.htaccess limit to index.php

         

rodneytoady

7:25 pm on Mar 7, 2011 (gmt 0)

10+ Year Member



deny from all
<Files ~ "^[(index.php)]+$">
order allow,deny
allow from all
</Files>

The above snippet does what I want (i.e. limit access to any file other than index.php), but I also need to allow the default web address, which is the domain name without a file specified (which defaults to index.php anyway). With the above code it is denied, but if I change it to this:

deny from all
<Files ~ "^[(index.php)]?$">
order allow,deny
allow from all
</Files>

it allows anything at all. How can I re-write my .htaccess snippet to allow only index.php or a blank filename, please?

g1smd

7:39 pm on Mar 7, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The FilesMatch directive operates on files, not URLs, and should work in conjunction with the DirectoryIndex index.php directive.


Why the "^[(index.php)]+$" complexity here? The [ ] and ( ) and + are not required.

rodneytoady

8:26 pm on Mar 7, 2011 (gmt 0)

10+ Year Member



The complexity is by accident, a legacy of more complex FilesMatch rules I originally had. Thanks for the tip. I don't really understand the rest of your reply; I think DirectoryIndex index.php is already set by the server administrator (shared hosting), which is why the empty file name case defaults to index.php. However, it still gives permission denied for an empty filename using my .htaccess snippet. This is what I need to fix.

rodneytoady

9:32 pm on Mar 7, 2011 (gmt 0)

10+ Year Member



Answer found. This works in my testing under Apache2 on XP; note the empty "OR" after index.php:

deny from all
<FilesMatch "^(index.php|)$">
order allow,deny
allow from all
</FilesMatch>

[edited by: jdMorgan at 6:39 pm (utc) on Mar 9, 2011]
[edit reason] [ code ] tags to suppress bbcode. [/edit]

jdMorgan

6:44 pm on Mar 9, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If your intent is to deny HTTP access to all but the home page, I'd suggest:

Order Deny,Allow
Deny from all
<FilesMatch "^(index\.php)?$">
Allow from all
</FilesMatch>

If indeed you must allow for a blank FilesMatch, then that indicates a potential problem with your server, as <FilesMatch> should not be executed until after the requested URL example.com/ has already been resolved to the filepath /index.php by mod_dir. Perhaps the LoadModule order is incorrect?

Worth looking into, as such config problems can cause really hard-to-find problems.

Jim

[edited by: jdMorgan at 9:53 pm (utc) on Mar 28, 2011]

rodneytoady

10:09 pm on Mar 9, 2011 (gmt 0)

10+ Year Member



My testing server is XAMPP on Win XP. The only thing I've altered is the vhosts.conf file, otherwise it's stock out of the box, so to speak. I'll look at the LoadModule order and reply if I find an issue. It definitely gives me a permission denied for the URL example.com/ without the empty option in the FilesMatch code.

I've found that .htaccess regexps are a bit confusing as they don't seem to be exactly the same as Perl regexps. Do I really need to escape the stop (.) when it's inside the parentheses as part of a pattern? My experience has been not (but I do need to escape it if it's not in parentheses, e.g. between two sets of parenthesised patterns). As I said, I'm a little confused and often rely on testing.

jdMorgan

1:40 am on Mar 10, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Unescaped "." characters outside of alternate-characters sets (e.g. [aeiou]) mean "match any single character."

Therefore, your unescaped-period patterns may indeed appear to "work," but will actually match any character where you expect your period to be. This can lead to security-related problems in some cases.

Apache 1.x used only POSIX regular expressions. Apache 2.x supports PCRE, but allows "overlap" with POSIX.

"Match one or more characters not a period, followed by a period, one or more times, followed by 'html'" is thus properly coded ^([^.]+\.)+html$

Note that with PCRE support comes the ability to do atomic back-references across almost all OS platforms... Very handy if you want to compare two variables in mod_rewrite -- something not possible with POSIX versions.

Jim
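An added example (not written by any poster in this thread) that checks the three patterns quoted above against constructed filenames, to show which files each one would let through the "allow from all" block. It uses Python's re module as a stand-in for Apache's regex engine, an assumption that holds for these simple patterns; the function names and sample filenames are hypothetical.

```python
import re

# Patterns exactly as quoted in the thread.
PATTERNS = {
    "char_class": r"^[(index.php)]+$",    # first post: [ ] makes a character set
    "unescaped_dot": r"^(index.php|)$",   # "." matches any single character
    "escaped_dot": r"^(index\.php)?$",    # jdMorgan's suggestion
}

# Constructed sample filenames (not from the thread). FilesMatch is applied
# to the file name, not the URL, so these are bare names.
SAMPLES = [
    "index.php", "", "indexXphp", "index-php",
    "pipe.php", "hidden.php", "config.php", "index.php.bak",
]

INTENDED = ("index.php", "")  # what the poster wanted to allow


def allowed(pattern, names=SAMPLES):
    """Return the names the pattern matches, i.e. files the block would allow."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def overmatches(pattern, names=SAMPLES):
    """Return names that are allowed although they were never intended to be."""
    return [n for n in allowed(pattern, names) if n not in INTENDED]


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        print(f"{label:14} {pattern}")
        print(f"  allowed:     {allowed(pattern)}")
        print(f"  unintended:  {overmatches(pattern)}")
```

The character-set pattern admits any name built only from the characters `( i n d e x . p h )`, and the unescaped-dot pattern admits any nine-character name of the form `index?php`; only the escaped form is limited to index.php and the empty name.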

rodneytoady

3:29 am on Mar 10, 2011 (gmt 0)

10+ Year Member



Thank you very much. Great, concise information.