4

I have a router on my index file in the root of my domain. It uses the directories supplied in the URL to require files needed for the domain. I can provide more detail on that if needed, however the application works if I don't modify the HTAccess beyond the default I started with, so I don't think so.

The PHP application handles errors, so I have the ErrorDocument pointing to my root.

Here's my current HTAccess file:

Options -Indexes
DirectoryIndex index.php

ErrorDocument 404 http://example.com/
ErrorDocument 403 http://example.com/

Options +FollowSymLinks
RewriteEngine On

RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f

RewriteRule ^.*$ ./index.php

Using this, example.com/folder/directory/ successfully loads example.com/index.php, but the URL remains intact, so that my routing array has

$router->dir[0] == "folder";
$router->dir[1] == "directory";

I've tried to modify the last line to exclude some directories that users are allowed into. Let's call those /users/ and /allowed/. There aren't many of these, and never will be (hopefully), so I'd prefer to list them out. There are also dependencies directories, let's call them /js/ and /css/ for ease.

There are also directories that hold code. let's call them /code/ and /not-allowed/.

Here is the modified version I've tried, removing the conditions, because I want to control the allowed and disallowed folders and files:

Options -Indexes
DirectoryIndex index.php

ErrorDocument 404 http://example.com/
ErrorDocument 403 http://example.com/

Options +FollowSymLinks
RewriteEngine On

RewriteRule ^/((?!(users|allowed|js|css).*)$) ./index.php

This kind of works. In my previous example, example.com/folder/directory loads as a 404, so it is then routed to the index page, however the URL in the browser is changed to example.com, to it's clear that a redirect actually took place.

Removing the ErrorDocument lines, I get the default Apache 404 page, and the index.php file is not loaded.

1) is there a very simple solution? typo in my regex, maybe? I have been looking on Stack Overflow all day, and I've looked through the documentation. I can't seem to accomplish both allowing some folders and disallowing others.

2) is it smarter to allow access to everything, and then mark folders that aren't allowed? if so, how should I best go about that? do i give each of these directories their own HTAccess? I think I would prefer not to do this.

Thanks!

Clayton Engle
  • 582
  • 3
  • 17
  • 1
    Is [this](https://stackoverflow.com/questions/1848500/htaccess-mod-rewrite-how-to-exclude-directory-from-rewrite-rule) one of the questions you already looked at? – Patrick Q Aug 02 '18 at 18:46
  • I hadn't seen that. Seems almost too easy. Let me try and apply it... brb. – Clayton Engle Aug 02 '18 at 18:48
  • So, I've basically got it working, however it relies on `deny from all` in each directory that's forbidden. I don't like that solution as it requires a lot of additional files as the blocked directories are added, but it is the obvious answer that immediately solves the problem. @PatrickQ, if you want to submit that, I'll accept it. – Clayton Engle Aug 02 '18 at 19:42
  • 1
    If you have a reasonably logical directory structure, I'm pretty sure that you should be able to just put the `deny from all` at the highest level directory that you want to block all access to. So instead of putting it in `/code/fold1/` _and_ `/code/fold2/`, you'd just put it in `/code/`. – Patrick Q Aug 02 '18 at 19:49
  • Yes, I've entered it into my root for the code folder, this is just a project that is going to outlive me, so I was hoping to not have to have all root folders require their own htaccess, if that makes sense. I have tried a few of the other answers in that thread, but they are throwing 500 errors. sadly, I'm not familiar enough with htaccess to unravel their answers like I normally would to solve any other problem. Thanks for your help though. :) – Clayton Engle Aug 02 '18 at 20:29
  • So what exactly is not working with your current suggested solution? Do you just not want 404 to redirect to home page? – anubhava Aug 02 '18 at 21:50

1 Answers1

1

You may use this code:

ErrorDocument 404 /
ErrorDocument 403 /

DirectoryIndex index.php
Options +FollowSymLinks -Indexes

RewriteEngine On

RewriteCond %{THE_REQUEST} !/(?:users|allowed|js|css)[/?] [NC]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . index.php [L]

RewriteCond %{THE_REQUEST} makes sure we operate on original web request URI not on a rewritten URI.

anubhava
  • 761,203
  • 64
  • 569
  • 643
  • 1
    Beautiful! this is exactly what I wanted. Thank you! Essentially the difference is on 403 with a `deny from all` you are redirected with my script. I don't want a 403, I just want it to load the index file, and let it work out the display. This is perfect! – Clayton Engle Aug 03 '18 at 13:25
  • 1
    I should mention here, for anyone looking for the same thing, in order for existing files and directories to not load, you need to remove `RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f`. I knew this when it was posted and should have clarified. anubhava's addition that makes it work, and the line I was looking for, is `RewriteCond %{THE_REQUEST} !/(?:users|allowed|js|css)[/?] [NC]` – Clayton Engle Aug 05 '18 at 17:30