Protect ajax files from direct call using htaccess - .htaccess

To prevent my Ajax files from direct acccess I did this:
I put all files in a common directory called "ajax" and put this in an .htaccess file in the same folder. This is my directory structure:
/var/www/html/ajax
<Directory "/var/www/html/ajax">
order allow,deny
Deny from all
Allow from 127.0.0.1
</Directory>
But this produces server error 500. .htaccess use is enabled in my server along with mod-rewrite. Please help.

The Directory directive is not allowed in your .htaccess file. see http://httpd.apache.org/docs/2.0/mod/core.html#directory. However, you can achieve the same result by simply placing the code you have in the .haccess in the /var/www/html/ajax directory, without the Directory directive
order allow,deny
Deny from all
Allow from 127.0.0.1

<Directory> is a directive that's not supported in .htaccess files, it's core and vhost specific.
For an .htaccess file, the directive is superfluous and must be omitted, because the directory is implied by the location of the .htaccess file.
Simply remove <Directory> and its closing "tag" and it should work.

Related

Htaccess - restrict access to file but only in present directory

I have index.php file that i want to allow access only for specific ip with htaccess.
However i want to allow access for files named index.php in subdiectories for everyone.
How should I write rule that would affect only index.php in present directory? This is what i tried but with no success, it blocks index.php in subdirectories too:
<Files "./index.php">
Order deny,allow
Deny from all
Allow from 192.168.24.2
</Files>
You can write a .htaccess inside the subdirectories which contained the Allow from all, thus allowing access to those specific directories, and subdirectories from them onwards.

Redirect all requests to base URL without using .htaccess

When I browse example.com/img it shows all the directory contents. This leads to security problem . How to redirect these kind of url requests to example.com but without using htaccess
Best practice usually suggests adding these lines to your Apache config to disable directory listing:
<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>
But this will simply deny users access to the URL example.com/img. If you'd like to redirect as well, you could add an index.php file to each directory you'd like to redirect from in addition to making the Apache config change. The index.php file should contain:
<?php
header("Location:".$_SERVER['DOCUMENT_ROOT']);

Disabled PHP for Single Directory with HTACCESS (PHP-FPM)

I want to disable the parsing of PHP files in a specific directory, and found out how to do that here. The problem is that my server uses PHP-FPM, and I get Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration when I try to use php_flag in my httpd.conf file.
How can I disable parsing of PHP files in a given web-accessible directory with an htaccess/httpd.conf file that is located above web root on a server using PHP-FPM?
Since Fedora 27 switched to php-fpm recently, I, too, ran into this problem. Unfortunately, the old ways of doing things with mod_php do not apply to php-fpm.
I did find another question here that definitely seemed more relevant:
Apache: Disable php in a directory
The gist of it was was to use a <directory> and <filesmatch> block in your config file, and use SetHandler ! for every directory you didn't want PHP code interpreted.
e.g.:
<Directory "/path/to/no/phpfiles">
<Files "*.*">
SetHandler !
</Files>
</Directory>
This is tested and working on Fedora 27, PHP-FPM 7.1.12.
Unlike using the fpm configs directly, this technique works recursively, so placing it at the top level of a tree of stuff you don't want PHP interpreting works as expected.
I disable .htaccess files in my configurations, but this technique should still work. However, <directory> is not valid inside a .htaccess file. Hopefully just removing it, and leaving:
<Files "*.*">
SetHandler !
</Files>
Should be sufficient.
How can I disable parsing of PHP files in a given web-accessible
directory with an htaccess/httpd.conf file that is located above web
root on a server using PHP-FPM?
You can't persay the way you're trying it without mod_php (which you don't want) which is why you're getting that error. PHP-FPM is not an Apache module. It runs independent of Apache. That's actually it's purpose to be used on heavily loaded sites and it can control all the PHP processes.
One way you might be able to achieve this is to specify the exact path you want to run PHP, in your virtualhost file with the Directory directive. Instead of just having the PHP handler stuff, enclose it with the Directory directive with the actual path you want it to run. Here is an example.
<VirtualHost *:80>
ServerAdmin webmaster#example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/public_html/
ErrorLog /var/www/example.com/error.log
CustomLog /var/www/example.com/access.log combined
<Directory /path/to/php/only/folder/>
#then you PHP handler stuff
<IfModule mod_fastcgi.c>
AddType application/x-httpd-fastphp5 .php
Action application/x-httpd-fastphp5 /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi_example.com
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi_example.com -socket /var/run/php5-fpm_example.com.sock -pass-header Authorization
</IfModule>
</Directory>
</VirtualHost>
Then restart Apache. This should limit it to that directory. You might have to remove the php handler info from the other config so it's not overwritten.
Note I have not tested this solution.

htaccess file not working with wamp

I'm running WAMP on my Win7 box and trying to configure an htaccess folder to restrict my guests from browsing the directory structure.
Right now, if you head to http://grovertechnologysolutions.com/Technical, it will list the directory structure which I do not want. They should be only able to get to the .html site.
I've already modified the httpd.conf file to remove the commented out rewrite mod.
I've added the htaccess file to the documentroot of my website.
My htaccess file looks like this:
options -indexes
# or #
IndexIgnore *
I've restarted all services multiple times.
Should the htaccess be in the WWW folder or the document root? I run many websites virtually and only care about my main site, so I've been placing the htaccess inside that folder, but have tried www as well.
I'm assuming you've edited the proper .htaccess file in the website's DocumentRoot folder.
Options -Indexes
The above will only work if your particular WAMP's configuration and the website's VirtualHost file has the proper AllowOverride value set, such as...
AllowOverride All
Check the website's VirtualHost file, and/or httpd.conf's for something like...
<Directory "C:/WampDeveloper/Websites/www.example.com/webroot">
Options All
AllowOverride All
order allow,deny
allow from all
</Directory>
If it's not set to All nor lists Indexes, that .htaccess line is going to get ignored.
I've already modified the httpd.conf file to remove the commented out rewrite mod
mod_rewrite has nothing to do with this.
I've restarted all services multiple times.
.htaccess files are re-read on every request. You don't need to restart Apache.
http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

Configuring .htaccess for subdirectories

Hello I don't know much about the .htaccess configuration, but I want to restrict access to php files on my web server and I want to have only index.php with parameters accessible.
My files are in subfolder like: www.mydomain.com/sub/index.php. I want to have access to open that index.php in subfolder, css files and js files.
Here is my configuration I have so far:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
<FilesMatch "*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
I have tried to do something like <Files sub/index.php> but everytime it restricts all php files in subfolders and www.mydomain.com/index.php works fine.
Can anyone help me with it?
You can move all files except ones needed to be accessible by http (index.php, css, images etc.) out from DocumentRoot directory to upper level, so directory layout looks like this:
/lib
/files
/html
/index.php
/css/
/images/
where /html is your DocumentRoot.
In this case you won't need any additional restrictive rules in .htaccess or VirtualHost configuration/
htaccess may not be the best option to preventing direct access to some of your Php files. Instead, create an access value and set it to some value in the page you wish directed access to and don't set it in other pages otherwise.
$access = 'some value';
if(empty($access)) { header("location:index.php"); die();}
This way other php files will only be accessible via include or require. Hope that helps.

Resources