Deny access to subfolder and file with .htaccess

Question

I need to deny access to configuration files under some subfolder. Currently I have this rule but it doesn't work:

<Files ~ "((foo|bar))$">
  Order deny,allow
  Deny from all
</Files>

If I go to www.mysite.com/foo/foo2/file.xml, I can view the file. I need to deny all file accesses into fooand bar recursively

UPDATE

I have tried this this configuration but have an Internal Error

<FilesMatch ".foo\.(*)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

score 2 · Answer 1 · answered Aug 06 '15 at 16:05

"<Files> [...] will be applied to any object with a basename (last component of filename) matching the specified filename". It's not what you want.

Directory* don't work in .htaccess

You have to use mod_rewrite. For example:

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule ^(foo|bar) - [F]
</IfModule>

score 2 · Answer 2 · answered Apr 13 '17 at 11:12

2

Instead of file directive try using location :

<Location "path/to/folder-or-file">
    Order Allow,Deny
    Deny from all
</Location>

answered Apr 13 '17 at 11:12

BOUKANDOURA Mhamed

328
3
13

1

The Location directive isn't valid in .htaccess files, as the author requested. This will cause a 500 error. – EricP Jan 16 '20 at 16:25

Drav Sloan · Answer 3 · 2015-08-06T15:56:15.227

1

I would do regex matching inside the apache config. Then

use <DirectoryMatch> instead of <File> (you are regular expression matching on a directory)
correct your regex's strictness (specifically the $)

simplify your regex (too many brackets)

<DirectoryMatch "/path/to/toplevel/(foo|bar)">
    Order deny,allow
    Deny from all
</DirectoryMatch>

Note that /path/to/toplevel/ is the file system location of your WWW directory where foo and bar reside.

However, If you want to do it via .htaccess only, create a .htaccess file in every directory that you want to deny (foo, bar, foo/bar etc), and put the line

Deny from all

inside.

edited Aug 06 '15 at 15:56

answered Aug 06 '15 at 14:46

Drav Sloan

14,145
4
45
43

1

If i use DirectoryMatch like you have described, i have Internal Server Error, the folder are in the same directory oh .htacces (/) – stecog Aug 06 '15 at 15:12
Are you doing this via the `.htaccess` file? In which case you will require `AllowOverride Limit` set on that directory by your main apache configuration. – Drav Sloan Aug 06 '15 at 15:17
Yes, i need put into .htaccess file, i have `AllowOverride All` in apache configuration – stecog Aug 06 '15 at 15:20
What is your apache error log showing? – Drav Sloan Aug 06 '15 at 15:28
`DirectoryMatch not allowed here` – stecog Aug 06 '15 at 15:30
It has to be inside your main apache config. – Drav Sloan Aug 06 '15 at 15:33
2

To the title i have specified "whit .htaccess" – stecog Aug 06 '15 at 15:34
updated answer. – Drav Sloan Aug 06 '15 at 15:48
Yes i know, but i need make an unique .htaccess file, i resolved partially with `RewriteRule ^foo(/|$) - [L,NC]` , now i have a `Forbidden` to directory but i can view the files inside directories foo/foo2/file.xml (example) – stecog Aug 06 '15 at 15:52
You need the .htaccess file inside foo/foo2 (as they are not recursively applied), hence the suggestion to do it more cleanly inside the apache config. – Drav Sloan Aug 06 '15 at 15:54

Deny access to subfolder and file with .htaccess

3 Answers3