6

I'm attempting to deny access to anyone surfing for PHP files in a specific directory:

example.com/inc/

I've created an example.com/inc/.htaccess file with the contents:

Order deny,allow
Deny from all

This results in a 403 Forbidden response when I try to access one of the files. For example: example.com/inc/file.php

The problem is, my web server is also denied access and my application stops working.

How can I deny access to people surfing for such PHP files but allow my shared web server access?

Note: I'm using GoDaddy shared hosting.

henrywright
  • How is your web server "also denied access"? That is an apache directive. Unless you were including files to your other scripts via http this shouldn't be an issue. PHP works on the file system which means it ignores apache directives/rules. Another option (and usually preferred) is to just move the directory you don't want to allow access to outside of the web root. Then php can't be run from that directory but other scripts have access to the files for includes and such. – Jonathan Kuhn May 18 '15 at 15:47
  • There is no difference between someone trying to access `file.php` and your web server accessing `file.php`. `HTTP_REFERER` can be used probably but that is a very weak check. – anubhava May 18 '15 at 15:48
  • Possible duplicate : http://stackoverflow.com/questions/409496/prevent-direct-access-to-a-php-include-file – vard May 18 '15 at 15:49
  • @anubhava Is there a reason why your web server would ever need to access another file on the web server via http through apache? – Jonathan Kuhn May 18 '15 at 15:49
  • Web server needs to access is actually a confusing term as every access to `file.php` is via site's webserver only. Probably OP meant that there is some link to `file.php` on the website. – anubhava May 18 '15 at 15:53
  • I'm not sure if my web server is 'denied' access but when I try any of the solutions kindly mentioned here in the answers to this question I get a 403 Forbidden across my site. Any ideas why? – henrywright May 18 '15 at 19:18

4 Answers

7

I would just use a rule and block the access that is entered by the user. This will block any php file that is entered.

RewriteEngine On
RewriteRule ^.*\.php$ - [F,L,NC]

Edit based on your comment. Try this way.

<Files (file|class)\.php>
order allow,deny
deny from all
allow from 127.0.0.1
allow from 192.168.0.1
</Files>

Replace 192.168.0.1 with your server IP address.

Panama Jack
  • When I do this I get a 403 Forbidden across my site. Any ideas why? – henrywright May 18 '15 at 19:04
  • Ok I think everyone must be confused with what you are trying to accomplish. You said you wanted to block access to .php files. That does that. But if your pages are rendered using PHP, you can't block them if the user has to navigate to a php page to see your site. – Panama Jack May 18 '15 at 19:08
  • Yep, I get that, but file.php just has 4 lines of code. It handles an ajax call I'm making and echoes back a response to my JavaScript. – henrywright May 18 '15 at 19:11
  • Inside /inc/ I have one more PHP file. That's all. The second file is called class.php and holds one class definition. – henrywright May 18 '15 at 19:12
  • Thanks for the update. I thought about this but I don't think my GoDaddy shared server has a dedicated IP address. – henrywright May 18 '15 at 19:19
  • @henrywright It does. All servers do. The same one your domain name points to. You can also do hostnames. `allow from yoursite.com` http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html – Panama Jack May 18 '15 at 19:21
  • Thanks, I tried hostname but no luck. I get "Failed to load resource: the server responded with a status of 403 (Forbidden)" in the console. – henrywright May 18 '15 at 19:30
  • Oh wait you are using ajax? then that is client side. It's going to see the IP address of the user. You can't block that or your ajax won't work. Who is making the ajax call? – Panama Jack May 18 '15 at 19:32
  • Yes, I'm using ajax. example.com/js/script.js makes an ajax call to example.com/inc/file.php – henrywright May 18 '15 at 19:34
  • When you are viewing a web page the client (Browser) will load the javascript. Then when it does an ajax call it's making the request as the user, which is the user's IP address. If you block access to that file, then no, your ajax won't work. You have to make error handling and security inside the file.php. – Panama Jack May 18 '15 at 19:37
  • Right! Thanks for the explanation, it all makes sense now. How do you suggest I add security inside file.php? Or perhaps that'll need another question? – henrywright May 18 '15 at 19:43
  • @henrywright I would ask that in another question. This one, for all intents and purposes, has been answered how you requested it, but because we didn't have all the info in the question about it being ajax, I just answered it as is: `Deny all php files`. In the next question provide some of your php code and let us know what you are trying to prevent from happening. – Panama Jack May 18 '15 at 19:50
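
Putting the thread's conclusion together as an added example (not code from any answer above): an `/inc/.htaccess` that returns 403 for every PHP file in that directory except the AJAX endpoint `file.php`, which the visitor's browser must be able to request. The names `file.php` and `class.php` come from the question; everything else is assumed.

```apache
# Added example: example.com/inc/.htaccess (this file only; placing it at the
# web root would deny every page of the site, as noted in the comments).
# PHP include()/require() read class.php from the filesystem, so these Apache
# rules never affect the application's own use of the files.

# Deny direct HTTP access to every .php file in /inc/, e.g. class.php.
<FilesMatch "\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Re-open only the AJAX endpoint. The request comes from the visitor's browser
# with the visitor's IP, so an IP or hostname allow-list cannot be used here;
# input validation and error handling belong inside file.php itself.
<Files "file.php">
    Order allow,deny
    Allow from all
</Files>
```

A quick check after deploying: requesting `/inc/class.php` in a browser should return 403 while the page's AJAX call to `/inc/file.php` still succeeds.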
2

Use a proper directory structure: put your files in a lib/ directory, for example, and include them from a file which is not in this directory. This is how common frameworks work.

You can even map your URL to the web/ directory and put lib one directory up; then you are sure that there is no access to your .php files, only index.php and assets.

You can read how it is solved in Symfony2, for example: http://symfony.com/doc/current/quick_tour/the_architecture.html. It'll give you some clues.

Robert
  • file.php is used by an ajax call, therefore I can't put it outside my web root. Thanks for the link though, interesting to see how Symfony organises file structure. – henrywright May 18 '15 at 19:06
  • It does not matter if you have a proper MVC structure; read more deeply :) with the web/ directory – Robert May 20 '15 at 09:07
1

To block navigation access to all files ending in .php you can use:

RedirectMatch 403 ^.*\.php$
Halcyon
1

To only deny access to php files you can use this:

<Files *.php>
order allow,deny
deny from all
</Files>
Jan
  • When I do this I get a 403 Forbidden across my site (The same as Panama Jack's solution). Any ideas why? – henrywright May 18 '15 at 19:07
  • Most likely you have placed it in the top-level folder's .htaccess. Place it in the .htaccess of the folder which you want to protect. – Azghanvi Oct 17 '17 at 10:16