Apache Tips & Tricks: Deny access to some folders
Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod_access
Scope: global server configuration, virtual host, directory, .htaccess
Type: security
Description: How to deny access to certain folders and the files inside them.
Useful: to deny access to certain folders containing private information (log files, source code, password files, etc.). The example shown here will address the question posted by Saul Howard on how to deny access to all the subversion directories (.svn).
In a previous tip (Deny access to certain file types) I showed how to deny access to files by a particular filename, by extension, or by any regexp that matches them. In this post we will block access to folders, so instead of the <Files> directive we will use the <Directory> section.
Allow/Deny Directive in <Directory>
Let’s see how we can deny access to all the .svn folders that exist on the server.
In order to achieve this we will add the following configuration lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):
<Directory ~ "\.svn">
Order allow,deny
Deny from all
</Directory>
Similar to this we can deny access to other folders we might need…
Note: this will show a Forbidden page (code 403) even if the folder does not exist and it is just called from the browser in the url.
Another quick way to accomplish this is with a rewrite rule:
RewriteRule ^(.*/)?\.svn/ - [F,L]
or using a redirect:
RedirectMatch 404 /\.svn(/|$)
(in this last example I am using 404 as the returned code so it looks like the folder doesn’t exist on the server; of course, if you prefer, you can return 403 – forbidden code).
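Added example (not from the original post): the Python sketch below checks the three .svn patterns from this tip against a few constructed request paths, to show where they agree and where they differ. The document root, the sample paths and the function name rules_matching are assumptions, and the <Directory ~> match is modelled simply as an unanchored search over the mapped filesystem path.

```python
import re

# The three patterns from the post, written with a single backslash.
DIRECTORY_RE = re.compile(r"\.svn")          # <Directory ~ "\.svn">
REWRITE_RE = re.compile(r"^(.*/)?\.svn/")    # RewriteRule ^(.*/)?\.svn/ - [F,L]
REDIRECT_RE = re.compile(r"/\.svn(/|$)")     # RedirectMatch 404 /\.svn(/|$)

DOCROOT = "/var/www/html"  # assumed document root, only used to build a filesystem path


def rules_matching(url_path):
    """Return the set of rule names whose pattern matches this request path.

    Simplified model: <Directory ~> is searched against the mapped filesystem
    path, the other two against the URL path as seen in server/vhost context.
    """
    hits = set()
    if DIRECTORY_RE.search(DOCROOT + url_path):
        hits.add("directory")
    if REWRITE_RE.search(url_path):
        hits.add("rewrite")
    if REDIRECT_RE.search(url_path):
        hits.add("redirect")
    return hits


# Constructed request paths (not taken from any real log).
SAMPLES = [
    "/.svn/entries",
    "/project/.svn/text-base/index.php.svn-base",
    "/.svn",
    "/notes.svn-old/readme.txt",
    "/index.html",
]

if __name__ == "__main__":
    for path in SAMPLES:
        hits = rules_matching(path)
        print(f"{path:45} {', '.join(sorted(hits)) or 'not blocked'}")
```

In this model the unanchored <Directory ~> pattern also catches a folder whose name merely contains ".svn", while the rewrite pattern only matches when ".svn" is followed by a slash.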
12th August 2006, 09:25
Thanks for that, it worked.
I had tried
Order allow,deny
Deny from all
but that didn’t work because the match is for the whole path.
13th August 2006, 10:55
Saul,
You are welcome. I am happy that I could help you solve this issue.
Cheers,
- Marius -
ps. probably you got some characters stripped off when posting the comment as I can’t understand nothing from what you had previously tried… anyway it doesn’t matter, as now you should be ok.
15th August 2008, 08:44
I’ve tried the example you gave, but it didn’t work. I can still access the folder/directory. Also, how do I use the mod_access module, I noticed that it was not with the LoadModule stuff.
Here’s the stuff I want out
Alias /icons/ “/var/www/icons/”
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
Thanks!
16th August 2008, 00:17
steve: what version of apache do you use? In 2.2.x the mod access was replaced with mod_authz_host. You need to have this module (mod_access for apache1, apache2.0.x or mod_authz_host for apache2.2.x) loaded for this to work.
26th August 2008, 05:05
Hi, in apache2 ver. 2.2.8 I’d like to allow access to phpMyAdmin only from my own IP:
# this is actually a subdir of a virtual host directory
Options None
AllowOverride None
Order allow,deny
Deny from all
# Allow from 127.0.0.1 192.168.1.24
Yet even with a hash the access is allowed from all now ! There are numerous config files and I am looking for the easy way to identify the place which makes the above statements not working.
26th August 2008, 12:45
Zbigniew: wordpress has stripped your comment and I can’t understand how your rule is applied. Use the contact form to send me an email with the information and I will try to help you out. -M.
30th April 2009, 22:42
It’s worth noting that the directory directive isn’t available inside the htaccess file, at least with the version of apache that I’m using.
10th May 2009, 10:21
Will this block even search engines to be able to scan particular folders?
Thats what im looking for…
Can do that with a robots.txt file but search engines can easily ignore this file, i want to lock a particular folder for human AND search engines….
11th May 2009, 07:05
@bob: yes this will block everyone, including web spiders, etc. robots.txt entries are just informal and ‘good’ spiders follow them.
11th May 2009, 12:18
Thanks Marius,
So .svn can be any foldername?
Order allow,deny
Deny from all
can be (foldername “media”)
Order allow,deny
Deny from all
Is it required to put this on the very top of the .htaccess file or that doesnt matter?
11th May 2009, 12:47
@bob: wordpress stripped the special tags, sorry about that. yes you can use any foldername you want like that. Even more you can add access for special ips if you want that (like an /admin/ part of a site) if this is needed. Just check it out and let me know if i can help you with something else on this issue
11th May 2009, 12:55
Thanks again Marius,
Yes i saw WP stripped the tags but lucky you understand whats mentioned there:).
I was just looking for a way to hide/lock (or even both) a particular folder from search engines.
Is there a way to monitor this, to detect wich search engine tries to scan it?
11th May 2009, 13:51
You will see those in regular apache logs, something like “client denied by server configuration…”. If you want this mainly for the search engines, add such rules in robots.txt also as major big ones will obey those rules, and will save resources. You will then see in the logs as denied requests just the one from the bots that don’t follow the rules.
11th May 2009, 17:38
Thanks again Marius.
I think im not able to view apache logs, as i use a shared hosting account, or??
Yes i already have added a Disallow in the robots file but bots can easily ignore a robots file, although Google shouldn’t do that (i guess)
11th May 2009, 17:58
@bob: you are most welcome. Even if you are on a shared host most control panels will allow access to your raw apache logs (unfortunately this is one setting that can’t be overwritten in .htaccess and you can’t overwrite your logs location). And yes google bot will obey the rules in robots.txt; you can see and test that also in the google webmaster tools for your domain.
12th May 2009, 11:05
Thanks Marius.
Ill try some things out here
21st June 2009, 05:29
I’ve tried all three of your options, and while access directly to any of the .svn directories is blocked, I can still access the .svn/entries file without any problems.
Any ideas?
24th June 2009, 20:30
@Bunkai: even if this was not the intent of this post and .svn was just an example, it works as you want it to (first solution). If this doesn’t work for you please check out if other rules in your apache interfere or overwrite this one.
27th July 2009, 05:00
hi
i want to deny the access of a folder images
path is “/www/images”
how can this done?
if we use .htaccess, doest it allow the web user to get the page? (i am using images folder to store all images that wanted for the website)
so my requirement is, when a web user types http://www.domain.com/images he will not able to get the access to images folder. i think you have got it, rt?
Please help me..
Regards
renjitha
27th July 2009, 10:57
@renjitha: it seems to me that you are looking to disable the indexes on that folder, and not the access to the files right? -Indexes is your friend. hth.
27th July 2009, 13:49
hi marius
sorry.. i didnt understand your answer
i will explain the scenario..
take this site as example :
http://www.ducea.com/2006/08/11/
if we remove ‘/11′ from above url we can access the other page…
ie, we can see the content of the url http://www.ducea.com/2006/08/
again if we remove /08 we can see the content of http://www.ducea.com/2006
and so on…
For my site i am storing all the images(also uploaded photos by the user) in the ‘images’ folder
if anyone types http://www.domain.com/images in the browser, he can see all files and directories in the ‘images’ folder and he can download my files…
i want to deny this access..
is there any way to do this…?
regards
renjitha
27th July 2009, 14:06
@renjitha: yes, i understood what you meant. Disable indexes on that folder (add -Indexes to your Options line in that folder) like:
Options -Indexes
(etc. whatever other options you might have there add them on the same line).
Cheers,
- Marius -
27th July 2009, 15:19
Oh… i got it Marius..
thanks !!!
Regards
Renjitha
14th October 2009, 12:22
Halla.
I do have the same problem like renjitha and to be honest I didn’t understand the part with disabling indexes. My problem sounds like this:
I do have a website and and some music files on to it in a specific folder (music folder in this situation). If I open the browser and type http://www.mypersonaldomain.com/music/ I can see the music files there(.mp3 files) and I also can download them.
Now.. I don’t really want that. I just want to close access on that folder and files from it. How can I do that ?
Where can I disable the indexes and how ?
Thanks in advance.
18th October 2009, 10:20
@Vlad: you can do that with the same syntax as in my example of this post. Just put it inside your vhost, and replace .svn with music. hth.