24

I need to do a somewhat strange operation.

First, I run Debian with apache2 (which 'runs' as user www-data).

So, I have simple text files with a .txt or .ini extension, or whatever; it doesn't matter.

These files are located in subfolders with a structure like this:

www.example.com/folder1/car/foobar.txt
www.example.com/folder1/cycle/foobar.txt
www.example.com/folder1/fish/foobar.txt
www.example.com/folder1/fruit/foobar.txt

So the file name is always the same, and likewise the 'hierarchy'; only the name of one folder changes: /folder-name-static/folder-name-dynamic/file-name-static.txt

What I should do is (I think) relatively simple: I must be able to read that file from programs on the server (Python or PHP, for example), but if I try to retrieve the file contents with a browser (typing the URL www.example.com/folder1/car/foobar.txt, or via cURL, etc.) I must get a forbidden error, or whatever, but not access to the file.

It would also be nice if those files were 'hidden' when accessed via FTP, or at least could not be downloaded (at least that I use with the ftp root and user data)

How can I do this?

I found this online, to be put in the .htaccess file:

<Files File.txt>
 Order allow, deny
 Deny from all
</ Files>

It seems to work, but only if the file is in the web root (www.example.com/myfile.txt), and not in subfolders. Moreover, the folders at the second level (www.example.com/folder1/fruit/foobar.txt) will be dynamically created. I would like to avoid having to change the .htaccess file from time to time.

Is it possible to create a rule, something like that, that applies to all files with a given name located at www.example.com/folder-name-static/**folder-name-dynamic**/file-name-static.txt, where those parts are always the same and just **that one** changes?

EDIT:

As Dave Drager said, I could simplify this by keeping those files outside the web-accessible directory. But those directories will contain other files too, images and stuff used by my users, so I'm simply trying not to have a duplicate folder system, like:

/var/www/vhosts/example.com/httpdocs/folder1/car/[other folders and files here]
/var/www/vhosts/example.com/httpdocs/folder1/cycle/[other folders and files here]
/var/www/vhosts/example.com/httpdocs/folder1/fish/[other folders and files here]

//and, then for the 'secrets' files:

/folder1/data/car/foobar.txt
/folder1/data/cycle/foobar.txt
/folder1/data/fish/foobar.txt
Strae
  • Not sure if this recently changed in Apache 2.4 but the line above `Order allow, deny` trips up Apache. It needs to be `Order allow,deny`, i.e. no spaces between 'allow,' and 'deny', otherwise Apache classes it as `AH00526 Syntax error` – Dave White Jun 27 '23 at 14:58

7 Answers

34

You could use Files/FilesMatch and a regular expression:

<Files ~ "\.txt$">
    Order allow,deny
    Deny from all
</Files>

This is how .htpasswd is protected.

or redirect any access of .txt to a 404:

RedirectMatch 404 \.txt$
rkthkr
  • I tried to use that way, but it seems that it doesn't work on files in sub-folders – Strae Jun 09 '09 at 13:56
  • I fixed my regexps, sorry... – rkthkr Jun 09 '09 at 14:39
  • ok.. that can work. But.. the regexp should be like RedirectMatch 404 \myfilename.txt$, right? The files will always have the same name, but in different folders. And this solution won't affect the FTP method, right? – Strae Jun 09 '09 at 14:46
  • That looks correct... – rkthkr Jun 09 '09 at 15:33
  • Yes, I confirm it works... but my regexp RedirectMatch 404 \myfilename.txt$ must be wrong.. it works if I use RedirectMatch 404 \.txt$, blocking all the .txt files, but not if I use the filename in the regexp. Any help? I'm not a genius with regexp ;) – Strae Jun 10 '09 at 14:14
  • Try: RedirectMatch 404 myfilename.txt :) – rkthkr Jun 10 '09 at 14:25
  • I don't have a setup to test it, but I noticed in the regexp you did not put the backslash in front of the "." Normally, in regexp a . by itself is a wildcard for anything not end of line, so use \. to represent an actual period only. myfilename\.txt$ That said, no backslash should also work; however, it is risky putting a backslash in front of the m since \m might mean something special, so I would take that one out. – Jose_X Apr 03 '21 at 02:48
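To compare the patterns discussed in this answer and its comments, here is an added example (not code from the original posts) that runs them over URL paths shaped like the question's layout. The sample paths and the anchored `LAYOUT_PATTERN` are constructed assumptions, and Python's `re` stands in for Apache's regex engine, which treats these particular patterns the same way.

```python
import re

# Patterns from the thread. "\myfilename.txt$" is left out: Python's re
# rejects the "\m" escape, so it cannot be compared here.
THREAD_PATTERNS = {
    "all_txt": r"\.txt$",
    "unanchored_name": r"myfilename.txt",
    "escaped_name": r"myfilename\.txt$",
}

# Assumption (not from the thread): a pattern anchored to the
# /static-folder/dynamic-folder/static-file layout from the question,
# usable as: RedirectMatch 404 ^/folder1/[^/]+/myfilename\.txt$
LAYOUT_PATTERN = r"^/folder1/[^/]+/myfilename\.txt$"

# Constructed URL paths: (path, should_be_blocked)
SAMPLES = [
    ("/folder1/car/myfilename.txt", True),
    ("/folder1/fish/myfilename.txt", True),
    ("/folder1/car/readme.txt", False),
    ("/folder1/car/notmyfilename.txt", False),
    ("/folder1/car/myfilename.txt.html", False),
    ("/folder1/car/myfilenameXtxt.png", False),
    ("/folder1/car/photo.png", False),
]


def blocked(pattern, url_path):
    """RedirectMatch searches the URL path; it does not require a full match."""
    return re.search(pattern, url_path) is not None


def misclassified(pattern):
    """Paths where the pattern's decision differs from the intended one."""
    return [p for p, want in SAMPLES if blocked(pattern, p) != want]


def report():
    """Map each pattern name to the sample paths it gets wrong."""
    patterns = dict(THREAD_PATTERNS, layout=LAYOUT_PATTERN)
    return {name: misclassified(rx) for name, rx in patterns.items()}


if __name__ == "__main__":
    for name, wrong in report().items():
        print(f"{name:16} wrong on: {wrong or 'nothing'}")
```

Every pattern blocks the two protected files; the differences are in what else gets blocked, which matters here because the same folders also hold files that must stay web-accessible.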
2

From the Order documentation section:

Keywords may only be separated by a comma; no whitespace is allowed between them.

So the following is incorrect:

<Files File.txt>
Order allow, deny
Deny from all
</ Files>

The following is (more) correct

<Files "File.txt">
Order allow,deny
Deny from all
</Files>
1

Yes, this is all possible. However if you have programs on the server that need to access text files, they should reside out of the web root. For example, if your web files are in ~/public_html/, you should store them in ~/data. There is no reason to place them in the public html folder.

In addition to removing them from the web folder, make sure unix permissions are set correctly on them. The user of the scripts would need to have read (write?) access but anyone else does not have to have this access.

If you DO need to have these files in a web accessible folder, there are ways to do what you are asking via mod_rewrite. See the following site for many examples, one of which should fit the bill.

http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

Dave Drager
0

Why not use standard Unix file permissions to deny access to the file?

There is a decent explanation on Wikipedia about Unix file permissions

Andrew P.
cyberkni
  • How can I set permissions to let php, python and the root user handle those files, but not browser access? – Strae Jun 09 '09 at 13:39
  • As an editor on Wikipedia since 2004, I would counsel that one should trust NOTHING found therein without checking other sources. – Andrew P. Jun 06 '21 at 03:13
0

Put the .htaccess file in the subdirectory and in the statement, set AllowOverride All

Matt Simmons
  • So I'll need a .htaccess in every 2nd-level folder? Mmh.. that can be a solution.. it would be better with 1 .htaccess.. – Strae Jun 09 '09 at 13:55
0

You can use Linux ACLs.

Alakdae
0

After reading all of you, I noticed that the .htaccess file can be the way for me: it only affects the files in the folder where it is.

But my folders are dynamically generated. I don't think that copying the .htaccess file or recreating it every time I create a new folder is a reliable way.

As Dave said, the logical way should be storing the config text files outside the web-accessible folder.

But in every folder I have to store other files, images for example, that must be web-accessible... and I still don't think that replicating the folder structure, inside and outside the web-root directory, is a reliable way either. Therefore, I'd even need to change the Apache configuration to include the config folder in the PHP allowed path.. this shouldn't be a problem, anyway.

So, if I can't have the best, I have to choose the least bad one.

I'll use the multiple .htaccess files solution, for now, hoping not to have regrets in the future.

Every other solution is appreciated.

Strae