I came across a blog article that indicates that .htaccess files should be protected but I am a little confused as to which part of this is the correct way to implement this security. Here is the snippet:
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Deny,Allow
#order allow,deny
Deny from all
satisfy all
</Files>
Should it be Order Deny, Allow or Order Allow, Deny?
It should be Order Deny,Allow (note the lack of space).
The Order directive defines the order in which permission checks should be performed, so Order Deny,Allow says “check the Deny directives before checking Allow directives”.
I have an .htaccess file for WordPress. It contains this code:
<Files wp-login.php>
order deny,allow
deny from all
allow from 46.61.xxx
allow from 91.211.xxx
allow from 176.14.xxx
</files>
Two of these IPs work, i.e. I can enter from 46.61.xxx and 176.14.xxx, but I can't enter from 91.211.xxx. What could the problem be?
Give it a try without those xxx's; check the Apache documentation.
<Files wp-login.php>
order deny,allow
deny from all
allow from 46.61
allow from 91.211
allow from 176.14
</files>
I have files which contain important settings (MySQL password etc.) and jQuery scripts. I don't want them to be accessible over a link (e.g. link.com/scripts/jquery_script.js). I made something, but that code doesn't work. The code is in the .htaccess file, and the .htaccess file is in the root. I put an echo in the settings.php file, and I can see it.
<files scripts/settings.php>
order allow,deny
deny from all
</files>
The Files directive doesn't take a full path.
Use this directive in /scripts/.htaccess (create it if it doesn't exist):
<files settings.php>
order allow,deny
deny from all
</files>
I've recently upgraded a web app and I want to combine the new and old htaccess into one file. Here is my new htaccess:
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
And my old htaccess:
order deny,allow
deny from all
Allow from 12.34.567.89
Allow from 12.34.567.88
My end goal is that No One can access the *.inc but only the approved IPs can access the rest of the folder.
Can I just concatenate these two rules in one file?
Yes you can use:
order deny,allow
deny from all
Allow from 12.34.567.89
Allow from 12.34.567.88
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
I'm creating a new website, so I'm creating a new .htaccess for it.
To get an example, I took a look at another website I have, and found the following code, among some other code, inside:
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
What is the purpose of these commands? Should I implement them in my new site as well?
LIMIT defines what method(s) can be used.
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
order deny,allow will make the deny rule be evaluated first, then it will evaluate the allow rule. The above will tell it to deny access to everything, but then allow the GET and POST methods to access everything. So that is basically useless.
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
The above will deny all PUT and DELETE methods.
This link can explain what GET, POST, PUT, and DELETE methods are in.
As for the IndexIgnore
The IndexIgnore directive adds to the list of files to hide when listing a directory. File is a shell-style wildcard expression or full filename. Multiple IndexIgnore directives add to the list, rather than replacing the list of ignored files. By default, the list contains . (the current directory).
^Gotten from the Apache documents
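Added example, not part of any post on this page and not Apache's own code: a small Python model of how a single section's Order, Allow and Deny directives (mod_access_compat) resolve for one client, covering the Order explanation in the first answer and the Limit explanation just above. The function names and client addresses are assumptions made for illustration, and merging between Directory, Files and Limit sections is not modelled.

```python
import ipaddress

def matches(spec, client_ip):
    """True if an Allow/Deny 'from' value covers client_ip (IPv4 only here)."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR form such as 10.1.0.0/16
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    # Full or partial address: whole octets are compared, so "46.61" covers 46.61.*.*
    want = spec.rstrip(".").split(".")
    return client_ip.split(".")[:len(want)] == want

def evaluate(order, allow, deny, client_ip):
    """Return True if one section with these directives grants access."""
    allowed = any(matches(s, client_ip) for s in allow)
    denied = any(matches(s, client_ip) for s in deny)
    order = order.lower()  # keyword is case-insensitive; a space after the comma is not accepted
    if order == "deny,allow":
        # Deny checked first, a matching Allow overrides it; no match at all -> granted
        return allowed or not denied
    if order == "allow,deny":
        # Allow checked first, a matching Deny overrides it; no match at all -> denied
        return allowed and not denied
    raise ValueError(f"Order value not modelled: {order!r}")

# Constructed cases modelled on the snippets on this page; client addresses are made up.
WP = ["46.61", "91.211", "176.14"]
CASES = {
    ".hta block, Order Deny,Allow": ("Deny,Allow", [], ["all"], "203.0.113.7"),
    ".hta block, Order Allow,Deny": ("Allow,Deny", [], ["all"], "203.0.113.7"),
    "Limit GET POST": ("deny,allow", ["all"], ["all"], "203.0.113.7"),
    "Limit PUT DELETE": ("deny,allow", [], ["all"], "203.0.113.7"),
    "wp-login, listed prefix": ("deny,allow", WP, ["all"], "91.211.5.9"),
    "wp-login, other client": ("deny,allow", WP, ["all"], "203.0.113.7"),
}

def run_cases():
    return {name: evaluate(*args) for name, args in CASES.items()}

if __name__ == "__main__":
    for name, granted in run_cases().items():
        print(f"{name:30} {'granted' if granted else 'denied'}")
```

With only `Deny from all` present, either order denies the request; the two orders differ when a client matches both lists or neither.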
I try to configure my Apache .conf file to deny listing from a certain category, but I want to allow a specific file inside this category.
It appears that the Directory rule is "stronger" than the Files rule, so when using both - I can't access that certain file.
This is what I try:
<Directory /var/www/denied_directory>
order deny,allow
Deny From All
</Directory>
<Files safefile.php>
Order Allow,Deny
Allow from All
</Files>
It works perfectly if it is configured properly:
<Directory /var/www/denied_directory>
Order allow,deny
<Files test.php>
Order deny,allow
</Files>
</Directory>
In Apache 2.4, with an additional test on an environment variable for good measure:
See also: Require Directive
<Directory "/wikis/foswiki">
Require all denied
# Allow access to toplevel files ending in .html (in particular index.html) only
# (comment out if you don't care for this)
<Files ~ "\.html$">
<RequireAll>
Require all granted
Require not env blockAccess
</RequireAll>
</Files>
</Directory>
Put your Files directive inside your Directory directive.
To allow a specific file when access is restricted by HTTP password. Be careful, password protection is defined on filesystem basis and specific allowed files are defined by URI. Updated for Apache 2.4.
<Directory /path/to/directory/>
AuthName SecureArea
AuthType Basic
AuthUserFile /path/to/passwd-file
Require user my-user
SetEnvIf Request_URI "path/to/uri-allowed-1.php" allowedURL
SetEnvIf Request_URI "path/to/uri-allowed-2.php" allowedURL
Require env allowedURL
</Directory>
There is a missing line in #acond's answer. I think it needs Allow:
<Directory /var/www/denied_directory>
order deny,allow
Deny from All
<Files safefile.php>
order deny,allow
Allow from All
</Files>
</Directory>
Since there is only one rule in each directive, I suspect the order lines may be irrelevant. Although maybe the outermost one is required, because there is more than one rule nested. (I'm new to apache configuration)
Create an .htaccess file in the directory (folder) and use the block below:
order deny,allow
deny from all
<Files safefile.php>
allow from all
</Files>
This will allow ../safefile.php file but ../.
If you want to allow ../ (for instance you need to have ../index.php), then you should do this:
order deny,allow
deny from all
<FilesMatch ^(index\.php)?$>
allow from all
</FilesMatch>