Comments on: Apache Tips & Tricks: Deny access to certain file types http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/ The Journal Of A Linux Sysadmin Sat, 31 Jul 2010 13:48:55 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Un peu de tout » Archives du Blog » sécurisation d’un serveur Apache : configurationhttp://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-181330 Un peu de tout » Archives du Blog » sécurisation d’un serveur Apache : configuration Sun, 29 Nov 2009 04:24:17 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-181330 [...] Apache Tips & Tricks: Deny access to certain file types [...] [...] Apache Tips & Tricks: Deny access to certain file types [...]

]]> By: Failure to Restrict URL Access – OWASP Top 10 – A10 « Miscellaneous Securityhttp://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-181306 Failure to Restrict URL Access – OWASP Top 10 – A10 « Miscellaneous Security Thu, 19 Nov 2009 18:03:35 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-181306 [...] should block access to all file types that the application doesn’t [...] [...] should block access to all file types that the application doesn’t [...]

]]> By: Johnhttp://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-178699 John Sat, 11 Oct 2008 03:57:31 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-178699 Fantastic stuff. I created a protected directory for my client to satisfy a licensing agreement for distributing materials electronicaly to his students. The problem is that when the student clicks on a link for a video file, the student would be asked for username and password again each time. I allowed access to those files viaSatisfy any Allow from nopasswdBut then, you could access the video directy, if you know the url, bypassing the security. Jeffery's post above came to the rescue. I inserted that in the .htaccess file above my code. I figured out that you have to set RewriteEngine Off after the RewriteRule. Fantastic stuff. I created a protected directory for my client to satisfy a licensing agreement for distributing materials electronicaly to his students. The problem is that when the student clicks on a link for a video file, the student would be asked for username and password again each time. I allowed access to those files via

Satisfy any
Allow from nopasswd

But then, you could access the video directy, if you know the url, bypassing the security. Jeffery’s post above came to the rescue. I inserted that in the .htaccess file above my code. I figured out that you have to set RewriteEngine Off after the RewriteRule.

]]> By: rul3z » Blog Archive » Deny access to some foldershttp://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-178598 rul3z » Blog Archive » Deny access to some folders Sat, 13 Sep 2008 04:37:25 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-178598 [...] information (log files, source code, password files, etc.). The example shown here will address the question posted by Saul Howard on how to deny access to all the subversion directories [...] [...] information (log files, source code, password files, etc.). The example shown here will address the question posted by Saul Howard on how to deny access to all the subversion directories [...]

]]> By: Soma in san diego.http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-178513 Soma in san diego. Fri, 22 Aug 2008 00:21:36 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-178513 <strong>Akane soma....</strong>Soma online sales. Soma. Soma and addiction.... Akane soma….

Soma online sales. Soma. Soma and addiction….

]]> By: Jeremyhttp://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-171090 Jeremy Tue, 03 Jun 2008 08:17:42 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-171090 A pretty cool .htaccess file I use which is used to prevent random web browsers from accessing folders directly, while allowing them to be accessed via your site. Bassically if someone tried to access yoursite.com/vidoes/1.wmv or something, they would be redirected to a page you specify. But if you had a link at yoursite.com when a user clicks on it takes them to yoursite.com/videos/1.wmv would be allowed. This prevents access to folders/directories and even if a person was to guess the link they wouldn't be able to access it unless they first came through your site.I did test this with ie and firefox and it seems to work great in each.Code: AuthUserFile /dev/null AuthGroupFile /dev/nullRewriteEngine OnRewriteCond %{HTTP_REFERER} !^http://www.yoursite.com.* [NC] RewriteCond %{HTTP_REFERER} !^http://subdomain.yoursite.com.* [NC] RewriteCond %{HTTP_REFERER} !^http://.yoursite.com/subfolder.* [NC] RewriteCond %{HTTP_REFERER} !^http://yoursite.com.* [NC] RewriteCond %{HTTP_REFERER} !^http://www.yoursite.com/subfolder.* [NC]RewriteRule /* http://www.yoursite.com/index.php [R,L]Just create a .htaccess and insert that code into any subfolder/directory you don't want anyone to directly access without coming through your site. like yoursite.com/videos/.htaccess (with the above code)RewriteCond = yoursite.com (this is your site, subdomains, and subfolders allowed to access) RewriteRule = the address they are forwarded to if they try to access directly.Jeremy dialme.com A pretty cool .htaccess file I use which is used to prevent random web browsers from accessing folders directly, while allowing them to be accessed via your site. Bassically if someone tried to access yoursite.com/vidoes/1.wmv or something, they would be redirected to a page you specify. But if you had a link at yoursite.com when a user clicks on it takes them to yoursite.com/videos/1.wmv would be allowed. This prevents access to folders/directories and even if a person was to guess the link they wouldn’t be able to access it unless they first came through your site.

I did test this with ie and firefox and it seems to work great in each.

Code:
AuthUserFile /dev/null
AuthGroupFile /dev/null

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^http://www.yoursite.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://subdomain.yoursite.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://.yoursite.com/subfolder.* [NC]
RewriteCond %{HTTP_REFERER} !^http://yoursite.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://www.yoursite.com/subfolder.* [NC]

RewriteRule /* http://www.yoursite.com/index.php [R,L]

Just create a .htaccess and insert that code into any subfolder/directory you don’t want anyone to directly access without coming through your site. like yoursite.com/videos/.htaccess (with the above code)

RewriteCond = yoursite.com (this is your site, subdomains, and subfolders allowed to access)
RewriteRule = the address they are forwarded to if they try to access directly.

Jeremy
dialme.com

]]> By: - Marius -http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-110178 - Marius - Thu, 06 Dec 2007 08:18:42 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-110178 Lewy: indeed wordpress removed those lines completely so I can't see them. Please send them by email (use the contact form to reach me) so I can have a look and tell you my opinion on your question. M. Lewy: indeed wordpress removed those lines completely so I can’t see them. Please send them by email (use the contact form to reach me) so I can have a look and tell you my opinion on your question. M.

]]> By: Lewyhttp://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-110012 Lewy Thu, 06 Dec 2007 00:23:06 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-110012 Oops. system ate the files ... /files markup which are present. Oops. system ate the files … /files markup which are present.

]]> By: Lewyhttp://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-110011 Lewy Thu, 06 Dec 2007 00:20:59 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-110011 I want to hide .inc files from the web. My .htaccess file looks like this, and hides .htaccess and .cfg files. Access to .inc files is wide open. Any suggestions?# -Hide .htaccess from weborder allow,deny deny from allAddHandler application/x-httpd-php5 .php .php4 .php3 .phtml Options -Indexes# -Hide .cfg files from webOrder Allow,Deny Deny from all# -Hide .inc files from webOrder Allow,Deny Deny from all I want to hide .inc files from the web. My .htaccess file looks like this, and hides .htaccess and .cfg files. Access to .inc files is wide open. Any suggestions?

# -Hide .htaccess from web

order allow,deny
deny from all

AddHandler application/x-httpd-php5 .php .php4 .php3 .phtml
Options -Indexes

# -Hide .cfg files from web

Order Allow,Deny
Deny from all

# -Hide .inc files from web

Order Allow,Deny
Deny from all

]]> By: - Marius -http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/comment-page-1/#comment-95700 - Marius - Fri, 26 Oct 2007 21:43:21 +0000 http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/#comment-95700 Sandesh: in order to achieve that your rule needs to look like: <code>Order deny,allow Deny from all Allow from .mydomain.com </code> Sandesh: in order to achieve that your rule needs to look like:
Order deny,allow
Deny from all
Allow from .mydomain.com

]]>