How to deny access to a file in .htaccess

Question

I have the following .htaccess file:

RewriteEngine On
RewriteBase /

# Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

# Protect log.txt
<Files ./inscription/log.txt>
Order Allow,Deny
Deny from all
</Files>

# Disable directory browsing
Options All -Indexes

I am trying to forbid visitors to access the following file:

domain.com/inscription/log.txt

but what I have above does not work: I can still access the file from the browser remotely.

Why are you denying access to the .htaccess file? – tonybaldwin Apr 1 '15 at 20:39 — tonybaldwin, Apr 1 '15 at 20:39

Jon Lin · Accepted Answer · 2012-07-30 21:18:18Z

Within an htaccess file, the scope of the <Files> directive only applies to that directory (I guess to avoid confusion when rules/directives in the htaccess of subdirectories get applied superceding ones from the parent).

So you can have:

<Files "log.txt">
Order Allow,Deny
Deny from all
</Files>

In an htaccess file in your inscription directory. Or you can use mod_rewrite to sort of handle both cases deny access to htaccess file as well as log.txt:

RewriteRule /?\.htaccess$ - [F,L]

RewriteRule ^/?inscription/log\.txt$ - [F,L]

Using the rewrite rules denies my own code from accessing the contents of *.txt. How would you get around this? — Pantss, Dec 6 '15 at 5:34
"the scope of the <Files> directive only applies to that directory" - no it doesn't. It applies to that directory and all subdirectories below it. So <Files "log.txt"> will catch /log.txt and/inscription/log.txt. — MrWhite, Jan 30 at 15:45

Yaşar Xavan · Answer 2 · 2014-03-07 13:38:32Z

Strong pattern matching — This is the method that I use here at Perishable Press. Using strong pattern matching, this technique prevents external access to any file containing “.hta”, “.HTA”, or any case-insensitive combination thereof. To illustrate, this code will prevent access through any of the following requests:

.htaccess
.HTACCESS
.hTaCcEsS
testFILE.htaccess
filename.HTACCESS
FILEROOT.hTaCcEsS

..etc., etc. Clearly, this method is highly effective at securing your site’s HTAccess files. Further, this technique also includes the fortifying “Satisfy All” directive. Note that this code should be placed in your domain’s root HTAccess file:

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

I get a 500 internal server error when using this code. Any idea why? I'm using Wordpress. — Keryn Gill, Jan 26 '15 at 21:25
Wouldn't it make more sense to just disallow users from accessing dotfiles? Using something like <Files ~"^\..*">. — Time Sheep, Nov 15 '16 at 9:12

MrWhite · Answer 3 · 2017-01-31 20:27:48Z

I don't believe the currently accepted answer is correct. For example, I have the following .htaccess file in the root of a virtual server (apache 2.4):

<Files "reminder.php">
require all denied
require host localhost
require ip 127.0.0.1
require ip xxx.yyy.zzz.aaa
</Files>

This prevents external access to reminder.php which is in a subdirectory. I have a similar .htaccess file on my Apache 2.2 server with the same effect:

<Files "reminder.php">
        Order Deny,Allow
        Deny from all
        Allow from localhost
        Allow from 127.0.0.1
     Allow from xxx.yyy.zzz.aaa
</Files>

I don't know for sure but I suspect it's the attempt to define the subdirectory specifically in the .htaccess file, viz <Files ./inscription/log.txt> which is causing it to fail. It would be simpler to put the .htaccess file in the same directory as log.txt i.e. in the inscription directory and it will work there.

Sebastian Lenartowicz · Answer 4 · 2016-09-21 02:01:18Z

Place below line in your .htaccess and replace file name as your wish

RewriteRule ^(test\.php) - [F,L,NC]

Nicholas English · Answer 5 · 2017-01-25 02:55:43Z

Well you could use the <Directory> tag for example:

<Directory /inscription>
  <Files log.txt>
    Order allow,deny
    Deny from all
  </Files>
</Directory>

Do not use ./ because if you just use / it looks at the root directory of your site.

For a more detailed example visit http://httpd.apache.org/docs/2.2/sections.html

But a <Directory> container is not permitted in .htaccess. In .htaccess, the .htaccess file itself is the "Directory container" (per-directory config file). — MrWhite, Jan 30 at 13:47
Well then you could use the Redirect. Redirect /inscription/log.txt access_denied.html This will redirect the user to access_denied.html if the user goes to inscription/log.txt in the inscription directory. — Nicholas English, Jan 30 at 14:47

You are here

How to deny access to a file in .htaccess

5 Answers 正确答案

来自 https://stackoverflow.com/questions/11728976/how-to-deny-access-to-a-file-in-htaccess

友情链接

搜索表单

用户登录

You are here

How to deny access to a file in .htaccess

5 Answers 正确答案

来自 https://stackoverflow.com/questions/11728976/how-to-deny-access-to-a-file-in-htaccess

友情链接