Apache Tips & Tricks: Deny access to some folders

Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod_access
Scope: global server configuration, virtual host, directory, .htaccess
Type: security

Description: How to deny access to certain folders and the files inside them.
Useful: to deny access to certain folders containing private information (log files, source code, password files, etc.). The example shown here addresses the question posted by Saul Howard on how to deny access to all the Subversion directories (.svn).

In a previous tip (Deny access to certain file types) I showed how we can deny access to files by a particular filename, by a particular extension, or by any regexp that matches the files. In this post we will block access to folders, so instead of the directive used there we will be using the <Directory> section.

Allow/Deny Directive in <Directory>

Let’s see how we can deny access to all the .svn folders that exist on the server. In order to achieve this we will add the following configuration lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):

<Directory  ~ "\.svn">
	Order allow,deny
	Deny from all
</Directory>

Similar to this we can deny access to other folders we might need…

Note: this will show a Forbidden page (code 403) even if the folder does not exist and is only requested from the browser by URL. Another quick way to accomplish this is with a Rewrite rule:

RewriteRule ^(.*/)?\.svn/ - [F,L]

or using a redirect:

RedirectMatch 404 /\.svn(/|$)

(In this last example I am using 404 as the returned code so it looks like the folder doesn’t exist on the server; of course, if you prefer, you can return the 403 Forbidden code.)
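
The three rules above do not match exactly the same requests. The following is an added example, not part of the original post: it applies each pattern to constructed request paths with Python's re module. DOCROOT, blocked_by and the sample paths are assumptions, and the URL is assumed to map directly onto the document root.

```python
import re

# Patterns copied from the three rules on this page.
RULES = {
    "directory": re.compile(r"\.svn"),        # <Directory ~ "\.svn">
    "rewrite": re.compile(r"^(.*/)?\.svn/"),  # RewriteRule ... - [F,L]
    "redirect": re.compile(r"/\.svn(/|$)"),   # RedirectMatch 404 ...
}

DOCROOT = "/var/www/html"  # assumed document root, not from the page


def blocked_by(url_path, htaccess=False):
    """Return the names of the rules whose pattern matches this request."""
    # Assumption: the URL maps straight onto DOCROOT (no Alias, no symlinks).
    fs_path = DOCROOT + url_path
    # In a docroot .htaccess, mod_rewrite sees the path without the leading slash.
    rewrite_input = url_path[1:] if htaccess and url_path.startswith("/") else url_path
    subjects = {
        "directory": fs_path,      # regex <Directory> is tested on filesystem paths
        "rewrite": rewrite_input,  # RewriteRule is tested on the URL path
        "redirect": url_path,      # RedirectMatch is tested on the URL path
    }
    # Apache regex matching is unanchored unless the pattern anchors itself.
    return {name for name, rx in RULES.items() if rx.search(subjects[name])}


# Constructed request paths covering the edge cases.
SAMPLES = [
    "/.svn/entries",               # metadata file at the docroot
    "/app/.svn/entries",           # nested working copy
    "/.svn",                       # directory requested without trailing slash
    "/backup.svn-old/readme.txt",  # unrelated folder that merely contains ".svn"
    "/index.html",                 # ordinary content
]

if __name__ == "__main__":
    for path in SAMPLES:
        hits = ", ".join(sorted(blocked_by(path))) or "none"
        print(f"{path:30} -> {hits}")
```

The unanchored `\.svn` in the <Directory> section also matches unrelated paths such as /backup.svn-old/, while the RewriteRule pattern does not match a request for /.svn without a trailing slash.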
