开发者

How to hide certain file type using apache .htaccess?

开发者 https://www.devze.com 2022-12-30 13:23 出处:网络
Its been a long time since I\'ve needed to crack open an .htaccess file... What is the simp开发者_运维知识库lest way to 40x prevent access to a specific file extension through out the entire site?<

Its been a long time since I've needed to crack open an .htaccess file...

What is the simp开发者_运维知识库lest way to 40x prevent access to a specific file extension through out the entire site?


<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Loaded with some common extensions, add more as you need.


If you really want a 404 (and not a 403), you can use mod_rewrite:

RewriteEngine on
RewriteRule \.ext$ - [R=404]


<FilesMatch "\.ext$">
    Deny from all
</FilesMatch>

See the Apache documentation on FilesMatch and Deny

EDIT: Artefacto makes a good point, this will return 403, not 404, if that's important for your purposes


You can also deny access to file extensions using RedirectMatch directive :

RedirectMatch 403 ^/.+\.(php|html|gif)$

This will return a 403 forbidden error for clients if they request any uri that ends with .php or .html or .gif . You can add more extensions to the pattern using a bar | .


I like both @Chris Lawlor's and @starkeen's answers and since OP asked about "40x" I'm going to suggest redirecting to a 404 error since it doesn't give away the fact the files exist.

This is what I'm currently using in one of my projects:

# Hide files not concerning the user
RedirectMatch 404 \.(htaccess|htpasswd|ini|log|sh|inc|bak|bkp|sql)$


@Dário has the right idea for File Types, and it can also be used for specific files and directories as well. The only thing that is missing is to manage case sensitivity.

I came across this article that gives some detail about case-sensitive RedirectMatch, and also suggests being character case non-sensitive.

When it comes to redirecting most requests, its all lowercase anyway. Or you can use RewriteRule to establish case-insensitivity. But for some situations, it’s good to know that you can also roll with RedirectMatch by simply adding the (?i) to the rule.

RedirectMatch 403 /\$\&
RedirectMatch 403 (?i)/\.(bash|git|hg|log|svn|swp|tar)
RedirectMatch 403 (?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup).php
RedirectMatch 403 (?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$
RedirectMatch 403 (?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|userfiles)
0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号