !^XX\.XXX\.XX\.XXX$
RewriteCond %{REQUEST_URI} !\.(?:jpe?g|png|gif|css)$ [NC]
RewriteRule ^hidedirectory(.*)$ http://site.com/ [R,L]
Add any other extensions into (?:jpe?g|png|gif|css) suffixed by a |(or).

Use .htaccess to block all domains to access images folder except myown domain

i want to use .htacess to block all domains to access my images folder.
this folder is only accessible by own domain only.
I think what you are looking for is some sort of hotlink protection in which case this in your .htaccess file should work:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
Change yourdomain.com to whatever your domain is. Change the RewriteRule to include any file extensions you wish to block and then place the entire thing in a .htaccess file in the directory you wish to protect.
As described in this page of Apache docs, you can accomplish it with the following directives, replacing example\.com with your domain name (please remember to escape any dot characters from . to \.:
SetEnvIf Referer example\.com localreferer
<FilesMatch \.(jpe?g|png|gif)$>
Order deny,allow
Deny from all
Allow from env=localreferer
</FilesMatch>

Resources