
Prevent direct access to a folder and subfolders

5:20 am on Aug 20, 2013 (gmt 0)

I'm using a rewrite rule to serve files out of my cache.

Although the browser shows /page/001.html the file is really /cache/file-001.html

Under no circumstances should the user be able to directly access any file from /cache/ in the browser.

I'm trying to create an .htaccess file at /cache/.htaccess to accomplish this, but 'Deny from all' prevents my rewrite rule from working.

Is there something else I should use?
9:37 am on Aug 20, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)

use an [F] flag in a RewriteRule after matching THE_REQUEST in a RewriteCond.

another option is to 301 redirect from any file path-like request to the canonical url.
2:17 pm on Aug 20, 2013 (gmt 0)

g1smd (WebmasterWorld Senior Member)

Near the beginning of the rules:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /cache/
RewriteRule ^cache/ - [F]
10:44 pm on Aug 20, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member)

Under no circumstances should the user be able to directly access any file from /cache/ in the browser.

You don't need to make a separate htaccess file; in fact two or more htaccess files each containing their own RewriteRules is a recipe for disaster.

I suspect what you're really after is the standard redirect-to-rewrite two-step. You already have the rewrite. The redirect part goes (note that this is the same as g1's rule, only converted from F to R)

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /cache/
RewriteRule ^cache/file-(\d+\.html) http://www.example.com/page/$1 [R=301,L]

Put this with the other redirects in your mod_rewrite area.

I'm trying to create an .htaccess file at /cache/.htaccess to accomplish this, but 'Deny from all' prevents my rewrite rule from working.

I further suspect this is a misunderstanding. No user can view .htaccess or .htpasswd directly in the browser; that's where the "Deny from all" kicks in. But that has nothing to do with the workings of the file. Requests have to obey htaccess whether they want to or not. It's not like robots.txt where they can first choose to look at it and then choose to obey it.
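Pulling the thread together as an added example (this is not code posted by any of the participants): one root .htaccess that combines the THE_REQUEST forbid rule above with the internal rewrite the original poster described. The /page/NNN.html to /cache/file-NNN.html mapping comes from the thread; the exact regular expressions, the site name and the sample request line are assumed.

```apache
# Added example, not from the thread. Single /.htaccess at the site root.
# Assumes the OP's layout: /cache/file-001.html is served as /page/001.html.
RewriteEngine On

# 1. Block direct client requests for anything under /cache/.
#    THE_REQUEST holds the original request line, e.g.
#      GET /cache/file-001.html HTTP/1.1
#    and is never altered by internal rewrites. So this condition is true
#    only when the browser itself asked for /cache/..., not when rule 3
#    below rewrites a /page/ request to a /cache/ file internally.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /cache/
RewriteRule ^cache/ - [F]

# 2. Optional alternative to rule 1 (lucy24's redirect-to-rewrite variant):
#    instead of a 403, send direct /cache/ requests to the canonical URL.
#    Use either rule 1 or rule 2, not both.
# RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /cache/
# RewriteRule ^cache/file-(\d+\.html)$ http://www.example.com/page/$1 [R=301,L]

# 3. Internal rewrite: the browser keeps seeing /page/001.html while Apache
#    reads /cache/file-001.html. After this rewrite Apache re-runs the rules
#    with REQUEST_URI=/cache/file-001.html, so rule 1's pattern ^cache/ does
#    match, but its RewriteCond on THE_REQUEST still sees /page/001.html and
#    fails, which is exactly why THE_REQUEST is used rather than REQUEST_URI.
RewriteRule ^page/(\d+)\.html$ cache/file-$1.html [L]
```

A quick check after deploying: a request for /page/001.html should return 200 with the cached content, while a request for /cache/file-001.html should return 403 (or a 301 to /page/001.html if rule 2 is used instead).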
1:50 am on Aug 23, 2013 (gmt 0)

Thanks for the feedback! I will ensure I combine all my rules into one .htaccess file.

I'm using the following code to prevent access to both the cache and logs folder:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(cache|logs)/
RewriteRule ^.* - [F]


It seems to work but I'm not quite sure what the ^[A-Z]{3,9}\ part does.
3:20 am on Aug 23, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)

I'm not quite sure what the ^[A-Z]{3,9}\ part does


that matches the HTTP Request Method:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1

which would typically be GET, HEAD or POST but there are other possibilities.
3:41 am on Aug 23, 2013 (gmt 0)

That's what I thought it was but I couldn't find any that were nine characters long.

OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT
5:01 am on Aug 23, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member)

There are a few others. I recently looked up PROPFIND* (8 letters) for some reason which now escapes me.

You would think w3's list should be comprehensive if anyone's is, but apparently not. There's a list long enough to choke on here [annevankesteren.nl] (dated 2007, so it probably isn't going anywhere). Aside from a couple of hyphenated methods, the longest on that list is 10 characters.

Now, whether you want to admit requests using methods you've never even heard of is another matter. It's very unlikely that a normal person's RewriteRules will apply to requests other than GET, HEAD or POST. So that's {3,4} rather than {,9}.

That's assuming all methods would show up in logs. I've never personally seen any but the Big Three, plus the rare PUT from malign robots. In fact I block most POST requests on general principles.


* Further exploration leads to this elderly thread [webmasterworld.com] with detailed explanation from Our Own jdMorgan. Putting the link here so I'll know where to look next time.
6:21 am on Aug 23, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)

I recently looked up PROPFIND* (8 letters) for some reason which now escapes me.


You must be thinking of this. For anyone else whose immediate reaction was "What the ### is propfind?":
http://www.webmasterworld.com/apache/4603525.htm [webmasterworld.com]
11:47 pm on Aug 24, 2013 (gmt 0)

PROPPATCH
http://www.webdav.org/specs/rfc4918.html#METHOD_PROPPATCH
3:30 am on Oct 7, 2013 (gmt 0)



I would like to join the conversation as I am in need of a similar setup. The main page and any secondary pages contain a link to a separate folder called Microchat to enable users to converse if needed. However, I discovered that this results in an address bar link that could be entered directly without going through the required login and password checks. Anything that would allow a direct internal link to proceed but deny a starting link would be fine: a redirect or even a 403 not authorized. But it must allow the users to connect to that folder while inside the parent folder or the chat is no good.
Any advice appreciated, or even tell me to start a new topic?