
Restrict file access from outside

Allow only include() to access subfolder files

         

anjanesh

4:50 am on Mar 20, 2005 (gmt 0)

10+ Year Member



Hi
I have a directory called includes where a lot of scripts in the root call scripts in include (include_once("include/scripta.php")).
I want these include scripts never to be called from outside - like someone typing the URL in the browser (http://#*$!.com/include/scripta.php). These are meant only to be called from scripts in root or elsewhere on my host.
How do I do this?
I'm new to htaccess. I tried doing:

<Files ~ "\.php$">
Order Deny,Allow
Deny from all
</Files>

But the script is executing when called from a browser by giving the URL.
Once this works I'll add Allow from localhost
Thanks.

sitz

4:58 am on Mar 20, 2005 (gmt 0)

10+ Year Member



There are a few ways to accomplish this. The easiest (well, potentially) is to move your include/ directory out of the Apache documentroot. The browser is never supposed to request those files, and moving them out of the docroot makes it impossible (weird corner cases notwithstanding) to request them directly. The down-side to this method is that you'll likely need to tweak the paths in the include() statements in your script.

If that's not an option, then the .htaccess file is the way to go. Your .htaccess is, I assume, in the includes/ directory? Is 'AllowOverride Limit' turned on for your document root (or at least the includes/ directory)? You can try sticking some invalid directives in your .htaccess file and see if that breaks things; if it doesn't, the .htaccess file likely isn't being parsed.

Note that if you *do* get this working, you won't need to add localhost to the allow list; the deny/allow directives are designed to limit HTTP access. When you include() a local file, no HTTP request is being made for the file; PHP just opens it locally; 'Deny from all' will work fine.

anjanesh

5:33 am on Mar 20, 2005 (gmt 0)

10+ Year Member



Where do I enter AllowOverride Limit?

<Files ~ "\.php$">
AllowOverride Limit On
Order Deny,Allow
Deny from all
</Files>

Yes, my .htaccess file is in the include directory.
Your first method is an option, but I would prefer using .htaccess.

sitz

1:25 pm on Mar 20, 2005 (gmt 0)

10+ Year Member



Read The Fine Manual:
[httpd.apache.org]

AllowOverride cannot be set in a .htaccess file; it needs to be set in httpd.conf. Since its purpose is to control what can and cannot be placed in a .htaccess file, allowing *it* to be placed in a .htaccess file would be silly, yes? =)
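
An added example, not part of the thread or written by its participants: the setup the replies describe, with AllowOverride in httpd.conf and the deny rules in the include directory's .htaccess. The /var/www/example path is a placeholder, and the Apache 2.4 form in the closing comments goes beyond the 2.2-era syntax used in the posts.

```apache
# ---- httpd.conf (main server config; reload Apache after editing) ----
# /var/www/example is a placeholder DocumentRoot, not a path from the thread.
<Directory "/var/www/example/include">
    # AllowOverride is only valid in <Directory> sections of the server
    # config. With "AllowOverride None" Apache never reads .htaccess files
    # under this path, so the Deny rule below is silently ignored and the
    # scripts stay reachable by URL.
    # "Limit" permits the host access directives: Order, Allow, Deny.
    AllowOverride Limit
</Directory>

# ---- /var/www/example/include/.htaccess ----
# Same rule as posted in the thread. It restricts HTTP requests only;
# include()/include_once() read the file from disk and are unaffected,
# so no "Allow from localhost" is needed.
<Files ~ "\.php$">
    Order Deny,Allow
    Deny from all
</Files>

# ---- Alternative: no .htaccess at all, policy kept in httpd.conf ----
# Use this INSTEAD of the two fragments above, not together with them.
# <Directory "/var/www/example/include">
#     AllowOverride None
#     Order Deny,Allow
#     Deny from all
# </Directory>

# ---- Apache 2.4 note ----
# Order/Deny are provided there by mod_access_compat. The native form is
#     Require all denied
# and, when placed in .htaccess, it needs "AllowOverride AuthConfig"
# in httpd.conf rather than "Limit".

# ---- Checking that .htaccess is parsed ----
# Temporarily add a line Apache does not recognise to .htaccess.
# If requests under include/ start returning 500 Internal Server Error,
# the file is being read; if nothing changes, overrides are disabled
# for that directory in httpd.conf.
```

With the rule active, a direct request for a .php file under include/ returns 403 Forbidden, while pages in the root that include() those files keep working.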

anjanesh

2:17 pm on Mar 20, 2005 (gmt 0)

10+ Year Member



Thanks anyway.
It's working on my web host. I initially tried this on my localhost and it wasn't working.