
I’m going mad over Apache .htaccess

I’m trying to set my subfolders as protected using a relative address, but it seems impossible.

The path of Apache folder is structured like this:

/var/www/apachedir

now I want to protect

/var/www/apachedir/subfolder/*

What I tried is putting in /var/www/apachedir/ an .htaccess file like this

<FilesMatch "subfolder/.*">
    Order Allow,Deny
    Deny from all
</FilesMatch>

but it does not seem to be working.

I don’t want to use ModRewrite and I want to make this .htaccess reusable.

So, listen, if I put the site on another server that has a directory structure like /var/www/zzz it has to protect files in /var/www/zzz/subfolder/*.

Also the file .htaccess has to stay in the root folder /var/www/apachedir.

Is there a way to do it?

Edit:
I don’t want to use ModRewrite but also I don’t want to use Redirectmatch.

I want to know if there’s a way to set it up with FilesMatch without ModRewrite or Redirectmatch.

2 Answers


  1. I don’t want to use ModRewrite.

    You can use RedirectMatch to block access to a known path:

    Redirectmatch 403 ^/subfolder/
    
  2. I want to know if there’s a way to set it up with FilesMatch

    No, because the FilesMatch (and the non-regex Files) directive(s) literally match against files only, not directories. eg. <Files "*.jpg"> matches all .jpg files in any subdirectory.

    There are various methods to block access to that subdirectory…

    Use a <Directory> section in the server config

    If you have access to the server (virtual host) config then you can use the <Directory> (and <DirectoryMatch>) directive(s) to target specific directories. But this is not permitted in .htaccess. For example:

    <Directory "/var/www/apachedir/subfolder">
        Require all denied
    </Directory>
    

    Create an additional .htaccess file in that subdirectory

    The equivalent userland .htaccess way of doing this is to create an additional .htaccess file in that subdirectory (ie. at /subfolder/.htaccess) with a single Require all denied directive. The .htaccess file itself is equivalent to the <Directory> directive in the server config.

    Aside: Order, Deny and Allow are Apache 2.2 directives and formerly deprecated on Apache 2.4 (which you are far more likely to be using). You should be using the equivalent Require (mod_authz_core) directives instead, as used above.

    Use Redirect 403 (mod_alias) – not a "redirect"

    I don’t want to use ModRewrite but also I don’t want to use Redirectmatch

    RedirectMatch (and Redirect) are part of mod_alias – this is a base module and compiled into Apache by default (unlike mod_rewrite), so using the prefix-matching Redirect directive (no need for the regex variant RedirectMatch) is a reasonable solution as @anubhava suggests in his answer, depending on the scenario and existing directives. For example:

    Redirect 403 /subfolder/
    

    Despite the use of the Redirect directive, this is not an external (HTTP) redirect. The 403 response is served via an internal subrequest.

    Set an environment variable and check with mod_authz_….

    Alternatively, you can set an environment variable when the /subfolder is requested (using SetEnvIf) and check for this using the Require directive. This allows you to keep the condition separate from the directives that actually permit access. For example (using Apache 2.4 mod_authz_core):

    SetEnvIf Request_URI "^/subfolder/" BLOCK_ACCESS
    <RequireAll>
        Require all granted
        Require not env BLOCK_ACCESS
    </RequireAll>
    

    NB: If you are doing any URL-rewriting with mod_rewrite then you might need to check for REDIRECT_BLOCK_ACCESS instead in the above Require directive.

    <If> expression (Apache 2.4)

    On Apache 2.4 you can also use an <If> expression to target that specific subfolder with a containing mod_authz_core directive. For example:

    <If "%{REQUEST_URI} =~ m#^/subfolder/#">
        Require all denied
    </If>
    

    Although, strictly speaking, these methods target the URL-path, not the file-path.

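Added example (not part of either answer, and not Apache's own code): a simplified Python model of why the `<FilesMatch "subfolder/.*">` block from the question never applies while the URL-path rules from the answers do, and why those rules give the same result under either document root. The matching model, the function names and the sample requests are assumptions made for illustration.

```python
import posixpath
import re

# Simplified model for illustration (an assumption, not Apache source code):
# <FilesMatch> tests its regex against the last path component of the file
# being served; RedirectMatch, SetEnvIf Request_URI and <If> test the URL-path.
FILESMATCH_RE = re.compile(r"subfolder/.*")  # pattern from the question
URLPATH_RE = re.compile(r"^/subfolder/")     # pattern from the answers

# Constructed sample requests.
SAMPLE_URLS = [
    "/subfolder/secret.txt",
    "/subfolder/deep/notes.txt",
    "/index.html",
    "/other/subfolder/x.txt",
]


def filesmatch_applies(file_path):
    """True if the question's <FilesMatch> block would cover this file."""
    return FILESMATCH_RE.search(posixpath.basename(file_path)) is not None


def urlpath_rule_applies(url_path):
    """True if a rule keyed on ^/subfolder/ would deny this request."""
    return URLPATH_RE.search(url_path) is not None


def compare(doc_root, urls=SAMPLE_URLS):
    """Return (url, filesmatch_hit, urlpath_hit) for each requested URL."""
    rows = []
    for url in urls:
        file_path = doc_root.rstrip("/") + url  # plain DocumentRoot mapping
        rows.append((url, filesmatch_applies(file_path), urlpath_rule_applies(url)))
    return rows


if __name__ == "__main__":
    for root in ("/var/www/apachedir", "/var/www/zzz"):
        print(root)
        for url, fm, up in compare(root):
            print(f"  {url:28} FilesMatch={fm!s:5} URL-path rule={up}")
```

The last sample request is not covered by the anchored URL-path pattern, which illustrates the closing caveat of the second answer: these rules follow the URL-path, not the location of the files on disk.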