2

I have a .htaccess file with the following contents:

<IfModule mod_rewrite.c>  
    RewriteEngine on
    SetEnv HTTP_MOD_REWRITE on
    RewriteBase /wsproject/

    Options All -Indexes
    DirectoryIndex index.php

    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-l
    RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]
</IfModule>

I want to hide everything from the users: the directory structure and private files, while enabling public files: *.js, *.html, *.css, *.swf, *.jpg and other stuff. I want .php files to be accessible only from the file system, except for the index.php in the root dir.

I only want to serve requests via HTTP which are written with an (abstract) MVC URL pattern like: www.domain.com/lang/controller_name/action_name/arg1/arg2/././argn, which are being rewritten by .htaccess, and public *.html, *.js ...etc files.

While Options All -Indexes hides the file listing, it will not prevent an undesirable request, e.g. www.domain.com/library/Bootstrap.php, from being served. Deleting/commenting out RewriteCond %{REQUEST_FILENAME} !-f would solve this, but in that case none of my public .html, .css, .js ...etc files would be served.

I tried to apply Deny from all for each PHP file except the index.php, but I always get a 500 Internal Server Error message. I'm doing this on localhost, on Windows.

Any ideas?

ACs

2 Answers

3

Instead of stating that all but existing files should be directed to index.php, you can say that everything except *.js, *.html, *.css, *.swf, *.jpg should be directed to index.php.

This isn't exactly the same as denying, since you don't give a Forbidden response. Though in this case you don't give out any information about which files exist or not, so I'd argue that it's a better solution.

<IfModule mod_rewrite.c>  
    RewriteEngine on
    SetEnv HTTP_MOD_REWRITE on
    RewriteBase /wsproject/

    Options All -Indexes
    DirectoryIndex index.php

    RewriteRule \.(js|html|css|swf|jpg)(\?|$) - [QSA,L]
    RewriteRule ^index.php(\?|$) - [QSA,L]
    RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]
</IfModule>

Note that rewriting to - means no rewriting is done at all.

Arnold Daniels
  • This worked well for me when the above solutions did not. Slight modifications for those that try it: remove RewriteBase if you don't need it, and add some additional RewriteRule exceptions for folders/files if necessary, like so: `RewriteRule ^administrator - [QSA,L]` `RewriteRule \.(js|html|css|swf|jpg|ico|eot|woff|ttf|svg)(\?|$) - [QSA,L]` – David H. Nov 10 '15 at 15:23
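
An added example, not part of the original answer or comment: a small Python model of the answer's three rules, plus the `^administrator` exception from the comment, for checking which request paths are handed to index.php and which are served as requested. The function names and sample paths are constructed for illustration; file-existence checks and Apache's handler behaviour are not modelled.

```python
import re

BASE = "/wsproject/"  # RewriteBase from the answer
# The answer's three rules, in order, as (pattern, substitution); "-" = no rewrite.
RULES = [
    (r"\.(js|html|css|swf|jpg)(\?|$)", "-"),
    (r"^index.php(\?|$)", "-"),
    (r"^(.+)$", "index.php?url=$1"),
]
# The comment's extra exception placed in front of them.
RULES_WITH_ADMIN = [(r"^administrator", "-")] + RULES


def route(url, rules=RULES, max_rounds=5):
    """Return (path, query) that ends up being served for a request URL.

    Simplified model of .htaccess processing: patterns see the path relative
    to RewriteBase, without the query string; after a substitution the rule
    set runs again on the result. Filesystem checks are not modelled.
    """
    path, _, query = url.partition("?")
    if not path.startswith(BASE):
        raise ValueError("URL is outside RewriteBase")
    path = path[len(BASE):]
    for _ in range(max_rounds):  # bound is a guard for this model only
        for pattern, subst in rules:
            match = re.search(pattern, path)
            if not match:
                continue
            if subst == "-":
                return path, query  # passed through unchanged
            path, _, added = subst.replace("$1", match.group(1)).partition("?")
            query = "&".join(q for q in (added, query) if q)  # QSA
            break  # [L]: stop this pass, then re-run on the new path
        else:
            return path, query  # no rule matched
    raise RuntimeError("request did not settle")


def bypasses_front_controller(url, rules=RULES):
    """True if the file is served as requested instead of via index.php."""
    return route(url, rules)[0] != "index.php"


if __name__ == "__main__":
    for u in ("library/Bootstrap.php", "css/site.css?v=3", "en/user/show/42"):
        print(u, "->", route(BASE + u))
```

With the `^administrator` exception in place, every path under that prefix is passed through unchanged, .php files included, so it is worth running the paths you care about through both rule sets.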
1

Rather than (or maybe as well as...) editing your .htaccess file, I'd suggest using the chmod command to modify the read/write/executability values of your files.

A relatively succinct and sensible explanation of what chmod is/does can be found in the accepted answer here, but generally the simplest way is to chmod 644 your files and chmod 755 your folders.

Community
d0ug7a5