
Apache Web Server Forum

    
Prevent direct access to a folder and subfolders
ocon

Msg#: 4603520 posted 5:20 am on Aug 20, 2013 (gmt 0)

I'm using a rewrite rule to serve files out of my cache.

Although the browser shows /page/001.html, the file is really /cache/file-001.html.

Under no circumstances should the user be able to directly access any file from /cache/ in the browser.

I'm trying to create an .htaccess file at /cache/.htaccess to accomplish this, but 'Deny from all' prevents my rewrite rule from working.

Is there something else I should use?

 

phranque

Msg#: 4603520 posted 9:37 am on Aug 20, 2013 (gmt 0)

use an [F] flag in a RewriteRule after matching THE_REQUEST in a RewriteCond.

another option is to 301 redirect from any file path-like request to the canonical url.

g1smd

Msg#: 4603520 posted 2:17 pm on Aug 20, 2013 (gmt 0)

Near the beginning of the rules:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /cache/
RewriteRule ^cache/ - [F]

lucy24

Msg#: 4603520 posted 10:44 pm on Aug 20, 2013 (gmt 0)

Under no circumstances should the user be able to directly access any file from /cache/ in the browser.

You don't need to make a separate htaccess file; in fact two or more htaccess files each containing their own RewriteRules is a recipe for disaster.

I suspect what you're really after is the standard redirect-to-rewrite two-step. You already have the rewrite. The redirect part goes (note that this is the same as g1's rule, only converted from F to R)

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /cache/
RewriteRule ^cache/file-(\d+\.html) http://www.example.com/page/$1 [R=301,L]

Put this with the other redirects in your mod_rewrite area.

I'm trying to create an .htaccess file at /cache/.htaccess to accomplish this, but 'Deny from all' prevents my rewrite rule from working.

I further suspect this is a misunderstanding. No user can view .htaccess or .htpasswd directly in the browser; that's where the "Deny from all" kicks in. But that has nothing to do with the workings of the file. Requests have to obey htaccess whether they want to or not. It's not like robots.txt where they can first choose to look at it and then choose to obey it.

ocon

Msg#: 4603520 posted 1:50 am on Aug 23, 2013 (gmt 0)

Thanks for the feedback! I will ensure I combine all my rules into one .htaccess file.

I'm using the following code to prevent access to both the cache and logs folder:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(cache|logs)/
RewriteRule ^.* - [F]


It seems to work, but I'm not quite sure what the ^[A-Z]{3,9}\ part does.

phranque

Msg#: 4603520 posted 3:20 am on Aug 23, 2013 (gmt 0)

I'm not quite sure what the ^[A-Z]{3,9}\ part does


that matches the HTTP Request Method:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1

which would typically be GET, HEAD or POST but there are other possibilities.
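
Worked example, added here and not taken from any post in the thread: a small Python model of one mod_rewrite pass that shows why the rules above test %{THE_REQUEST} (the raw request line) rather than the rewritten path. It assumes the original poster's unshown rewrite maps /page/NNN.html to /cache/file-NNN.html, and it layers lucy24's R=301 rule over g1smd's [F] rule so that anything else requested directly under /cache/ or /logs/ is refused.

```python
import re

# Added example, not code from the thread. A toy model of one mod_rewrite pass
# that shows why the posted rules test %{THE_REQUEST}: it is the raw request
# line the client sent and is NOT changed by an internal RewriteRule, so a
# /page/ request that is rewritten to /cache/ never trips the condition.

# RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(cache|logs)/
DIRECT_HIT = re.compile(r"^[A-Z]{3,9} /(cache|logs)/")
# RewriteRule ^cache/file-(\d+\.html) /page/$1 [R=301,L]   (lucy24's variant)
CACHE_FILE = re.compile(r"^/cache/file-(\d+\.html)$")
# The poster's own rewrite, assumed here: /page/001.html -> /cache/file-001.html
PAGE = re.compile(r"^/page/(\d+\.html)$")


def handle(request_line, mode="F"):
    """Return (status, path) for one raw HTTP request line.

    mode "F": g1smd's rule, any direct /cache/ or /logs/ request gets 403.
    mode "R": lucy24's variant, a direct /cache/file-NNN.html request is
              301-redirected to /page/NNN.html; other direct hits still get 403.
    Everything else is rewritten internally and served (status 200).
    """
    # RewriteRule sees the URL path without the query string, unlike THE_REQUEST.
    _method, _, rest = request_line.partition(" ")
    path = rest.split(" ", 1)[0].split("?", 1)[0]

    if DIRECT_HIT.match(request_line):          # client asked for /cache/ itself
        if mode == "R":
            m = CACHE_FILE.match(path)
            if m:
                return 301, "/page/" + m.group(1)
        return 403, path

    m = PAGE.match(path)                        # internal rewrite, URL bar unchanged
    if m:
        return 200, "/cache/file-" + m.group(1)
    return 200, path


if __name__ == "__main__":
    for line in ("GET /page/001.html HTTP/1.1",            # constructed samples
                 "GET /cache/file-001.html HTTP/1.1",
                 "HEAD /logs/access.log HTTP/1.1"):
        print(line, "->", handle(line), handle(line, "R"))
```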

ocon

Msg#: 4603520 posted 3:41 am on Aug 23, 2013 (gmt 0)

That's what I thought it was, but I couldn't find any that were nine characters long.

OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT

lucy24

Msg#: 4603520 posted 5:01 am on Aug 23, 2013 (gmt 0)

There are a few others. I recently looked up PROPFIND* (8 letters) for some reason which now escapes me.

You would think w3's list should be comprehensive if anyone's is, but apparently not. There's a list long enough to choke on here [annevankesteren.nl] (dated 2007, so it probably isn't going anywhere). Aside from a couple of hyphenated methods, the longest on that list is 10 characters.

Now, whether you want to admit requests using methods you've never even heard of is another matter. It's very unlikely that a normal person's RewriteRules will apply to requests other than GET, HEAD or POST. So that's {3,4} rather than {,9}.

That's assuming all methods would show up in logs. I've never personally seen any but the Big Three, plus the rare PUT from malign robots. In fact I block most POST requests on general principles.


* Further exploration leads to this elderly thread [webmasterworld.com] with detailed explanation from Our Own jdMorgan. Putting the link here so I'll know where to look next time.

phranque

Msg#: 4603520 posted 6:21 am on Aug 23, 2013 (gmt 0)

I recently looked up PROPFIND* (8 letters) for some reason which now escapes me.


you must be thinking of this - For anyone else whose immediate reaction was "What the ### is propfind?":
http://www.webmasterworld.com/apache/4603525.htm [webmasterworld.com]

JD_Toims

Msg#: 4603520 posted 11:47 pm on Aug 24, 2013 (gmt 0)

PROPPATCH
http://www.webdav.org/specs/rfc4918.html#METHOD_PROPPATCH
questorfla
Msg#: 4603520 posted 3:30 am on Oct 7, 2013 (gmt 0)

I would like to join the conversation as I am in need of a similar setup. The main page and any secondary pages contain a link to a separate folder called Microchat to enable users to converse if needed. However, I discovered that this results in an address bar link that could be entered directly without going through the required login and password checks. Anything that would allow a direct internal link to proceed but deny a starting link would be fine: a redirect or even a 403 not authorized. But it must allow the users to connect to that folder while inside the parent folder or the chat is no good.
Any advice appreciated, or even tell me to start a new topic?
