Are you sure, you want to do that? Even css and js files and images and ...?

您确定要这样做吗？甚至 css 和 js 文件和图像和...？

OK, first check if mod_access in installed to apache, then add the following to your .htaccess:

好的，首先检查是否在 apache 中安装了 mod_access，然后将以下内容添加到您的 .htaccess 中：

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

<Files /index.php>
    Order Allow,Deny
    Allow from all
</Files>

The first directive forbids access to any files except from localhost, because of Order Deny,Allow, Allow gets applied later, the second directive only affects index.php.

第一个指令禁止访问除本地主机以外的任何文件，因为Order Deny,Allow, Allow 稍后应用，第二个指令仅影响 index.php。

Caveat: No space after the comma in the Order line.

警告：订单行中逗号后没有空格。

To allow access to files matching *.css or *.js use this directive:

要允许访问匹配 *.css 或 *.js 的文件，请使用以下指令：

<FilesMatch ".*\.(css|js)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

You cannot use directives for <Location>or <Directory>inside .htaccess files, though.

但是，您不能在 .htaccess 文件中<Location>或<Directory>在 .htaccess 文件中使用指令。

Your option would be to use <FilesMatch ".*\.php$">around the first allow,deny group and then explicitely allow access to index.php.

您的选择是<FilesMatch ".*\.php$">围绕第一个允许，拒绝组使用，然后明确允许访问 index.php。

Update for Apache 2.4:This answer is correct for Apache 2.2. In Apache 2.4 the access control paradigmhas changed, and the correct syntax is to use Require all denied.

Apache 2.4 更新：此答案适用于 Apache 2.2。在 Apache 2.4 中，访问控制范式发生了变化，正确的语法是使用Require all denied.

Actually, I came here with the same question as the creator of the topic, but none of the solutions given were a complete answer to my problem. Why adding a code to ALL the files on your server when you could simply configure it once ? The closest one was Residuum's one, but still, he was excluding ALL files, when I wanted to exclude only php files that weren't named index.php.

实际上，我带着与主题创建者相同的问题来到这里，但给出的解决方案都不是我问题的完整答案。当您只需配置一次代码时，为什么还要向服务器上的所有文件添加代码？最接近的是 Residuum 的那个，但是，当我只想排除没有命名为 index.php 的 php 文件时，他仍然排除了所有文件。

So I came up with a .htaccess containing this :

所以我想出了一个包含这个的 .htaccess ：

<Files *.php>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Files>

<Files index.php>
    Order Allow,Deny
    Allow from all
</Files>

(Remember, htaccess files are working recursively, so it suits perfectly the prerequisite of the question.)

（请记住，htaccess 文件以递归方式工作，因此它非常适合问题的先决条件。）

And here we go. The only php files that will be accessible for an user will be the ones named index.php. But you can still acces to every image, css stylesheet, js script, etc.

现在我们开始。用户可以访问的唯一 php 文件是名为 index.php 的文件。但是您仍然可以访问每个图像、css 样式表、js 脚本等。

An oblique answer to the question is to write all the code as classes, apart from the index.php files, which are then the only points of entry. PHP files that contain classes will not cause anything to happen, even if they are invoked directly through Apache.

这个问题的一个间接答案是将所有代码编写为类，除了 index.php 文件，然后它们是唯一的入口点。包含类的 PHP 文件不会导致任何事情发生，即使它们是通过 Apache 直接调用的。

A direct answer is to include the following in .htaccess:

一个直接的答案是在 .htaccess 中包含以下内容：

<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
<FilesMatch "index[0-9]?\.php$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

This will allow any file like index.php, index2.php etc to be accessed, but will refuse access of any kind to other .php files. It will not affect other file types.

这将允许访问任何文件，如 index.php、index2.php 等，但将拒绝对其他 .php 文件的任何类型的访问。它不会影响其他文件类型。

You can try defining a constant in index.phpand add something like

您可以尝试在其中定义一个常量index.php并添加类似的内容

if (!defined("YOUR_CONSTANT")) die('No direct access');

to the beginning of the other files.

