Deny access to all .php files except root index.php
You cannot do it with <FilesMatch
or <Files>
directive alone: you need to combine them with <Directory
. For example:
<Directory /var/www>
<FilesMatch "\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>
<FilesMatch "^index\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
</Directory>
<Directory /var/www/*>
<FilesMatch "\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>
</Directory>
The catch here is that you should edit httpd.conf
or similar files, as <Directory>
directive cannot be used in .htaccess
.
If you can't update .conf
files and .htaccess
is the only way around, you would have to copy the shown rule in each directory's .htaccess
, I suppose. Whether or not it's better than using if(defined(...))
trick, is up to you.
deny access to all files accept the index.php and the domain name with .htaccess
You can actually just make the filename optional in the regex (you don't need to use mod_rewrite). For example:
Order deny,allow
Deny from all
<FilesMatch "^(index\.php)?$">
Allow from all
</FilesMatch>
This will allow direct requests to index.php
and also requests for the directory (no filename) ...which results in index.php
(the DirectoryIndex
) being served by mod_dir via an internal subrequest (which occurs later).
Note that you can't simply permit an empty filename (ie. "^$"
). Whilst this allows the initial request for the bare directory, it will result in the internal subrequest for the DirectoryIndex
, ie. index.php
being blocked - so ultimately the request is blocked.
Note also that this allows access to all index.php
files in all subdirectories and all directories that contain an index.php
index document.
However, if you are on Apache 2.4 then you should be using Require
instead, since Order
, Deny
and Allow
are all deprecated on Apache 2.4.
Require all denied
<FilesMatch "^(index\.php)?$">
Require all granted
</FilesMatch>
UPDATE: My website is a single page application has just an index.php page controls all of my website with jquery ajax request, so i want when the user writed any other links accept my domain name accept the domain name the htaccess will redirect the user to the domain name
It sounds like you need to implement a front-controller pattern. The simplest form is using the FallbackResource
directive. For example:
FallbackResource /index.php
Any requests that would otherwise result in a 404 are routed to /index.php
. Any static resources (CSS, JS, images etc.) remain accessible and are not routed to /index.php
.
Deny access to all files in a directory unless a specific php page is referrer
Try something like this:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !request_file.php
RewriteRule ^uploads/downloads/ - [L,R=404]
htaccess - disallow direct access to all files except logged in users (PHP)
You cannot do this with .htaccess
alone. What you need to do is:
- Deny file access from all
- Have a "file provider" script which allows file passthrough after authentication.
Example:
proxy.php
<?php
$proxiedDirectory = "./files/"; //Whatever the directory you blocked access to is.
$filename = isset($_GET["fn"])?$_GET["fn"]:null;
if (!user_is_authenticated()) { //Not a real method, use your own check
http_response_code(403);
exit;
}
if ($filename === null || !file_exists($proxiedDirectory.$filename)) {
http_response_code(404);
exit;
}
$fp = fopen($proxiedDirectory.$filename, 'rb');
header("Content-Type: image/???"); //May need to determine mime type somehow
header("Content-Length: " . filesize($proxiedDirectory.$filename));
fpassthru($fp);
exit;
And you'd use this via:
http://example.com/proxy.php?fn=filename.txt
How to block access to all .php except index.php in root folder (via .htaccess)?
In .htaccess:
RewriteEngine on
RewriteRule ^/application - [F]
The [F]
option instructs it to issue a 403 Forbidden response on all matching URLs.
Or add a separate .htaccess file in /application
containing just:
deny from all
Or in your Apache vhost definition:
<Location /application>
deny from all
</Location>
Related Topics
Laravel 5 Failed Opening Required Bootstrap/../Vendor/Autoload.PHP
Remove Warning Messages in PHP
How to Get First 5 Characters from String
Redirecting to Previous Page After Login - PHP
Why Is Pdo Better For Escaping MySQL Queries/Querystrings Than MySQL_Real_Escape_String
How to Get Enum Possible Values in a MySQL Database
Laravel Update Model With Unique Validation Rule For Attribute
How to Store File Name in Database, With Other Info While Uploading Image to Server Using PHP
How to Best Store User Information and User Login and Password
PHP - Redirect and Send Data Via Post
How to Know Which 'PHP.Ini' File Is Used