views:

40

answers:

4

I have a folder in my root that i want no one to know of. Even if someone types in it correct i want to throw a 404 not found.

Would this be Possible to do with mod-rewrite perhaps?

I cant store it outside root right now, dont ask why

Thanks!

+1  A: 

Is throwing a 403 out of the question? If you have shell access, you can chmod the directory so the web user cannot read or stat it.

Tristan
At the very least, throwing a 404 is not the correct HTTP status. 204 No Content, a 301 Redirect, 401 Unauthorized by adding security, or a 403 Forbidden is fine.
Jordan
True, although RFC 2616 does say "This status code is commonly used when the server does not wish to reveal exactly why the request has been refused." It's sort of an implicit endorsement (or at least recognition) of the practice of using 404 to "pretend" that an existing file isn't there without revealing why.
David Zaslavsky
A: 

I did not try this, but I guess you could redirect to something that does not exist.

zvonimir
A: 

Create a custom 404 page and then set mod_rewrite up to rewrite requests to the offending directory to the custom 404 file. Custom 404 pages are generally good practice anyway so you get two for the price of one by doing this.

hollsk
A: 

I'd first suggest moving the file out of the web root, unless you have a really good reason not to (and I won't easily be convinced that you do).

If you're intent on not doing that, use Tristan's suggestion of a 403 error. Something like

<Files /path/to/docroot/nameoffile>
    Order allow,deny
    Deny from all
</Files>

If you're really intent on not doing that, you should be able to use an alias to redirect the URL to a nonexistent location:

Alias /nameoffile /path/that/doesnt/exist

The same could be done with mod_rewrite,

RewriteRule /nameoffile /path/that/doesnt/exist [L]

The rewrite is more computationally expensive, but it might be your only option if you don't have access to the main server configuration.

David Zaslavsky
To make the `RewriteRule` case a little more efficient, you can avoid rewriting at all and do `RewriteRule ^/nameoffile - [R=404]` to immediately throw a 404 status on the match. It kind of bastardizes the semantics of the `R` flag, but `mod_rewrite` considers it entirely acceptable.
Tim Stone