
Posted on: November 17, 2017

Restrict access to files and folders on a server

Sooner or later everyone doing web development runs into this question. Some files or folders simply must not be readable, or even listable, through a web browser. So we are going to look at how to do that with .htaccess on an Apache server. Additionally, we will send everyone except a few specific IP addresses to a 404 page when they request these files, because by default a denied request gets a 403 Forbidden, which confirms to the visitor that the file exists. Pages that are typically hidden this way are administration pages and pages holding private information.

PART 1 - File restriction and redirection with htaccess

So to restrict access to a file such as admin.php, you open or create a file called .htaccess in the directory that holds it. I'm certain many of you already know this, but for those who do not: it is a hidden file (the name starts with a dot), so enable showing hidden files in your editor or file manager before creating a new one, or you may end up with two. Let's say we want to hide the admin login and logout from everyone but our home IP address XXX.XXX.XXX.XXX.


# Example from previous login script with two files.
# Order/Deny/Allow are the Apache 2.2 access-control directives; in 2.4 they
# come from mod_access_compat and the native form is Require (see Part 2).
# The pattern below is unanchored: it matches any file name that contains
# admin.php or logout.php, e.g. admin.php.bak as well. To match exactly these
# two files use "^(admin|logout)\.php$".

<FilesMatch "admin\.php|logout\.php">
	# Deny rules are evaluated first, then Allow; the Allow wins for our IP.
	Order Deny,Allow
	Deny from all
	Allow from XXX.XXX.XXX.XXX
</FilesMatch>

That's basically it. You may add as many files as you want to the FilesMatch pattern, and allow as many IP addresses as you like. An IP without access will, however, get a 403 Forbidden error, which tells the visitor that the file is there. To show a 404 instead, first create a 404.php or 404.html file and point the 403 error at it with ErrorDocument. Naturally, the real 404 error should point at the same file so that the two cases look identical; we do both in this example. One caveat: ErrorDocument with a local path substitutes the response body, not necessarily the status code. A static 404.html served for a 403 still goes out with status 403, which curl -I from a denied address will show. If the status you see is not 404, set it explicitly at the top of 404.php with http_response_code(404).


# Combined code

# Serve 404.php for genuine 404s and for denied (403) requests alike.
# ErrorDocument in .htaccess needs AllowOverride FileInfo in the server config.
ErrorDocument 404 /404.php
ErrorDocument 403 /404.php

<FilesMatch "admin\.php|logout\.php">
	Order Deny,Allow
	Deny from all
	Allow from XXX.XXX.XXX.XXX
</FilesMatch>
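The same .htaccess written in Apache 2.4 syntax, as an added example that is not part of the original post. Order, Deny and Allow come from mod_access_compat, which is deprecated in 2.4 and may not be loaded at all; Require ip is the native form, and RequireAny combines several sources. The 10.0.0.0/8 range is a placeholder standing in for a second allowed network, and the XXX address is the post's placeholder.

```apache
# Added example: Part 1 restriction in Apache 2.4 syntax (not the post's file).
# The directory holding this .htaccess needs AllowOverride AuthConfig FileInfo:
# AuthConfig for Require, FileInfo for ErrorDocument.

ErrorDocument 404 /404.php
ErrorDocument 403 /404.php

# Anchored pattern: only admin.php and logout.php themselves match,
# not names such as myadmin.php or admin.php.bak.
<FilesMatch "^(admin|logout)\.php$">
	# A client passes if any one of the listed sources matches.
	<RequireAny>
		Require ip XXX.XXX.XXX.XXX
		# Assumed second source: a whole network in CIDR notation.
		Require ip 10.0.0.0/8
	</RequireAny>
</FilesMatch>
```

Check which access module your server actually has with apache2ctl -M (or httpd -M) and look for authz_core_module and access_compat_module; if only the former is listed, the Order/Deny/Allow version will fail with a configuration error rather than silently allow access. Apache comments must sit on their own lines, as above; a # after a directive is a syntax error.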

This should now be working like a charm, but what about directories, and the directory listing that many default configurations enable (the Debian block in Part 2 carries Options Indexes)? With listing on, anyone who knows what to look for can browse folder contents, especially folders like images or the plugin and upload folders of open source environments such as WordPress. To switch listing off, add the following line to .htaccess (it needs AllowOverride Options in the server config):


Options -Indexes

PART 2 - Folder restriction with config file

To restrict access to an entire directory, however, you need a Directory section, and that is not allowed in .htaccess: it has to go into the server configuration. On Debian and Ubuntu that is the apache2.conf file in /etc/apache2/ (or, more cleanly, the site's own file in /etc/apache2/sites-available/); elsewhere it may be httpd.conf. It all depends on how the server is set up. You may even find that you cannot alter any of these files, especially on a shared hosting package. Some services provide an alternative, others do not, so do your research before committing to one. Anyway, I'm going to show you how to restrict access to folders when you do have access to those files. After every change, run apachectl configtest and reload Apache. Inside apache2.conf or httpd.conf there will be a few sections like this one:


# Debian/Ubuntu default for the document root
<Directory /var/www/>
	# Directory listing on, symlinks followed
	Options Indexes FollowSymLinks
	# .htaccess files under /var/www/ are ignored with this setting
	AllowOverride None
	# Everyone may read
	Require all granted
</Directory>

It tells us that everyone is granted access to the /var/www/ folder (Require all granted), that directory listings are enabled (Indexes) and that Apache follows a symlink inside it (FollowSymLinks). Note the AllowOverride None: with it, .htaccess files under /var/www/ are ignored entirely, so the Part 1 approach only works where AllowOverride permits it (at least Limit for Order/Allow/Deny, AuthConfig for Require, FileInfo for ErrorDocument and Options for Options). Now let's say we have a folder called private in /var/www/html/ and we want to restrict it to a specific IP. We would add this to the file; a section for a more specific path is merged on top of the one for its parent:


<Directory /var/www/html/private/>
	Options Indexes FollowSymLinks
	AllowOverride None
	# Only this address may read anything in private/; everyone else gets 403
	Require ip XXX.XXX.XXX.XXX
</Directory>

That's it, simple enough. But let's say that while we keep the folder restricted, we want to lift the restriction for one specific file in it, public.php in our example.


<Directory /var/www/html/private/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require ip XXX.XXX.XXX.XXX
	# Files sections are merged after Directory sections, and with the default
	# AuthMerging Off this Require replaces the one above for public.php only
	<FilesMatch "public\.php">
		Require all granted
	</FilesMatch>
</Directory>
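A complete virtual host fragment tying the Part 2 pieces together, as an added example and not the post's own configuration. It also sets the AllowOverride value that the Part 1 .htaccess needs, since the default AllowOverride None would make that file a no-op. The host name, the paths, the file name of the vhost and the XXX address are assumed.

```apache
# Added example, e.g. /etc/apache2/sites-available/example.conf (assumed name).
<VirtualHost *:80>
	ServerName example.test
	DocumentRoot /var/www/html

	# Serve the 404 page for real 404s and for denied (403) requests alike.
	ErrorDocument 403 /404.php
	ErrorDocument 404 /404.php

	<Directory /var/www/html>
		# No directory listings anywhere under the document root.
		Options -Indexes +FollowSymLinks
		# Let a .htaccess here use Require (AuthConfig) and ErrorDocument
		# (FileInfo). AllowOverride None would ignore .htaccess completely.
		AllowOverride AuthConfig FileInfo
		Require all granted
	</Directory>

	<Directory /var/www/html/private>
		# Only this address reaches anything in private/ ...
		Require ip XXX.XXX.XXX.XXX
		# ... except public.php: Files sections merge after Directory
		# sections, and with AuthMerging Off (the default) this Require
		# replaces the one above for that file instead of combining with it.
		<FilesMatch "^public\.php$">
			Require all granted
		</FilesMatch>
	</Directory>
</VirtualHost>
```

Enable it, validate and reload: a2ensite example, apachectl configtest, then systemctl reload apache2. Then verify from a host that is not the allowed address with curl -s -o /dev/null -w '%{http_code}\n' http://example.test/private/secret.php: the expected code is 403 (or 404 if 404.php sets it), while /private/public.php must return 200. Running the same check from the allowed address confirms you have not locked yourself out.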
