I am looking for the specific .htaccess command that will allow me to deny http access from everyone BUT my scripts.
I have a script that runs out of the root directory that goes and fetches all of the .jpg's out of a given protected directory with the following .htaccess file
<files *.jpg>
order allow, deny
deny from all
</files>
I was thinking something similar to this might work
<files *.jpg>
order allow, deny
deny from all
allow from rootUrl.com
</files>
Your first example should work, since scripts don't make any HTTP requests.
Edit: Unless, your script for some strange reason makes HTTP requests to its own server, which I really don't think it does. Nor should it.
Edit again: Since your script is outputting img elements pointing to the protected files, you have to let all visitors access the files. There is no work-around. You could however stop hotlinking by using .htaccess like this:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yoursite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ [F]
Related
I want to restrict access to a file "test.txt" with .htaccess
The problem, I'm on a multisite and I want only one domain to access to the file eg. mydomain.com/test.txt
When other domain trying to access, it should denied them: otherdomain.com/test.txt
Multisite is sharing the same files but different db.
<Files "test.txt">
Order deny,allow
deny from all
allow from mydomain.com
</Files>
You may use this deny rewrite rule instead of allow/deny:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^(?:www\.)?mydomain\.com$ [NC]
RewriteRule ^test\.txt$ - [NC,F]
I have jpg urls like these:
http://domain.com/members/content/upload/temp/1600watermarked/photo.jpg
http://domain.com/members/content/upload/test-123/1200watermarked/photo.jpg
http://domain.com/members/content/upload/random/1800watermarked/photo.jpg
In the folder content I have an htaccess file with this in there:
<FilesMatch /watermarked/.*>
Order Allow,Deny
Deny from all
</FilesMatch>
But that doesn't seem to work in blocking any jpg urls with the word "watermarked" in them. Any suggestions?
Well after some more experimenting I got this:
RewriteCond %{REQUEST_URI} ^(.*)watermarked(.*)$
RewriteRule ^(.*)$ http://domain.com/forbidden.htm [R=301,L]
It's not exactly a forbidden error but it works better in my case since I can redirect them to a page to upgrade their accounts to see the blocked content.
I'm building something that I want to release as an open source project. To make it easier to use I'd like to go without the public-folder approach, where you hide all other files than index.php (and assets) from public_html. Meaning, I'd like to do it like WordPress, where you simply toss the code on a server and it works, in that URL you tossed it in.
Here is the content of my htaccess-file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
</IfModule>
Does this code really prevent access to other files? For example, is there any way an attacker could access vendor/Acme/Libraries/Foo.php? Based on my tests it does, but that doesn't mean there isn't a way to circumvent it.
Let's look at your rule closely:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
Here this rule is saying that if request is NOT for a valid file then rewrite it to /index.php. Which means /index.php will be invoked for any non-file requests but that also means you are allowing direct access to all the files.
btw QSA is useless here and can be removed.
You cited Wordpress here. Which basically uses /index.php for any non-file, non-directory requests thus allowing direct access to any valid file OR directory.
If you really want to block access to all the files and directories then you probably will need this rule:
RewriteRule ^ index.php [L]
but I am not sure if you want to handle direct access to resources like images, js/css files via index.php also.
Yes, an attacker can still access your other code files, using only the rule you provided. But:
On a properly configured server, a call to vendor/Acme/Libraries/Foo.php would execute that file, not display its contents. Which might or might not be good enough, and there's still the possibility of a configuration error that would display the source code.
You can block web access to the remaining files by adding Deny directives, for example:
<Location />
Order deny,allow
Deny from all
<Files index.php>
Allow from all
</Files>
</Location>
looking for some htaccess rewrite rules to block all access to a directory except for the server itself. It's a directory full of images and flash swf files. Yes I know it's sort of odd to not want direct access to a file its own directory, but to allow it to be seen by the user when referenced in other html outside the protected directory, but thats what i'm after. I have tried a few different methods as shown below:
# send them to index.php
Options +FollowSymlinks
RewriteEngine on
#RewriteRule ^(.*)$ ../User/ [NC]
#RewriteRule ^(.*)$ [R=301,L,NC]
# no one gets in here!
#deny from all
Options All -Indexes
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 192.168.0.0/33
</Limit>
None of them seem to really do what I want. some of them block access to everything, including the server itself. Other redirect the request to another page, but because it keeps the same url, the links on the 'page' the user gets redirected to wont work.
If possible I would not even like to do a 404 warning, because while this disallows users access to the directory, the user will still know that that directory exists.
You can simply use this one line rule to do that:
RewriteRule ^mydir/ - [L,R=404,NC]
That way all the files under /mydir/ will generate 404 errors to your visitors but your server will still have access to those files.
I think I know how to hide the files but how do I use mod_rewrite to allow only the web service to be called in the same directory?
Here is the directory/file structure
/var/www/html/xmlrpc/xmlrpc.server.php
/var/www/html/xmlrpc/xmlrpc.client.php
/var/www/html/xmlrpc/xmlrpc.class.php
/var/www/html/xmlrpc/xmlrpc.ini
/var/www/html/xmlrpc/logs
Important note: /var/www/html/xmlrpc/logs has 777 permission
before you start harping on me I plan to move this into a non public directory and give the correct permissions. But I was asked to see if I could hide it with the .htaccess file.
.htaccess
AuthType Basic
AuthName "My hidden files"
AuthBasicProvider file
AuthUserFile /var/www/html/xmlrpc/.pswds
Require valid-user
.pswds
user:5/abcde1abcdE
Also I'm a newbie with mod_rewite/mod_alias and need this URL:
http://127.0.0.1/xmlrpc/xmlrpc.server.php
to be this:
http://127.0.0.1/xmlrpc/v1/
How does one do this?
Also on know on the virtual host setup in Apache you can set the log file paths/names, can this be done from the .htaccess file as well?
Examples are welcome as this is a learning experience for me as well.
Ah mod_rewrite. Try this in the xmlrpc directory:
RewriteEngine On
RewriteRule ^v1/$ xmlrpc.server.php [L]
Some questions though - does xmlrpc.server.php take any get parameters? Can you guarantee that the url will always include a trailing slash?
To enforce a trailing slash as well as some other stuff, try this:
# Allows direct linking to files
RewriteCond %{REQUEST_FILENAME} !-f
#Checks if the url is missing a slash, if so, evaluate rule below
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://127.0.0.1/$1/ [L,R=301]
The last rule will have to be adjusted depending on where you put the .htaccess file. If it's at the root, then it will work for all lower directories. If it's in the xmlrpc folder, then you can leave off the localhost.
Also remember to restrict access to the .htaccess file:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Someone else will have to answer the other questions - not as familiar with that.