Apache Tips & Tricks: Deny access to certain file types
Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod_access
Scope: global server configuration, virtual host, directory, .htaccess
Type: security
Description: How to deny access to certain file types.
Useful: to deny access to certain files that contain private information (log files, source code, password files, etc.).
In a previous tip (Hide a file type from directory indexes) I showed how to keep some files from appearing in directory indexes. Hiding a file from the index does not deny access to it: a remote user who knows (or guesses) the exact path can still fetch the file with a browser. How would someone learn the path? It hardly matters, but paths and file names routinely leak through warning and error messages, through predictable file names, or simply through a directory index that was not hidden.
So if there are ’special files’ that must never be served to remote users, you have to deny access to them explicitly.
In order to achieve this we will be using the standard apache module mod_access that will allow us to define rules for various contexts (<Directory>, <Files>, and <Location> sections). In this case we will be interested in the <Files> section.
Allow/Deny Directive in <Files>
Your apache default configuration probably already contains (and if not, it should) something similar to the following, which stops browsers from reading .htaccess files:
# The pattern is a regular expression: any file whose name starts with
# ".htaccess" (including e.g. .htaccess.bak) is refused with 403.
# Apache's own default uses "^\.ht" so that .htpasswd and .htgroup are covered too.
<Files ~ "^\.htaccess">
    # Order allow,deny: Allow rules are evaluated first, then Deny; with no
    # Allow rule and "Deny from all" every client is denied.
    Order allow,deny
    Deny from all
</Files>
This is a simple example of how we can deny access to a file by its name (the pattern is a regular expression, so it matches every name beginning with .htaccess, not just one file). If you don’t have such a configuration, then it might be a good idea to add it :-).
Let’s see how we can deny access to several files; let’s consider that we want to deny access to all files with the extension .inc (includes in our php application). Apache has no handler for .inc, so without such a rule a direct request for one of these files returns its PHP source as plain text, database credentials included. In order to achieve this we will add the following configuration lines in the appropriate context (either global config, or vhost/directory, or from .htaccess, which requires AllowOverride Limit or All for that directory):
# "\.inc$" anchors at the end of the name: config.inc is matched,
# config.inc.php is not. The rule only affects requests that reach Apache;
# PHP's include() still reads the file from disk as before.
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
In the same way we can deny access to whatever other file types we need (log files, backups, editor temporary files, password files…).
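As an added example (not from the original post), here is the same kind of rule consolidated for a PHP application, written twice: in the Order/Deny syntax the tip uses (mod_access in apache 1.3/2.0, mod_authz_host in 2.2) and in the Require syntax of apache 2.4, where Order and Deny no longer exist. The list of extensions is an assumption; adjust it to what your application actually keeps under the document root.

```apache
# Added example: deny direct HTTP access to files that should never be served.
# Place it in the main config, a <VirtualHost>, or the .htaccess of the
# directory to protect (.htaccess needs AllowOverride Limit or All).

# apache 1.3 / 2.0 / 2.2: mod_access / mod_authz_host provide Order and Deny
<IfModule !mod_authz_core.c>
    # Control files apache reads itself (.htaccess, .htpasswd, .htgroup ...)
    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
    </FilesMatch>
    # Source includes, logs, dumps, backups and editor temp files; all of
    # these would otherwise be served as text/plain (assumed extension list)
    <FilesMatch "\.(inc|log|sql|bak|old|orig|swp)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>

# apache 2.4: mod_authz_core replaces Order/Allow/Deny with Require
<IfModule mod_authz_core.c>
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
    <FilesMatch "\.(inc|log|sql|bak|old|orig|swp)$">
        Require all denied
    </FilesMatch>
</IfModule>
```

<FilesMatch "regex"> is the same thing as <Files ~ "regex">. Check the result from outside with a request for a file you know exists, for example curl -I http://your.host/config.inc (hypothetical name), which must return 403 and not the file. The pattern matches the file name only, so it covers a matching file in any directory within the rule's scope, but it does nothing for directories such as a .svn checkout; those need a <Directory> or <DirectoryMatch> rule, which is what the follow-up post linked in the comments covers.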
10th August 2006, 22:02
Thanks for that Marius.
Do you know what to add to httpd.conf or apache2.conf to deny all access to all the subversion directories (all called ‘.svn’) in my webspace?
11th August 2006, 14:56
Saul,
I have written a separate post to respond to your question. I hope that this will help you:
Apache Tips & Tricks: Deny access to some folders
20th March 2007, 07:56
Thanks for sharing this with us.
I want to ask about something; it may be a piece of code, a setting, or a tool to check the file content while it is being uploaded via HTTP or FTP.
When an attacker finds an uploader file on a website he uploads PHP shells or Perl/CGI shells to access the server.
Is there any way to check the file content?
In the php.ini file we are disabling functions like system(), popen(), etc.
If an attacker tries to upload a file containing any of the disabled functions, the tool will prevent him, saying something like “your file is not safe for our system”.
Is there any idea?
-Hamada
26th October 2007, 15:17
Hi,
I wanted to deny access to all users and allow only those who come from a particular domain. I tried manipulating the httpd.conf file in Linux but it is not having any effect. Can anyone throw some light on this?
Thanks a lot… Waiting for a positive reply.
Sandesh
26th October 2007, 21:43
Sandesh: in order to achieve that your rule needs to look like:
Order deny,allow
Deny from all
Allow from .mydomain.com
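An added example (not from Marius's reply) showing the rule from the reply in context, in both the Order/Allow syntax and the apache 2.4 Require syntax, with an IP-range alternative beside the domain match. The directory, domain and network are assumptions. Two things commonly make such a rule appear to "have no effect": it is in a .htaccess file in a directory without AllowOverride Limit (or All), or the Allow by host name silently fails because the client's reverse DNS does not resolve.

```apache
# Added example: default deny, then allow by domain name or by network.
<Directory "/var/www/private">
    # apache 2.2 and earlier (mod_access / mod_authz_host)
    <IfModule !mod_authz_core.c>
        # Order deny,allow: Deny rules first, then Allow; the Allow wins.
        Order deny,allow
        Deny from all
        # Host-name matching needs a reverse DNS lookup of the client IP
        # for every request, and apache additionally forward-resolves the
        # returned name and requires it to map back to the client IP.
        Allow from .mydomain.com
        # A network range needs no DNS at all and cannot be affected by
        # whoever controls the client's PTR record (assumed network).
        Allow from 192.0.2.0/24
    </IfModule>

    # apache 2.4 (mod_authz_core + mod_authz_host): several Require lines
    # in the same section are combined with OR, like RequireAny.
    <IfModule mod_authz_core.c>
        Require host .mydomain.com
        Require ip 192.0.2.0/24
    </IfModule>
</Directory>
```

Prefer the IP-based form where the allowed population has fixed addresses; host-name based access control depends on DNS that the remote side partly controls and adds a lookup to every request.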
6th December 2007, 00:20
I want to hide .inc files from the web. My .htaccess file looks like this, and hides .htaccess and .cfg files. Access to .inc files is wide open. Any suggestions?
# -Hide .htaccess from web
order allow,deny
deny from all
AddHandler application/x-httpd-php5 .php .php4 .php3 .phtml
Options -Indexes
# -Hide .cfg files from web
Order Allow,Deny
Deny from all
# -Hide .inc files from web
Order Allow,Deny
Deny from all
6th December 2007, 00:23
Oops. system ate the files … /files markup which are present.
6th December 2007, 08:18
Lewy: indeed wordpress removed those lines completely so I can’t see them. Please send them by email (use the contact form to reach me) so I can have a look and tell you my opinion on your question. M.
3rd June 2008, 08:17
A pretty cool .htaccess file I use which prevents random web browsers from accessing folders directly, while allowing them to be accessed via your site. Basically, if someone tried to access yoursite.com/videos/1.wmv or something, they would be redirected to a page you specify. But if you had a link at yoursite.com and when a user clicks on it it takes them to yoursite.com/videos/1.wmv, that would be allowed. This prevents access to folders/directories, and even if a person was to guess the link they wouldn’t be able to access it unless they first came through your site.
I did test this with ie and firefox and it seems to work great in each.
Code:
# These two lines disable any user/group file for this directory.
AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine On
# All RewriteCond lines are ANDed: the rule below fires only when the Referer
# header (which is sent, or not, by the client) matches none of the site's
# own URLs. Dots are escaped so that they match a literal "." and the
# trailing ".*" is dropped because the patterns are not anchored at the end.
RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://subdomain\.yoursite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://\.yoursite\.com/subfolder [NC]
RewriteCond %{HTTP_REFERER} !^http://yoursite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com/subfolder [NC]
# Any request in this directory (".*") is redirected with an external
# redirect [R] and no further rules are processed [L].
RewriteRule .* http://www.yoursite.com/index.php [R,L]
Just create a .htaccess and insert that code into any subfolder/directory you don’t want anyone to directly access without coming through your site, like yoursite.com/videos/.htaccess (with the above code).
RewriteCond = yoursite.com (this is your site, subdomains, and subfolders allowed to access)
RewriteRule = the address they are forwarded to if they try to access directly.
Jeremy
dialme.com
13th September 2008, 04:37
[...] information (log files, source code, password files, etc.). The example shown here will address the question posted by Saul Howard on how to deny access to all the subversion directories [...]
11th October 2008, 03:57
Fantastic stuff. I created a protected directory for my client to satisfy a licensing agreement for distributing materials electronically to his students. The problem is that when the student clicks on a link for a video file, the student would be asked for username and password again each time. I allowed access to those files via
Satisfy any
Allow from nopasswd
But then, you could access the video directly, if you know the URL, bypassing the security. Jeffery’s post above came to the rescue. I inserted that in the .htaccess file above my code. I figured out that you have to set RewriteEngine Off after the RewriteRule.