php 拒绝通过 htaccess 直接访问文件夹和文件
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9282124/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
deny direct access to a folder and file by htaccess
提问by Imrul.H
Here is the scenario:
这是场景:
- There is a
index.phpfile in root folder - some files are included in
index.phpwhich are in theincludesfolder. - 1 other file (
submit.php) is in the root folder for form submit action.
index.php根文件夹中有一个文件- 一些文件包含在
index.php其中是在includes文件夹中。 - 1 个其他文件 (
submit.php) 位于表单提交操作的根文件夹中。
I want to restrict direct user access to the files in includesfolder by htaccess. also for submit.php. But include will work for index.phpfile.
Like, if user types www.domain.com/includes/somepage.php, it will restrict it (may be redirect to a error page).
我想限制用户includes通过 htaccess直接访问文件夹中的文件。也为submit.php。但包含将适用于index.php文件。就像,如果用户输入www.domain.com/includes/somepage.php,它会限制它(可能会重定向到错误页面)。
回答by jeroen
I would just move the includesfolder out of the web-root, but if you want to block direct access to the whole includesfolder, you can put a .htaccessfile in that folder that contains just:
我只是将includes文件夹移出 web 根目录,但如果您想阻止对整个includes文件夹的直接访问,您可以.htaccess在该文件夹中放置一个仅包含以下内容的文件:
deny from all
That way you cannot open any file from that folder, but you can include them in php without any problems.
这样您就无法打开该文件夹中的任何文件,但您可以将它们包含在 php 中而不会出现任何问题。
回答by anubhava
This is pure mod_rewritebased solution:
这是纯mod_rewrite基于解决方案:
RewriteRule ^(includes/|submit\.php) - [F,L,NC]
This will show forbidden error to use if URI contains either /includes/or /submit.php
如果 URI 包含/includes/或/submit.php
回答by luke1985
It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:
可以使用 Files 指令并禁止访问所有文件,然后再次使用它来设置可访问的文件:
<Files ~ "^.*">
Deny from all
</Files>
<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
Allow from all
</Files>
回答by starkeen
1 liner mod_alias based solution :
1 个基于 mod_alias 的解决方案:
RedirectMatch 403 ^/folder/file.php$
This will show forbidden error for /folder/file.php
这将显示 /folder/file.php 的禁止错误
回答by mainegreen
If I understand correctly you just want to deny access to the includes folder?
如果我理解正确,您只想拒绝访问包含文件夹?
An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.
一个带有“DENY FROM ALL”指令的 .htaccess 放在包含文件夹中就可以了。
回答by TerryE
Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a DOCROOT/.htaccessanyway and this keeps all such control in one file.
您的 Q 分为两部分,jeroen 和 anubhava 的解决方案都适用于第一部分——拒绝访问 /includes。anubhava 也适用于第二部分。我更喜欢后者,因为我DOCROOT/.htaccess无论如何都使用 a并且这将所有此类控制保存在一个文件中。
However what I wanted t discuss is the concept of "denying access to submit.php". If you don't want to use submit.phpthen why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.
然而,我想讨论的是“拒绝访问submit.php”的概念。如果您不想使用,submit.php那么为什么要在 DOCROOT 中使用它呢?我怀疑这里的答案是您在某些表单中将其用作操作目标,并且只希望在提交表单时触发它,而不是直接触发它,例如来自垃圾邮件机器人。
If this is true then you can't use anubhava's part II as this will cause your form to fail.
What you can do here is (i) with the .htaccesscheck to ensure that the referrer was your own index page:
如果这是真的,那么您不能使用 anubhava 的第二部分,因为这会导致您的表格失败。您在这里可以做的是 (i).htaccess检查以确保引用者是您自己的索引页面:
RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php [NC]
RewriteRule ^submit\.php$ - [F]
And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.
并且 (ii) 在您的 PHP index.php 表单生成器中包含一些用于时间戳和验证的隐藏字段。例如,验证可以是时间戳的 MD5 的前 10 个字符和一些内部秘密。在处理提交时,您可以 (i) 验证时间戳和验证匹配,以及 (ii) 时间戳在当前时间的 15 分钟内。
This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.
这可以防止垃圾邮件,因为垃圾邮件发送者可以获得有效时间戳/验证对的唯一实用方法是解析表单,但这种抓取只有 15 分钟的生命周期。
回答by Keith
Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:
根据在更高级别设置的可能的其他选项,您可能需要将以下内容放入包含目录的 .htaccess 文件中:
Satisfy all
Order deny,allow
Deny from all
I ran into this when the upper directory defined basic authentication including the line:
当上层目录定义包括以下行的基本身份验证时,我遇到了这个问题:
Satisfy any
This was preventing my deny from all to take effect because the users were authenticated.
这阻止了我的拒绝全部生效,因为用户已通过身份验证。
回答by user1324491
You can add the below command to .htaccessfile
您可以将以下命令添加到.htaccess文件中
Deny from all
ErrorDocument 403 "nothing is here"
It will display the "nothing is here" message in case of the unauthorised access.
在未经授权的访问的情况下,它将显示“这里没有任何东西”消息。
If you want to redirect by an error code to a certain page then you can define a command as follows:
如果你想通过错误代码重定向到某个页面,那么你可以定义一个命令如下:
ErrorDocument 404 "/errors/404.html"
It will redirect to the /errors/404.htmland show the custom page not found screen.
它将重定向到/errors/404.html并显示自定义页面未找到屏幕。
