拒绝htaccess直接访问文件夹和文件

时间:2021-05-11 00:29:22

Here is the scenario:

这是场景:

  • There is a index.php file in root folder
  • 有一个指数。根文件夹中的php文件
  • some files are included in index.php which are in the includes folder.
  • 有些文件包含在索引中。包含在include文件夹中的php。
  • 1 other file (submit.php) is in the root folder for form submit action.
  • 另一个文件(submit.php)在根文件夹中,用于表单提交操作。

I want to restrict direct user access to the files in includes folder by htaccess. also for submit.php. But include will work for index.php file. Like, if user types www.domain.com/includes/somepage.php, it will restrict it (may be redirect to a error page).

我想通过htaccess限制用户直接访问include文件夹中的文件。submit.php。但是包括将用于索引。php文件。例如,如果用户输入www.domain.com/includes/somepage.php,它将限制它(可能被重定向到一个错误页面)。

7 个解决方案

#1


232  

I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

我只是想把include文件夹从web根目录中移出来,但是如果您想阻止对整个include文件夹的直接访问,您可以将.htaccess文件放在该文件夹中,其中只包含:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.

这样,您就无法从该文件夹中打开任何文件,但是您可以在php中包含它们,而不会出现任何问题。

#2


46  

This is pure mod_rewrite based solution:

这是纯基于mod_rewrite的解决方案:

RewriteRule ^(includes/|submit\.php) - [F,L,NC]

This will show forbidden error to use if URI contains either /includes/ or /submit.php

如果URI包含/include /或/submit.php,则将显示禁止使用的错误

#3


18  

It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:

可以使用文件指令,不允许访问所有文件,然后再次使用它设置可访问的文件:

<Files ~ "^.*">
  Deny from all
</Files>

<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
  Allow from all
</Files>

#4


10  

1 liner mod_alias based solution :

1基于线性mod_alias的解决方案:

RedirectMatch 403 ^/folder/file.php$

This will show forbidden error for /folder/file.php

这将显示/folder/file.php的禁止错误

#5


8  

If I understand correctly you just want to deny access to the includes folder?

如果我理解正确,您只想拒绝对include文件夹的访问?

An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.

在include文件夹中放置一个带有“DENY FROM ALL”指令的.htaccess会起到这个作用。

#6


8  

Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a DOCROOT/.htaccess anyway and this keeps all such control in one file.

你的问题分为两部分,耶罗文和阿努巴瓦的解决方案都适用于第一部分——拒绝访问/包含。anubhava也适用于第二部分。我更喜欢后者,因为我使用的是DOCROOT/。无论如何,这将把所有这些控制保存在一个文件中。

However what I wanted t discuss is the concept of "denying access to submit.php". If you don't want to use submit.php then why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.

但是,我不想讨论的是“拒绝对submit.php的访问”的概念。如果您不想使用submit。那么为什么要在DOCROOT中使用php呢?我猜想这里的答案是,您将它作为某些表单的操作目标,并且只希望它在提交表单时被触发,而不是直接被触发,例如来自spambot。

If this is true then you can't use anubhava's part II as this will cause your form to fail. What you can do here is (i) with the .htaccess check to ensure that the referrer was your own index page:

如果这是真的,那么你不能使用anubhava的第二部分,因为这会导致你的表单失败。你在这里可以做的是(i)使用。htaccess检查以确保引用者是你自己的索引页:

RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php   [NC]
RewriteRule ^submit\.php$    -                                   [F]

And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.

和(ii)在PHP索引中。php表单生成器包含一些用于时间戳和验证的隐藏字段。验证可以是时间戳的MD5的前10个字符和一些内部秘密。在处理提交时,您可以(i)验证时间戳和验证匹配,(ii)时间戳在当前时间的15分钟内。

This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.

