[Resolved] Question about restricting access using .htaccess

bunner_bob

I'm trying to prevent users from reading any of my scripts, which live in their own directory, using .htaccess.

My file consists of the following:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName DenyViaWeb
AuthType Basic

<Limit GET>
order allow, deny
deny from all
</Limit>

It works fine, but I get a "500 Internal Server Error" message if I try to access one of the files. Shouldn't I be getting a different message - access denied or something?

I tried without the first four lines with the same result.

Also, wondering if limiting "GET" is all I need to do?

Out of curiosity, what method does PHP use to include files? The Apache manual suggests <LIMIT EXCEPT> is a safer way to go than <LIMIT>, since it restricts everything except specified methods.

Note that I'm not trying to provide password-protected access or anything, just keep people from reading any of the files.

Thanks,
Bob

drawmack

So the files are being included in php pages, or they are images. Just turn directory browsing off and set up a page that will redirect to the main page of the site as an index.

bunner_bob

Not sure if your first line is a question or statement, but the files are php scripts which are included in other pages (or scripts).

I have turned off indexing for the directory (if that's what you mean by directory browsing) but I want to prevent, for example, someone typing in "www.mysite.com/includes/secretscript.php" and being able to actually load that script.

drawmack

You can actually do this in php with a little self test. I have it laying around here somewhere ....[looking].... AHH THERE IT IS

<?php
  $filename = basename(__FILE__);
  if(ereg($filename,$_SERVER['PHP_SELF']))
      header('Location: http&#58;//www.myurl.com');
?>

if you place this code, by itself in a file then you can use .htaccess to prepend this code to all the scripts in the directory you want to protect. Then if someone attempts to directly access them they will be redirected to your main page, but you can still include them in other files.

MarkR

You should not put a space between Allow and Deny in the "Order" directive.

Have a look at the Apache error log to see what its problem is.

Normally you should not use <Limit> as you want to restrict all methods equally. So just remove the limit directive and put the Require and Allow, Deny etc directives in the main part of the .htaccess.

Mark

bunner_bob

Thanks Mark - I ditched the <LIMIT> tags and the extra space and it seems to be behaving properly now - I'm getting "Forbidden" as expected.

Unfortunately can't view the Apache logs - shared hosting environment - but it's working anyway so no sweat.

MarkR

If you JUST want to prevent any access to a given directory, all that is necessary in .htaccess is

Deny From All

It's that simple.

Mark