Apache Deny access to files or extensions

How to forbid visitors to read files from a directory?

Forbidding all files:

deny from all

Allow access from a certain IP address:

order allow deny<br></br>
deny from all<br></br>
allow from <your_IP>```

In this case, <your_IP> stands for a specific address. For example:

order allow deny


deny from all


allow from 192.126.12.199```

Forbid access from a certain IP address:

order allow deny<br></br>
deny from all<br></br>
deny from <your_IP>```

Using <your_IP> is similar to the example above.

[]()Forbidding a group of files by mask:

<Files ~ ".(inc|sql|...other_extensions...)$">


order allow,deny


deny from all


```

Defines access to a file by its extension. For example, forbidding web visitors to access files with the “inc” extension:

<Files ~ "\.(inc)$"><br></br>
order allow,deny<br></br>
deny from all<br></br>
</Files>```

In this example the Apache server can access files with this extension.

[]()Forbidding a particular file:

You can forbid a particular file using its name and extension.




order allow,deny


deny from all


```

This example forbids the file config.inc.php to be accessed.

**Setting a password **

Password for a directory:

AuthName "Private zone"<br></br>
AuthType Basic<br></br>
AuthUserFile /pub/home/your_login/.htpasswd<br></br>
require valid-user```

`AuthName` will be displayed for the user and can be used to explain authentication request. The value of `AuthUserFile` defines the location where the file with passwords for accessing this directory is stored. This file is created by a special tool named htpasswd.exe or more convenient and flexible program [Htpasswd Generator](http://www.htpasswdgenerator.com/index.html).

For example, we create the following .htaccess file in the protected directory:

AuthName "For Registered Users Only"


AuthType Basic


AuthUserFile /pub/site.com/.htpasswd


require valid-user```

In this example, the user requesting this directory will read the message “For Registered Users Only”, the file with passwords for access must be stored in the directory /pub/site.com/ and it must be named .htpasswd . The directory is specified from the server root. If you specify the directory incorrectly, Apache will not be able to read the .htpasswd file and nobody will get access to this directory.

Password for one file only:

Similar to protecting a whole directory with a password, you can set a password for one file only. An example of setting a password to the file private.zip:

<Files private.zip><br></br>
AuthName "Users zone"<br></br>
AuthType Basic<br></br>
AuthUserFile /pub/home/your_login/.htpasswd<br></br>
</Files>```

[]()Password for a group of files:

Similarly, you can use `<Files ~ "\.(inc|sql|...other_extensions...)$">` to set password for files by mask. An example of setting a password for accessing all files with the “sql” extension:

<Files ~ ".(sql)$">


AuthName "Users zone"


AuthType Basic


AuthUserFile /pub/home/your_login/.htpasswd


```

Checking access rights

Task: there is a directory named a1 containing two subdirectories (a2, a3), there are two access levels for users. The first group can access only a1 and a2, the second group can access all three directories. You should perform authentication only once – when accessing a1, but observe access rights for а2 and а3.
The username and password are requested only once while accessing а1 – if the user has access to а2, the password it not requested again. If the user has no access to а3, he will see the message “Enter the password”.

www.site.com/a1
www.site.com/a1/а2
www.site.com/a1/a3

a1 – common and protected at the same time
а2 and а3 only for certain users.

The .htaccess file for the directory а1:

AuthName "Input password"<br></br>
AuthType Basic<br></br>
AuthUserFile "/pub/home/your_login/htdocs/closearea/.htpasswd"<br></br>
<Files *.*><br></br>
require valid-user<br></br>
</Files>```

The .htaccess file for the directory а2:

AuthName "Input password"


AuthType Basic


AuthUserFile "/pub/home/your_login/htdocs/closearea/.htpasswd"


<Files .>


require user user1 user2 user3


</Files .>```

The .htaccess file for the directory а3:

AuthName "Input password"<br></br>
AuthType Basic<br></br>
AuthUserFile "/pub/home/your_login/htdocs/closearea/.htpasswd"<br></br>
<Files *.*><br></br>
require user user1 user4 user5<br></br>
</Files *.*>```

**How to redirect a visitor?**

[]()Redirecting to another URL:

To redirect a visitor to http://site.com, add the following to .htaccess

`Redirect / http://www.site.com`

[]()Displaying different pages depending on the visitor’s IP address:

SetEnvIf REMOTE_ADDR <required_IP> REDIR="redir"


RewriteCond %{REDIR} redir


RewriteRule ^/$ /another_page.html```

For example, redirecting visitors with IP 192.12.131.1 to the page about_my_site.html:

SetEnvIf REMOTE_ADDR 192.12.131.1 REDIR="redir"<br></br>
RewriteCond %{REDIR} redir<br></br>
RewriteRule ^/$ /about_my_site.html```

[]()Redirecting a visitor when he request certain pages:

It is already for all network viruses and scanners. Now any request with the address /_vti_bin will be automatically redirected to Microsoft:

redirect /_vti_bin http://www.microsoft.com


redirect /scripts http://www.microsoft.com


redirect /MSADC http://www.microsoft.com


redirect /c http://www.microsoft.com


redirect /d http://www.microsoft.com


redirect /_mem_bin http://www.microsoft.com


redirect /msadc http://www.microsoft.com


RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1```

How to change the default page?

To change the page that will be displayed when a visitor access a directory, write:

DirectoryIndex <necessary page>

It is possible to specify several pages:

DirectoryIndex index.shtml index.php index.php3 index.html index.htm

How to make Apache process SSI directives?

SSI allows you to “assemble” a page using its parts. You have the code of the menu in one part, the code of the header in another part and the footer in a third part. And the visitor sees a usual page consisting of the code stored in your parts.

Some settings in httpd.conf are required.

Add Includes to the Options directive in the block starting with <Directory/> and ending with </Directory>.

After that add the following to the .htaccess file:

AddHandler server-parsed .shtml .shtm .html .htm

If you want to use some kind of GUI for managing Apache server and do all these manipulations easily (using the special wizards and managers) then we advise you to use the program ApacheConf

How to process Apache errors yourself?

The most interesting and useful Apache errors are 403-404, 500.

403 – the user has not been authenticated, access denied (Forbidden).
404 – the requested document (file, directory) is not found.
500 – internal server error (for example, an error in the syntax of the .htaccess file).

For the user to see your own error messages for these error, add the following to .htaccess:

ErrorDocument 403 /errors/403.html<br></br>
ErrorDocument 404 /errors/404.html<br></br>
ErrorDocument 500 /errors/500.html```

If error 404 occurs, the user receives the file errors/403.html.

It is convenient to create your own handler for some errors. Add the following to .htaccess:

ErrorDocument 403 /errors/error.php?403


ErrorDocument 404 /errors/error.php?404


ErrorDocument 500 /errors/error.php?500```

Determine the document that caused error in error.php using $HTTP_SERVER_VARS[‘REQUEST_URI’] and process it then. If .htaccess contains the file with the full path for ErrorDocument (http://site.com/error.php), $HTTP_SERVER_VARS[‘REQUEST_URI’] will contain this file instead of the one that caused the error.

Internet Explorer 5.0 incorrectly processes the error file if it is smaller than 1 kilobyte. It opens the standard IE 404 page.

How to forbid the contents of a directory to be displayed if it has no index file?

Suppose all graphics used on your site is stored in the ‘img’ directory. A visitor can type the address of this directory in his browser and see the list of all your image files. Of course, it will not cause any damage, but you might forbid the visitor to view this directory as well. Add the following to .htaccess:

Options -Indexes