Jörg Steinhauer
Jörg Steinhauer

Reputation: 147

Deny for all php files, but allow specific folder with php files

I want to deny access to all PHP files in all subfolders, but allow access to all PHP files in a specific subfolder (e.g. test).

I tried a lot, but cannot find any solution.

Here is the whole htaccess file

<filesmatch \.(php|phtml)$>
    deny from all
</filesmatch>
<filesmatch (index.php|install.php)>
    allow from all
</filesMatch>
<ifmodule mod_deflate.c>
    <filesmatch \.(css|js|php|phtml|svg|woff|xml)$>
        setoutputfilter deflate
    </filesmatch>
</ifmodule>
<ifmodule mod_security.c>
    secfilterengine off
    secfilterscanpost off
</ifmodule>
<ifmodule mod_rewrite.c>
    rewriteengine on
    rewritecond %{https} off
    rewritecond %{http_host} ^www\.(.*)$ [nc]
    rewriterule ^(.*)$ http://%1/$1 [r=301,l]
    rewritecond %{https} on
    rewritecond %{http_host} ^www\.(.*)$ [nc]
    rewriterule ^(.*)$ https://%1/$1 [r=301,l]
    rewritecond %{request_filename} !-d
    rewriterule ^(.*)/$ /$1 [r=301,l]
    rewritecond %{request_filename} -f
    rewriterule ^(.*) $1 [l]
    rewritecond %{request_filename} !-d
    rewriterule ^([^.]*)$ ?p=$1 [l]
    rewritecond %{request_filename} !-d
    rewriterule ^([^.]*).([\w]{2})$ ?p=$1&l=$2 [l]
    rewritecond %{request_filename} !-d
    rewriterule ^([^.]*).([\w]{3,})$ ?p=$1&t=$2 [l]
</ifmodule>
<ifmodule mod_headers.c>
    <filesmatch \.(gif|ico|jpg|svg|png|woff)$>
        header set cache-control max-age=2419200
    </filesmatch>
    <filesmatch \.(css|js|swf)$>
        header set cache-control max-age=604800
    </filesmatch>
    <filesmatch \.(phtml|xml)$>
        header set cache-control max-age=600
    </filesmatch>
</ifmodule>
fileetag none

Thanks!

Upvotes: 0

Views: 580

Answers (1)

Alp Yeni
Alp Yeni

Reputation: 38

In a system I coded, I added the following line to the codes, which I only want them to be accessible by those which I want them to access:

defined('AUTH') or die(header('HTTP/1.0 403 Forbidden'));

And for those .php files, if I want them to use/access that particular PHP script, I started them by adding this line onto the top before I include() or require() the files:

define('AUTH', true);

This way, any access attempt to those files that do not have "AUTH" defined in it will get an HTTP 403. This also forbids direct link access. ;) Maybe this solution works for you, too.

Upvotes: 0

Related Questions