ansaurus

Question

Deny direct access to files or directory using .htaccess

Answer 1

A:

Try this rule:

RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\.php[/?\ ]
RewriteRule .*\.php$ 404.php [L]

This will rewrite all requests whose paths contain a .php internally to 404.php.

Gumbo 2010-09-24 21:44:20

That's ok, but what about directory? Is it possible to do it without using a php file to check them? The -d flag is quite weird. I think I'm not getting it.

dierre 2010-09-24 22:03:31

Actually, why do you need the RewriteCond? What about RewriteRule ^(.*)\.php$ 404.php [L]

dierre 2010-09-24 22:10:41

Answer 2

+1 A:

If I've understood your requirements correctly, you're looking to do something like this:

# This is a real directory...
RewriteCond %{REQUEST_FILENAME} -f [OR]
# Or it's a real file...
RewriteCond %{REQUEST_FILENAME} -d
# And it's not 404.php...
RewriteCond $0 !=404.php
# And it's not the root
RewriteCond $0 !=""
# And it's not any of the above due to an internal redirect...
RewriteCond %{ENV:REDIRECT_STATUS} ^$
# So cause a 404 response (you could redirect to 404.php if you want)
RewriteRule ^.*$ - [R=404,L]

# Set the 404 error document
ErrorDocument 404 /~my_user/my_base/404.php

Keep in mind that this blocks everything that exists, so any images, stylesheets, or scripts will be sent to the 404 page too. If you just want to block access to the PHP files, Gumbo's solution is more appropriate. I think in that case you'll need another RewriteCond though to prevent looping:

# Make sure the reason this request has a .php is because it was requested
# by the user (and not due to a redirect)
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/[^\s]+\.php
# Make sure we aren't on 404.php already
RewriteRule %{REQUEST_URI} !404\.php$
# We aren't, so redirect to 404.php
RewriteRule ^ 404.php [L]

Tim Stone 2010-09-26 06:50:32

Yeah I want to block everything but just out of curiosity. Could you explain me the use of `$0` in there? Does it contain `${REQUEST_FILENAME}`? And you chained 5 `RewriteCond`, how does apache understand you need to confront the last three with the result of the first two? Does it just evaluate the first two before everything (in order of appearance)?

dierre 2010-09-26 08:44:28

@dierre: The `$0` is a backreference to the `RewriteRule` test pattern (it contains the entire match from `^.*$`). It would have been possible to condense those two `RewriteCond` into the test pattern of the `RewriteRule`, I suppose, like `!^(|404\.php)$`. As for the chaining, there is an implicit `AND` that joins all `RewriteCond` together, unless you specifiy the `[OR]` flag.

Tim Stone 2010-09-26 09:03:57

Relatedly, mod_rewrite processes the test pattern of the `RewriteRule` first, then tests each `RewriteCond` that is attached to the current rule (directly above it), starting at the top and working downwards. If all of that passes, then it performs the substitution in the `RewriteRule`.

Tim Stone 2010-09-26 09:05:18

I was thinking, you use in `ErrorDocument` the full path of `RewriteBase`, is there any env:variable containing the value of `RewriteBase`?

dierre 2010-09-26 09:12:57

@dierre: Not that I'm aware of. There's also not any way to have `ErrorDocument` use the file relative to the current directory, as far as I know. In that case, it might be better to just redirect to 404.php directly, like the `RewriteRule` in the second example, since then you wouldn't need to write the whole path again. Just be sure that 404.php returns a 404 status header in that case.

Tim Stone 2010-09-26 09:18:27

ansaurus

tags:

views:

answers:

Deny direct access to files or directory using .htaccess

related questions