protect ALL htaccess files from public view

   
5:23 pm on Jan 15, 2004 (gmt 0)

10+ Year Member



# Ban access to files & file extensions
RewriteRule ^\.htaccess$ - [F]
RewriteRule ^\.htpasswd$ - [F]

My intentions are to ban access to all .ht(access/passwd) files, but this only works for the root directory. How would you modify this to include all subdirectory .ht(access/passwd) files as well?

..a

6:17 pm on Jan 15, 2004 (gmt 0)

10+ Year Member



When I installed Apache the following was already in "httpd.conf" and works fine:
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

As for your ".htaccess" code:

RewriteRule ^\.htaccess$ - [F]
RewriteRule ^\.htpasswd$ - [F]

The "^" is forcing the comparison to start at the extreme left edge of the string. Maybe try dropping it.

6:40 pm on Jan 15, 2004 (gmt 0)

10+ Year Member



ah yes. the infamous ^

thanks!

8:26 pm on Jan 15, 2004 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Be aware that <Files> also means "only files". That is, the string inside <Files> is compared only to a filename, not to a file-path. Therefore, you use the start anchor in <Files> but not in RewriteRule. <Files> ignores directory-path info, while RewriteRule does not, since it works with URLs.

It's a subtle, but important difference.

Jim
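
The matching difference discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of what a RewriteRule in the document root's .htaccess and a <Files ~> block each compare their pattern against. The sample paths, the function names and the `(^|/)` variant are assumptions made for illustration, and Python's `re` stands in for Apache's regex engine.

```python
import posixpath
import re

# Patterns taken from the thread, plus one assumed variant that is not in the thread.
REWRITE_ANCHORED = r"^\.htaccess$"              # rule as first posted
REWRITE_UNANCHORED = r"\.htaccess$"             # same rule with "^" dropped
REWRITE_SEGMENT = r"(^|/)\.ht(access|passwd)$"  # assumed: anchor at a path-segment boundary
FILES_PATTERN = r"^\.ht"                        # <Files ~ "^\.ht"> from httpd.conf

# Constructed request paths (not from the thread).
SAMPLE_PATHS = [
    "/.htaccess",
    "/members/.htaccess",
    "/members/.htpasswd",
    "/docs/notes.htaccess",   # ordinary file whose name merely ends in ".htaccess"
    "/index.html",
]


def rewrite_rule_matches(pattern, url_path):
    """Simplified model of a RewriteRule in the document root's .htaccess:
    the pattern is searched in the URL-path with its leading slash removed."""
    return re.search(pattern, url_path.lstrip("/")) is not None


def files_matches(pattern, url_path):
    """Simplified model of <Files ~ ...>: only the filename is compared,
    so the directory part of the path never reaches the pattern."""
    return re.search(pattern, posixpath.basename(url_path)) is not None


def blocked_paths(matcher, pattern):
    """Return the sample paths that the given directive model would deny."""
    return [p for p in SAMPLE_PATHS if matcher(pattern, p)]


if __name__ == "__main__":
    cases = [
        ("RewriteRule ^\\.htaccess$", rewrite_rule_matches, REWRITE_ANCHORED),
        ("RewriteRule \\.htaccess$", rewrite_rule_matches, REWRITE_UNANCHORED),
        ("RewriteRule (^|/)\\.ht(access|passwd)$", rewrite_rule_matches, REWRITE_SEGMENT),
        ("<Files ~ \"^\\.ht\">", files_matches, FILES_PATTERN),
    ]
    for label, matcher, pattern in cases:
        print(f"{label:40} denies {blocked_paths(matcher, pattern)}")
```

In this model, dropping the "^" also denies `/docs/notes.htaccess`, while the segment-anchored variant and the <Files> pattern deny only the dot-files themselves.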

9:14 pm on Jan 15, 2004 (gmt 0)

10+ Year Member



Yes & thanks for the advice!

I decided to go with the mod_rewrite method because I have other rules that rewrite [domain.com...] >> [domain.com...]

That, in conjunction with errordocument, was resulting in rewriting the path to my errordocument to the address bar. Since I'm using error.php?404 or error.php?403 etc., I thought it best just to force 403 so that the inner workings of my errordocuments stay hidden in the event that someone asks for [domain.com...]

..a