到其他文件的开头。

OR, you can use mod_rewriteand redirect requests to index.php, editing .htaccesslike this:

或者，您可以使用mod_rewrite并将请求重定向到 index.php，编辑.htaccess如下：

RewriteEngine on
RewriteCond  !^(index\.php)
RewriteRule ^(.*)$ /index.php/ [L,R=301]

Then you should be able to analyze all incoming requests in the index.php and take according actions.

然后您应该能够分析 index.php 中的所有传入请求并采取相应的措施。

If you want to leave out all *.jpg, *.gif, *.css and *.png files, for example, then you should edit second line like this:

例如，如果您想省略所有 *.jpg、*.gif、*.css 和 *.png 文件，那么您应该像这样编辑第二行：

RewriteCond  !^(index\.php|*\.jpg|*\.gif|*\.css|*\.png)

How about keeping all .php-files except for index.php above the web root? No need for any rewrite rules or programmatic kludges.

如何将除 index.php 之外的所有 .php 文件保留在 Web 根目录之上？不需要任何重写规则或程序化的kludges。

Adding the includes-folder to your include path will then help to keep things simple, no need to use absolute paths etc.

将包含文件夹添加到包含路径将有助于保持简单，无需使用绝对路径等。

URL rewriting could be used to map a URL to .php files. The following rules can identify whether a .php request was made directly or it was re-written. It forbids the request in the first case:

URL 重写可用于将 URL 映射到 .php 文件。以下规则可以识别 .php 请求是直接发出的还是重写的。它禁止第一种情况下的请求：

RewriteEngine On
RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.php[?\ ]
RewriteRule \.php$ - [F]
RewriteRule test index.php

These rules will forbid all requests that end with .php. However, URLs such as /(which fires index.php), /test(which rewrites to index.php) and /test?f=index.php(which contains index.php in querystring) are still allowed.

这些规则将禁止所有以.php. 但是，仍然允许使用/（触发 index.php）、/test（重写为 index.php）和/test?f=index.php（在查询字符串中包含 index.php）等 URL。

THE_REQUESTcontains the full HTTP request line sent by the browser to the server (e.g., GET /index.php?foo=bar HTTP/1.1)

THE_REQUEST包含浏览器发送到服务器的完整 HTTP 请求行（例如，GET /index.php?foo=bar HTTP/1.1）

Instead of passing a variable around I do this which is self-containedat the top of any page you don't want direct access to, this should still be paired with .htaccess rules but I feel safer knowing there is a fail-safe if htaccess ever gets messes up.

而不是传递一个变量，我这样做是在你不想直接访问的任何页面的顶部自包含的，这仍然应该与 .htaccess 规则配对，但我觉得更安全，知道有故障安全，如果htaccess 总是搞砸。

<?php
// Security check: Deny direct file access; must be loaded through index
if (count(get_included_files()) == 1) {
    header("Location: index.php"); // Send to index
    die("403"); // Must include to stop PHP from continuing
}
?>

An easy solution is to rename all non-index.php files to .inc, then deny access to *.inc files. I use this in a lot of my projects and it works perfectly fine.

一个简单的解决方案是将所有非 index.php 文件重命名为 .inc，然后拒绝访问 *.inc 文件。我在很多项目中都使用了它，而且效果很好。

With Apache 2.4, the syntax for access control has changed. If using directives like:

在 Apache 2.4 中，访问控制的语法发生了变化。如果使用如下指令：

Order deny,allow
Deny from all

does not work, you're likely using Apache 2.4.

不起作用，您可能使用的是 Apache 2.4。

The Apache 2.4 docs are here.

在Apache的2.4文档是在这里。

You need to use Require all deniedin one of these ways:

您需要以下列Require all denied方式之一使用：

# you can do it this way (with "not match")

<FilesMatch ^((?!index\.php).)*$>
  Require all denied
</FilesMatch>

# or 

Require all denied

<Files index.php>
  Require all granted
</Files>

place all files in one folder. place a .htaccess file in that folder and give it the value deny all. then in index.php thats placed outside of the folder have it echo out the right pages based on user input or event

将所有文件放在一个文件夹中。在该文件夹中放置一个 .htaccess 文件，并为其指定值拒绝全部。然后在放在文件夹外的 index.php 中让它根据用户输入或事件回显正确的页面