2

I want to hide my website structure and redirect all possible requests to one file (index.php) with .htaccess.

Right now I use .htaccess to deny permission to read images and directories and redirect requests to index.php. If anybody requests forbidden dir/file, it shows E403. I want to redirect the request to index.php in that case, no E403.

So basically: I want to start processing every possible request (existing/non-existing page, .php file, image, other file, dir..., except css and js) in a single file (index.php), no matter what, so the user will see my index.php content every time (generated from many files on server side, depending on URI). My .htaccess can hide image content, but not the structure and PHP files. If anybody requests invalid URI, it's working (index.php shows error message), but if somebody requests for an existing PHP, it's executing it.

Order allow,deny
Deny from all
</Files>

<FilesMatch "\.(log|jpg|png|jpeg|gif|ico|jfif|pdf|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>

Options -Indexes

RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !\.(css|js)$ index.php [L]

AddType application/x-httpd-php .php .phtml
TSGR
  • 35
  • 2

1 Answers1

4

You can define specific error page in php or html format. and you can redirect your visitor to specific page

    ErrorDocument 404 /errors/404.php
    ErrorDocument 403 /errors/403.php

For example in 404.php you can use these code :

header("Location: http://example.com/index.php");

or if you wanna use index.htmlyou can do this :

<html>
    <head>
<meta http-equiv="refresh" content="0; url=http://example.com/" />
    </head>
</html>

or also can do something like this :

    ErrorDocument 404 /index.php
    ErrorDocument 403 /index.php

this link is also helpful

and for your new comment you the answer is "Yes". you can process an extension as another extension, take look at this code :

AddType application/x-httpd-php .mp3
RewriteEngine On
RewriteRule /load.mp3 /load.php

this code will add mime-type and will proccess .mp3 files as .php you also can use this code :

Options +FollowSymlinks
RewriteEngine On
RewriteBase /
RewriteRule ^(.+).mp3$ /$1.php [NC,L]

and this link is useful too

GameO7er
  • 2,028
  • 1
  • 18
  • 33
  • Good idea with E404/E403, thanks. Any idea about running single PHP scripts from subfolders? My only idea is to rename them as something like "ScriptName.XXX", add rule to process XXX as PHP and deny access to XXX files (as I do with images). – TSGR Jun 22 '19 at 18:46
  • This is a great answer all around, kudos to @GameO7er. Yet I'd add this obligatory thing: if possible, better move your file out of web root for maximum protection. Apache config can be broken (by upgrade, or typo in main http.conf, or whatever else reason), and your files will suddenly become available to the world. – alx Jun 22 '19 at 19:04
  • @alx What do you mean? Move the whole web to some subfolder with impossible-to-guess name? – TSGR Jun 22 '19 at 19:11
  • Move it outside of webroot, e.g. if webroot is `/var/www/html`, put sensitive files in `/var/www`. That's the best way to defend. But not always possible, I must admit. – alx Jun 22 '19 at 19:15