I have a php file that inherits (includes) another PHP files. All inherited files are located in one folder called "includes". I want to be able to restrict any direct access to this folder. Only PHP files within the server can communicate with the files in the "includes" folder. How can I use .htaccess to accomplish such goal?
FYI, I used the following code and it did not work
Order deny,allow
deny from all
Any help would be appreciated
If you don't have the option of actually moving the "includes" folder outside of the Document Root area, and using the include_path (i.e. you can't get to it from web), then enter
deny from all
in a .htaccess directory in that directory.
However, alternative is to use a DEFINES directive to only allow access to those include programs by specific authorised files. For example, put
<?php defined('ACCESS_ALLOWED') or die('Restricted Access'); ?>
in the top of the include files, and then put
<?php define('ACCESS_ALLOWED', 1); ?>
in the programs that are allowed to include those files.
This will prevent casual GETs to those include files from running them, and will work for any web server, not just those supporting htaccess files.
in your includes/.htaccess :
Order deny,allow
deny from all
You can actually just use an index.php and pass a 404 header using header():
header('HTTP/1.1 404 Not Found', 404);
IMO, this is better than a 403, since it's like the folder doesn't exist. As for the include files, put this line above the first include/require line of the main file:
define('INCLUDED', true);
And on every file in the include directory, put this at top most part.
if (!defined(INCLUDED)) {
header('HTTP/1.1 404 Not Found', 404);
}
You can deny direct access to the folder using the following Directives in htaccess or server.config contex :
Mod-alias based solution
Redirect 403 ^/folder/.+$
This will redirect all files and dirs of /folder/ to 403 forbidden error page.
Mod-rewrite base solution :
RewriteEngine on
RewriteRule ^/?folder/.+$ - [F]
Depending on possible other options set at a higher level you may need to use:
Satisfy all
Order deny,allow
Deny from all
I ran into this when the upper directory defined basic authentication including the line:
Satisfy any
This was preventing my deny from all to take effect because the users were authenticated.
Related
SetEnvIf User-Agent .*Wget* wget
Order deny,allow<br>
Deny from all<br>
Allow from env=wget
ErrorDocument 403 /403.shtml
So I am currently using the above lines of text inside my htaccess file, and it works perfectly. The problem is I need to allow access to a mailer.php file that is also listed in that directory.
Is there a way i can allow access to just this file and use the above code yet to block out the rest?
And if it matters, the phpfile writes to a file inside that directory... it is called rc3.key (not sure if that is important but i think it could be)
Just add the following:
<Files "mailer.php">
Allow from all
</Files>
This will allow everyone to access mailer.php but will throw a 403 error for every other file.
I have index.php file that i want to allow access only for specific ip with htaccess.
However i want to allow access for files named index.php in subdiectories for everyone.
How should I write rule that would affect only index.php in present directory? This is what i tried but with no success, it blocks index.php in subdirectories too:
<Files "./index.php">
Order deny,allow
Deny from all
Allow from 192.168.24.2
</Files>
You can write a .htaccess inside the subdirectories which contained the Allow from all, thus allowing access to those specific directories, and subdirectories from them onwards.
I put this piece of code in the includes directory to avoid users having access to its content:
order allow,deny
deny from all
and I use the code below to redirect error 403 to particular error page,this is place in parent root (website) of the includes directory:
ErrorDocument 403 /errors/403.html
... but the styles don't apply to the pages. What is the problem?
Note: the errors directory is placed in "website" and "styles" directory placed in "includes" directory
As you deny the access to the includes folder, the users browser is not able to get the files in your styles folder, assuming the CSS stylesheets necessary for styling the page. Instead it receives an error 403 "Forbidden".
See deny directory listing with htaccess if you want to disable directory listing and thus only allow the user to access files directly.
Hello I don't know much about the .htaccess configuration, but I want to restrict access to php files on my web server and I want to have only index.php with parameters accessible.
My files are in subfolder like: www.mydomain.com/sub/index.php. I want to have access to open that index.php in subfolder, css files and js files.
Here is my configuration I have so far:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
<FilesMatch "*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
I have tried to do something like <Files sub/index.php> but everytime it restricts all php files in subfolders and www.mydomain.com/index.php works fine.
Can anyone help me with it?
You can move all files except ones needed to be accessible by http (index.php, css, images etc.) out from DocumentRoot directory to upper level, so directory layout looks like this:
/lib
/files
/html
/index.php
/css/
/images/
where /html is your DocumentRoot.
In this case you won't need any additional restrictive rules in .htaccess or VirtualHost configuration/
htaccess may not be the best option to preventing direct access to some of your Php files. Instead, create an access value and set it to some value in the page you wish directed access to and don't set it in other pages otherwise.
$access = 'some value';
if(empty($access)) { header("location:index.php"); die();}
This way other php files will only be accessible via include or require. Hope that helps.
To prevent my Ajax files from direct acccess I did this:
I put all files in a common directory called "ajax" and put this in an .htaccess file in the same folder. This is my directory structure:
/var/www/html/ajax
<Directory "/var/www/html/ajax">
order allow,deny
Deny from all
Allow from 127.0.0.1
</Directory>
But this produces server error 500. .htaccess use is enabled in my server along with mod-rewrite. Please help.
The Directory directive is not allowed in your .htaccess file. see http://httpd.apache.org/docs/2.0/mod/core.html#directory. However, you can achieve the same result by simply placing the code you have in the .haccess in the /var/www/html/ajax directory, without the Directory directive
order allow,deny
Deny from all
Allow from 127.0.0.1
<Directory> is a directive that's not supported in .htaccess files, it's core and vhost specific.
For an .htaccess file, the directive is superfluous and must be omitted, because the directory is implied by the location of the .htaccess file.
Simply remove <Directory> and its closing "tag" and it should work.