拒绝 htaccess 对文件夹和文件的直接访问
场景如下:
- 根文件夹中有一个
index.php文件, - 一些文件包含在
index.php中,这些文件位于includes文件夹中。 - 另外 1 个文件 (
submit.php) 位于用于表单提交操作的根文件夹中。
我想限制用户通过 htaccess 对 includes 文件夹中的文件进行直接访问。也适用于 submit.php。但 include 将适用于 index.php 文件。 例如,如果用户输入 www.domain.com/includes/somepage.php,它将对其进行限制(可能会重定向到错误页面)。
Here is the scenario:
- There is a
index.phpfile in root folder - some files are included in
index.phpwhich are in theincludesfolder. - 1 other file (
submit.php) is in the root folder for form submit action.
I want to restrict direct user access to the files in includes folder by htaccess. also for submit.php. But include will work for index.php file.
Like, if user types www.domain.com/includes/somepage.php, it will restrict it (may be redirect to a error page).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(8)
我只是将
includes文件夹移出 Web 根目录,但如果您想阻止直接访问整个includes文件夹,您可以将.该文件夹中的 htaccess文件仅包含:这样您就无法从该文件夹中打开任何文件,但您可以将它们包含在 php 中而不会出现任何问题。
I would just move the
includesfolder out of the web-root, but if you want to block direct access to the wholeincludesfolder, you can put a.htaccessfile in that folder that contains just:That way you cannot open any file from that folder, but you can include them in php without any problems.
这是纯粹基于 mod_rewrite 的解决方案:
如果 URI 包含
/includes/或/submit.php,这将显示禁止使用的错误This is pure
mod_rewritebased solution:This will show forbidden error to use if URI contains either
/includes/or/submit.php可以使用 Files 指令并禁止访问所有文件,然后再次使用它来设置可访问的文件:
It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:
1 基于 mod_alias 的衬垫解决方案:
这将显示 /folder/file.php 的禁止错误
1 liner mod_alias based solution :
This will show forbidden error for /folder/file.php
如果我理解正确的话,您只是想拒绝访问包含文件夹?
在包含文件夹中放置带有“DENY FROM ALL”指令的 .htaccess 即可解决问题。
If I understand correctly you just want to deny access to the includes folder?
An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.
根据在更高级别设置的可能的其他选项,您可能需要将以下内容放入包含目录中的 .htaccess 文件中:
当上层目录定义基本身份验证时,我遇到了这个问题,包括行:
这阻止了我的拒绝由于用户已通过身份验证,因此生效。
Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:
I ran into this when the upper directory defined basic authentication including the line:
This was preventing my deny from all to take effect because the users were authenticated.
你的 Q 分为两部分,jeroen 和 anubhava 的解决方案都适用于第一部分——拒绝访问 /includes。 anubhava 的作品也适用于第二部分。我更喜欢后者,因为无论如何我都使用
DOCROOT/.htaccess并且这将所有此类控制保留在一个文件中。然而我想讨论的是“拒绝访问
submit.php”的概念。如果您不想使用submit.php那为什么要把它放在 DOCROOT 中呢?我怀疑这里的答案是您在某些表单中将其用作操作目标,并且只希望在提交表单时而不是直接(例如从垃圾邮件机器人)提交表单时触发它。如果这是真的,那么你就不能使用 anubhava 的第二部分,因为这会导致你的表格失败。
您在这里可以做的是 (i) 使用
.htaccess检查以确保引荐来源网址是您自己的索引页面:以及 (ii) 在 PHP index.php 表单生成器中包含一些隐藏字段时间戳和验证。例如,验证可以是时间戳 MD5 的前 10 个字符和一些内部秘密。在处理提交时,您可以 (i) 验证时间戳和验证是否匹配,以及 (ii) 时间戳在当前时间的 15 分钟内。
这样您就可以防止垃圾邮件发送,因为垃圾邮件发送者获得有效时间戳/验证对的唯一实用方法是解析表单,但这种抓取的寿命只有 15 分钟。
Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a
DOCROOT/.htaccessanyway and this keeps all such control in one file.However what I wanted t discuss is the concept of "denying access to
submit.php". If you don't want to usesubmit.phpthen why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.If this is true then you can't use anubhava's part II as this will cause your form to fail.
What you can do here is (i) with the
.htaccesscheck to ensure that the referrer was your own index page:And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.
This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.
您可以将以下命令添加到
.htaccess文件中,以防未经授权的访问,它将显示“nothing is here”消息。
如果您想通过错误代码重定向到某个页面,那么您可以定义一个命令,如下所示:
它将重定向到
/errors/404.html并显示自定义页面未找到屏幕。You can add the below command to
.htaccessfileIt will display the "nothing is here" message in case of the unauthorised access.
If you want to redirect by an error code to a certain page then you can define a command as follows:
It will redirect to the
/errors/404.htmland show the custom page not found screen.