Apache Tips & Tricks: Deny access to some folders
Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod_access
Scope: global server configuration, virtual host, directory, .htaccess
Type: security
Description: How to deny access to certain folders and the files inside them.
Useful: to deny access to certain folders containing private information (log files, source code, password files, etc.). The example shown here addresses the question posted by Saul Howard on how to deny access to all the Subversion directories (.svn).
In a previous tip (Deny access to certain file types) I showed how to deny access to files with a particular filename, to all files with a particular extension, or to any files matching a regexp. In this post we will block access to folders, so instead of the <Files> directive we will use the <Directory> section.
Allow/Deny Directive in <Directory>
Let’s see how we can deny access to all the .svn folders that exist on the server.
In order to achieve this we will add the following configuration lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):
<Directory ~ "\.svn">
Order allow,deny
Deny from all
</Directory>
In the same way we can deny access to any other folders as needed.
Note: this will return a Forbidden page (code 403) even if the folder does not exist and is simply requested by URL from the browser.
Another quick way to accomplish this is with a rewrite rule:
RewriteRule ^(.*/)?\\.svn/ - [F,L]
or using a redirect:
RedirectMatch 404 /\\.svn(/|$)
(in this last example I am using 404 as the returned code so this looks like the folder doesn’t exist on the server; of course if you prefer you can return 403 - forbidden code).
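The three patterns above do not cover exactly the same paths. The following check is an added example, not part of the original post: it runs each pattern over constructed sample paths so the differences are visible before the rules go live. It assumes that Python's re module agrees with Apache's regex engine for patterns this simple, and that the doubled backslash in the RewriteRule and RedirectMatch lines reaches the regex engine as a single escape (\.).

```python
import re

# Patterns taken from the three directives above. Assumptions: Python's `re`
# matches the same strings as Apache's engine for regexes this simple, and the
# doubled backslash in the config lines is read as the single escape `\.`.
DIRECTORY_RE = re.compile(r"\.svn")        # <Directory ~ "\.svn">: filesystem directory path
REWRITE_RE = re.compile(r"^(.*/)?\.svn/")  # RewriteRule: URL path
REDIRECT_RE = re.compile(r"/\.svn(/|$)")   # RedirectMatch: URL path


def rewrite_blocks(url_path, per_dir=False):
    """RewriteRule sees the full URL path in server/vhost context. In .htaccess
    context the directory prefix is stripped (modelled here as dropping the
    leading slash, i.e. an .htaccess file in the document root)."""
    subject = url_path.lstrip("/") if per_dir else url_path
    return REWRITE_RE.search(subject) is not None


def redirect_blocks(url_path):
    """RedirectMatch tests the full URL path."""
    return REDIRECT_RE.search(url_path) is not None


def directory_blocks(fs_dir):
    """The <Directory ~> regex is an unanchored search over the directory path."""
    return DIRECTORY_RE.search(fs_dir) is not None


# Constructed sample inputs (not taken from any real server).
URLS = ["/.svn/entries", "/app/.svn/entries", "/app/.svn",
        "/app/.svnignore", "/docs/notes.svn/readme.txt"]
DIRS = ["/var/www/html/app/.svn", "/var/www/html/docs/notes.svn",
        "/var/www/html/app"]

if __name__ == "__main__":
    for u in URLS:
        print(f"{u:30} rewrite={rewrite_blocks(u)!s:5} "
              f"htaccess={rewrite_blocks(u, per_dir=True)!s:5} "
              f"redirect={redirect_blocks(u)}")
    for d in DIRS:
        print(f"{d:30} directory={directory_blocks(d)}")
```

The output shows that the rewrite pattern needs the trailing slash after .svn while the RedirectMatch pattern also covers a bare /app/.svn, and that the unanchored <Directory> regex also applies to a folder such as notes.svn, which the two URL patterns leave alone.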
12th August 2006, 09:25
Thanks for that, it worked.
I had tried
Order allow,deny
Deny from all
but that didn’t work because the match is for the whole path.
13th August 2006, 10:55
Saul,
You are welcome. I am happy that I could help you solve this issue.
Cheers,
- Marius -
P.S. Probably you got some characters stripped off when posting the comment, as I can’t understand anything from what you had previously tried… anyway it doesn’t matter, as now you should be ok.
15th August 2008, 08:44
I’ve tried the example you gave, but it didn’t work. I can still access the folder/directory. Also, how do I use the mod_access module, I noticed that it was not with the LoadModule stuff.
Here’s the stuff I want out
Alias /icons/ "/var/www/icons/"
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
Thanks!
16th August 2008, 00:17
steve: what version of apache do you use? In 2.2.x mod_access was replaced with mod_authz_host. You need to have this module (mod_access for apache1, apache2.0.x or mod_authz_host for apache2.2.x) loaded for this to work.
26th August 2008, 05:05
Hi, in apache2 ver. 2.2.8 I’d like to allow access to phpMyAdmin only from my own IP:
# this is actually a subdir of a virtual host directory
Options None
AllowOverride None
Order allow,deny
Deny from all
# Allow from 127.0.0.1 192.168.1.24
Yet even with a hash the access is allowed from all now! There are numerous config files and I am looking for an easy way to identify the place which stops the above statements from working.
26th August 2008, 12:45
Zbigniew: wordpress has stripped your comment and I can’t understand how your rule is applied. Use the contact form to send me an email with the information and I will try to help you out. -M.