1

I can't get file blocking working. If I use the following statement in .htaccess, it blocks my whole site:

order allow,deny
<Files ~ ".*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|mp4|MP4)$">
allow from all
</Files>

I'm running Apache 2.2.22 (Debian).

If I comment out the above lines I can access my site again. In case it's not clear, I'm trying to block all files from being downloaded from my site except for the allowed file types.

There are numerous posts on this general subject here and on other sites, but I've been at this for 2 or 3 hours now, and I can't get this problem to budge. I'm sorry if it seems obvious.

Note: AllowOverrides is definitely on. I've grepped for AllowOverrides in all of the conf directories and the included directories and it's turned on everywhere right now. I've restarted the apache2 service when conf changes have been made.

Can anyone see what I've done wrong?

mikekehrli
  • 111
  • 2
  • Why have you chosen to use `Order allow,deny`? This is the reverse of the usual order, and is not generally recommended. – Michael Hampton Mar 22 '16 at 07:12
  • I'm trying to deny access to any files except those types I've allowed. I thought the correct order to achieve that is "allow,deny". But I must admit, I don't fully understand how this processing works. I'm going to study up on it some more... – mikekehrli Mar 23 '16 at 04:34

1 Answer

0

You can use an env-based blocking system to allow and deny access to your site:

SetEnvIfNoCase request_uri (js|css|jpg|gif|png|mp4|php|html)$ allowedfiles=1
Order deny,allow
Deny from all
Allow from env=allowedfiles

SetEnvIfNoCase is case-insensitive; it matches both png and PNG.

You can also use mod_rewrite:

RewriteEngine on
##If the request URI doesn't end with these extensions##
RewriteCond %{REQUEST_URI} !(js|css|jpg|gif|png|mp4|php|html)$ [NC]
##forbid the request##
RewriteRule ^ - [F,L]
starkeen
  • 128
  • 5
  • Thank you for the reply. Both of those again shut down my site. I get the message: "You don't have permission to access / on this server.", when I use either of them. The same as when I try to use the method in my first post. I don't understand why the method in my first post doesn't work. It's probably the same reason your methods also don't work. I'm using php files on this site. These directives we are using won't block the output of the php files will they? I really feel I'm missing something stupid and basic on this one, but can't figure out what it is. – mikekehrli Mar 22 '16 at 06:53
  • The reason why you are getting the forbidden error is because you have blocked all requests except these allowed files. If you want to access your php and html files, you need to list their extensions too. See the edit. – starkeen Mar 22 '16 at 07:08
  • Again, thanks for answering. I get the same result with the edited version. The main thing I'm trying to achieve is that someone can't download the raw php files. It would seem if I include them in the permitted files list, it would allow that to occur. – mikekehrli Mar 22 '16 at 09:54
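
Why both configurations in this thread return 403 for `/`, as an added sketch that is not code from the original posts: it models the Apache 2.2 `Order`/`Allow`/`Deny` decision as documented for mod_authz_host and applies it to the two rule sets above. The function names and sample URIs are constructed, and the model assumes each URI maps directly to a file of the same name.

```python
import re

def authz_host(order, allow_hit, deny_hit):
    """Apache 2.2 mod_authz_host verdict: True = served, False = 403.

    allow_hit / deny_hit: does any Allow / Deny line in the merged
    configuration match this request?
    """
    if order == "allow,deny":
        # Allow is evaluated first and at least one must match;
        # any matching Deny then overrides. No match at all: denied.
        return allow_hit and not deny_hit
    if order == "deny,allow":
        # Deny is evaluated first; any matching Allow overrides it.
        # No match at all: allowed.
        return allow_hit or not deny_hit
    raise ValueError(f"unknown Order: {order}")

# Regexes copied from the question and the answer on this page.
Q_FILES = re.compile(r".*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|mp4|MP4)$")
A_URI = re.compile(r"(js|css|jpg|gif|png|mp4|php|html)$", re.IGNORECASE)

def question_config(uri):
    """Order allow,deny with 'allow from all' only inside <Files ~ ...>."""
    basename = uri.rsplit("/", 1)[-1]        # <Files> tests the file name; "/" gives ""
    allow_hit = bool(Q_FILES.search(basename))
    return authz_host("allow,deny", allow_hit, deny_hit=False)

def answer_config(uri):
    """Order deny,allow / Deny from all / Allow from env=allowedfiles."""
    env_set = bool(A_URI.search(uri))        # SetEnvIfNoCase request_uri ...
    return authz_host("deny,allow", allow_hit=env_set, deny_hit=True)

if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    for uri in ["/", "/index.php", "/css/site.css", "/IMG/Logo.PNG", "/notes.txt"]:
        print(f"{uri:15} question={question_config(uri)!s:5} answer={answer_config(uri)}")
```

In both models the request for `/` carries no listed extension, so no Allow applies and the verdict is the 403 reported in the comments.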