这可以防止垃圾邮件作为垃圾邮件发送者获得有效的时间戳/验证对的唯一可行的方式,但是这种刮擦只会有15分钟的生命。

#7


6  

Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:

根据可能在更高级别设置的其他选项,您可能需要将以下内容放入您的包含目录中的.htaccess文件中:

Satisfy all
Order deny,allow
Deny from all

I ran into this when the upper directory defined basic authentication including the line:

当上面的目录定义了基本的身份验证时,我遇到了这一行:

Satisfy any

This was preventing my deny from all to take effect because the users were authenticated.

这阻止了我的拒绝生效,因为用户是经过验证的。

#1


232  

I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

我只是想把include文件夹从web根目录中移出来,但是如果您想阻止对整个include文件夹的直接访问,您可以将.htaccess文件放在该文件夹中,其中只包含:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.

这样,您就无法从该文件夹中打开任何文件,但是您可以在php中包含它们,而不会出现任何问题。

#2


46  

This is pure mod_rewrite based solution:

这是纯基于mod_rewrite的解决方案:

RewriteRule ^(includes/|submit\.php) - [F,L,NC]

This will show forbidden error to use if URI contains either /includes/ or /submit.php

如果URI包含/include /或/submit.php,则将显示禁止使用的错误

#3


18  

It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:

可以使用文件指令,不允许访问所有文件,然后再次使用它设置可访问的文件:

<Files ~ "^.*">
  Deny from all
</Files>

<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
  Allow from all
</Files>

#4


10  

1 liner mod_alias based solution :

1基于线性mod_alias的解决方案:

RedirectMatch 403 ^/folder/file.php$

This will show forbidden error for /folder/file.php

这将显示/folder/file.php的禁止错误

#5


8  

If I understand correctly you just want to deny access to the includes folder?

如果我理解正确,您只想拒绝对include文件夹的访问?

An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.

在include文件夹中放置一个带有“DENY FROM ALL”指令的.htaccess会起到这个作用。

#6


8  

Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a DOCROOT/.htaccess anyway and this keeps all such control in one file.

你的问题分为两部分,耶罗文和阿努巴瓦的解决方案都适用于第一部分——拒绝访问/包含。anubhava也适用于第二部分。我更喜欢后者,因为我使用的是DOCROOT/。无论如何,这将把所有这些控制保存在一个文件中。

However what I wanted t discuss is the concept of "denying access to submit.php". If you don't want to use submit.php then why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.

但是,我不想讨论的是“拒绝对submit.php的访问”的概念。如果您不想使用submit。那么为什么要在DOCROOT中使用php呢?我猜想这里的答案是,您将它作为某些表单的操作目标,并且只希望它在提交表单时被触发,而不是直接被触发,例如来自spambot。

If this is true then you can't use anubhava's part II as this will cause your form to fail. What you can do here is (i) with the .htaccess check to ensure that the referrer was your own index page:

如果这是真的,那么你不能使用anubhava的第二部分,因为这会导致你的表单失败。你在这里可以做的是(i)使用。htaccess检查以确保引用者是你自己的索引页:

RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php   [NC]
RewriteRule ^submit\.php$    -                                   [F]

And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.

和(ii)在PHP索引中。php表单生成器包含一些用于时间戳和验证的隐藏字段。验证可以是时间戳的MD5的前10个字符和一些内部秘密。在处理提交时,您可以(i)验证时间戳和验证匹配,(ii)时间戳在当前时间的15分钟内。

This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.

这可以防止垃圾邮件作为垃圾邮件发送者获得有效的时间戳/验证对的唯一可行的方式,但是这种刮擦只会有15分钟的生命。

#7


6  

Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:

根据可能在更高级别设置的其他选项,您可能需要将以下内容放入您的包含目录中的.htaccess文件中:

Satisfy all
Order deny,allow
Deny from all

I ran into this when the upper directory defined basic authentication including the line:

当上面的目录定义了基本的身份验证时,我遇到了这一行:

Satisfy any

This was preventing my deny from all to take effect because the users were authenticated.

这阻止了我的拒绝生效,因为用户是经过验证的。