
Forum Moderators: Ocean10000 & incrediBILL & phranque

Blocking access to individual files on Apache server

     
6:55 am on Aug 5, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:660
votes: 8


Hi so I noticed some firewall logs and found users accessing urls like:

http://www.example.com/sitemodule/lightbox.js

How do I make it so that the pages using these scripts are rendered properly, but users trying to access individual files like the above are denied access?

Please advise. Thanks!
2:05 pm on Aug 5, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:660
votes: 8


So I tried the following .htaccess which worked... but it's screwing access via browser as well! Here is the .htaccess directive:

<Files *.js>
Deny from all
</Files>

I placed this .htaccess in the sitemodule directory.. it seems to be blocking individual browser access to the file but it's messing up cache headers.. (gives forbidden value) etc. Can anyone please help?

What's the correct method to not let people launch .js script files individually, but as well as allow rendering of pages, browser cache header values etc. for the same file?

Thanks!
3:06 pm on Aug 5, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14041
votes: 523


Can't be done. At best, you can deny access to requests with no referer--but then you'll have to poke holes for search engines and other authorized robots. And you'll still be blocking humans who have told their browsers not to send a referer with requests for supporting files. (Query: Why would a human do this? Answer: No idea, but some do. Plays havoc with my log wrangling: Oh, I see, this person isn't requesting 50 images one by one; they're actually on the page.)

Denying access with a blanket "Deny from" directive is only for files like .htblahblah that are never, ever to be http-requested for any reason.
3:23 pm on Aug 5, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3451
votes: 181


You can alter the .js file permissions, but again you may be blocking bots that expect to parse the .js to determine whether your pages function as expected. Things like responsive menus .js need to be readable to "see" the finished results.
3:39 pm on Aug 5, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:660
votes: 8


Oh boy, yep, you guys are right. I deleted the htaccess file.. thanks
4:25 pm on Aug 5, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3451
votes: 181


I deleted the htaccess file

I hope that means that you removed the lines denying access to .js

If not, I hope you have another way to handle canonical versions.
12:48 am on Aug 6, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:660
votes: 8


not2easy apologies.. I'm no SEO expert, could you let me know what you mean by handling canonical versions? Thanks!
9:01 am on Aug 6, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 300
votes: 21


Hi so I noticed some firewall logs and found users accessing urls like:


Just curious... how were you differentiating direct requests from the user and secondary requests that resulted from a user requesting your page? (I guess maybe you weren't by the sounds of it?)

...handling canonical versions?


Ensuring that there is just 1 URL for every unique resource. Commonly, this refers to the www subdomain vs apex domain (as well as HTTP vs HTTPS). For example, if your site is accessible by both www.example.com and example.com, making sure you redirect the user to www.example.com (if the www subdomain is your canonical domain).
12:55 pm on Aug 6, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:660
votes: 8


whitespace, no, actually I just saw the logs on Cloudflare, which specifically listed the URL with JavaScript files with crazy extensions within the URL, to probe for weaknesses I guess?

Yeah I've already set up the redirect for the www domain from example.com. Long time ago.
1:29 pm on Aug 6, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 300
votes: 21


....with crazy extensions within the url to probe for weaknesses I guess?


Ahh, maybe that is something you CAN block!? (Unless this is something that is already handled by Cloudflare?)
6:08 pm on Aug 6, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14041
votes: 523


with crazy extensions

Extensions? You mean query strings? You can absolutely block requests with a query string when the real URL doesn’t use one. (I do this for .html, though I haven't needed to do it for other static extensions.) Simplest is to redirect to the query-less version.
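
An added example (not part of lucy24's post or of the thread) of the redirect to the query-less version described above, written as an .htaccess fragment for the directory that holds the static files. It needs mod_rewrite; the extension list and the `v=` cache-busting exception are assumptions to adapt.

```apache
# .htaccess in the directory holding the static files
# (the thread's example is the sitemodule/ directory).
RewriteEngine On

# Act only when the request carries a non-empty query string.
RewriteCond %{QUERY_STRING} .

# Assumed exception: leave a cache-busting parameter such as ?v=123 alone.
# Delete this condition if the site never appends a version to static URLs.
RewriteCond %{QUERY_STRING} !^v=[0-9]+$

# Redirect .js and .css requests to the same path with the query string
# discarded. QSD requires Apache 2.4; on 2.2, drop QSD and end the
# substitution with "?" instead (%{REQUEST_URI}?).
RewriteRule \.(?:js|css)$ %{REQUEST_URI} [QSD,R=301,L]

# To refuse such requests rather than redirect them, replace the rule with:
# RewriteRule \.(?:js|css)$ - [F]
```

The redirect cannot loop, because the redirected request has no query string and fails the first condition.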
10:25 pm on Aug 6, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:660
votes: 8


Not query strings just weird ASCII characters..
11:39 pm on Aug 6, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 300
votes: 21


If it's "just weird ASCII characters" and "not query strings" then you would expect this to result in a 404 (or is already blocked by the server)? Unless... these "weird ASCII characters" are prefixed with a slash and appear after the filename then your server is perhaps seeing this as additional path information (PATH_INFO) - but path info would normally be blocked on JavaScript (application/javascript) files by default and so should already result in a 404 as well?

But you say "within the url"? Do you mind giving an example (to at least satisfy our curiosity)? :)
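
An added example (not from the thread) that makes the PATH_INFO behaviour described above explicit for static files instead of relying on the handler default. The extension list is an assumption, and in .htaccess the directive needs `AllowOverride FileInfo`.

```apache
# AcceptPathInfo has three values:
#   Default - the handler decides; the core handler for normal files
#             rejects trailing path information, while script handlers
#             such as cgi-script generally accept it.
#   On      - trailing path information is accepted if the leading path
#             maps to an existing file.
#   Off     - only a literal existing path is accepted; a request such as
#             /sitemodule/lightbox.js/anything returns 404 Not Found.
#
# Pin static files to Off so that a later handler or module change
# cannot silently start accepting extra path segments after the file name.
<FilesMatch "\.(?:js|css)$">
    AcceptPathInfo Off
</FilesMatch>
```

Requesting an existing .js URL with an extra `/segment` appended and confirming a 404 in the access log verifies the setting is in effect.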