18

It's been a long time since I've needed to crack open an .htaccess file...

What is the simplest way to prevent access (with a 40x response) to a specific file extension throughout the entire site?

Stevko

6 Answers

30
<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Loaded with some common extensions, add more as you need.

Chris Lawlor
13

If you really want a 404 (and not a 403), you can use mod_rewrite:

RewriteEngine on
RewriteRule \.ext$ - [R=404]
Artefacto
  • sorry - 403 is what I should use. I edited the question to say 40x. – Stevko May 18 '10 at 19:36
  • Note that RFC 2616 allows a 404 response when the access to a resource is forbidden (see section 10.4.4). So your original question was valid. – Artefacto May 18 '10 at 20:08
  • 2
    There is also `Redirect 404`, ref: [Requests to .htaccess should return 404 instead of 403](http://stackoverflow.com/a/7945851/367456) and `RedirectMatch 404`, ref: [Make .git directory web inaccessible](http://stackoverflow.com/a/17916515/367456) - just clustering a bit here. – hakre Jan 23 '14 at 09:18
  • Doesn't work for me. `RewriteEngine on` `RewriteRule \.lfpt$ - [R=404]` displays the file. URL rewriting works elsewhere on the site. – Steve Almond Jul 25 '14 at 10:25
  • @SteveAlmond what you wrote (`\.lfpt$`) matches everything that ends with `.lfpt`, if you have a file called `lfpt` it won't match but display it. If your file is called `anythinghere.lfpt` it is matched. `\.` is an escaped `.`. – x13 Oct 09 '15 at 19:26
  • @ThisNameBetterBeAvailable: yeah, I know, and it still doesn't work for me. FWIW, my file is meta/upload.lftp – Steve Almond Oct 13 '15 at 19:00
  • @SteveAlmond `RedirectMatch 404 "/(config\.php|\.htaccess|upload\.lftp)$"` will 404 config.php, .htaccess and upload.lftp. To add more you just use the regexp OR `|` followed by the expression which matches all pages you want to 404 – x13 Oct 14 '15 at 07:46
5
<FilesMatch "\.ext$">
    Deny from all
</FilesMatch>

See the Apache documentation on FilesMatch and Deny

EDIT: Artefacto makes a good point, this will return 403, not 404, if that's important for your purposes

Michael Mrozek
2

You can also deny access to file extensions using RedirectMatch directive :

RedirectMatch 403 ^/.+\.(php|html|gif)$

This will return a 403 Forbidden error to clients if they request any URI that ends with .php, .html or .gif. You can add more extensions to the pattern using a pipe `|`.

Amit Verma
1

I like both @Chris Lawlor's and @starkeen's answers and since OP asked about "40x" I'm going to suggest redirecting to a 404 error since it doesn't give away the fact the files exist.

This is what I'm currently using in one of my projects:

# Hide files not concerning the user
RedirectMatch 404 \.(htaccess|htpasswd|ini|log|sh|inc|bak|bkp|sql)$
Dário
1

@Dário has the right idea for File Types, and it can also be used for specific files and directories as well. The only thing that is missing is to manage case sensitivity.

I came across this article that gives some detail about case-sensitive RedirectMatch, and also suggests making the match case-insensitive.

When it comes to redirecting most requests, it's all lowercase anyway. Or you can use RewriteRule to establish case-insensitivity. But for some situations, it's good to know that you can also roll with RedirectMatch by simply adding the (?i) to the rule.

RedirectMatch 403 /\$\&
RedirectMatch 403 (?i)/\.(bash|git|hg|log|svn|swp|tar)
RedirectMatch 403 (?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup).php
RedirectMatch 403 (?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$
RedirectMatch 403 (?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|userfiles)
arobson13
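The answers above mix Apache 2.2 access-control syntax (Order/Deny, which Apache 2.4 only accepts with mod_access_compat loaded) with URL-based redirects, and only the last one addresses letter case. The .htaccess below is an added example written for this edit, not code from any of the answers: it restates Chris Lawlor's FilesMatch block and the RedirectMatch/RewriteRule variants in Apache 2.4 syntax, made case-insensitive the way arobson13 suggests. The extension lists and the AllowOverride settings mentioned in the comments are assumptions about a typical setup, not facts from the page.

```apache
# Added example (not from any of the answers above): Apache 2.4 syntax for
# blocking sensitive files site-wide. Assumes AllowOverride grants AuthConfig
# (needed for Require) and FileInfo (needed for RedirectMatch and RewriteRule)
# in this directory; the extension lists below are illustrative.

# 1. 403 by filename. FilesMatch tests the file the URL maps to, so it covers
#    every subdirectory and every URL spelling that still resolves to the file.
#    (?i:...) makes the group case-insensitive: on a case-insensitive filesystem
#    (Windows, default macOS) backup.BAK and backup.bak are the same file, so a
#    case-sensitive pattern lets the upper-case request through.
#    Apache 2.2 wrote this as "Order Allow,Deny" + "Deny from all"; on 2.4 that
#    form only works when mod_access_compat is loaded.
<FilesMatch "\.(?i:ini|inc|sh|log|bak|bkp|sql)$">
    Require all denied
</FilesMatch>

# 2. 404 by URL. RedirectMatch (mod_alias) runs before access control and does
#    not confirm that anything exists. It matches the request path rather than
#    a filename, so it can also hide whole directories such as /.git/, which
#    FilesMatch never sees (for /.git/config the filename is just "config").
#    The stock httpd.conf already denies ".ht*" with a 403; this turns it into
#    a 404 because mod_alias answers first.
RedirectMatch 404 (?i)/\.(git|svn|hg|bzr)(/|$)
RedirectMatch 404 (?i)/\.ht(access|passwd)$

# 3. mod_rewrite form of Artefacto's rule. R=404 discards the substitution and
#    stops rewriting; NC makes the match case-insensitive.
RewriteEngine on
RewriteRule \.(swp|orig|rej)$ - [R=404,NC]
```

To check the result, request each extension in both cases (e.g. /x.bak and /x.BAK) and a directory path such as /.git/ and confirm the expected 403 or 404; a 200 on the upper-case variant means the rule is case-sensitive and the filesystem is not.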