0

I am trying to block access to all .php files in all my directories, but I need to keep one single file available so it can process user requests, and my RewriteRule is not working. How can I make it work?

Here is my .htaccess :

AddDefaultCharset utf-8

Options -MultiViews
Options +FollowSymLinks
Options All -Indexes

Order deny,allow
Deny from all

<Files ~ "\.(txt|xml|css|jpe?g|png|gif|js|pdf)$">
  Allow from all
</Files>

<Files ~ "start\.php$">
  Allow from all
</Files>

RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_URI} ^/$ [OR]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ /start.php [QSA]

Now if I try to access, for example, http://localhost/test, it shows a 403 error: You don't have permission to access /test on this server.

2 Answers

1

One solution to this is moving all .php files outside your document root and keeping only start.php inside. This effectively prevents access to any .php file, except the one you want to allow.


The other solution is configuration based, which is more expensive, because Apache must check the rules for each file requested.

Access to http://localhost/test is denied, because you have

Order deny,allow
Deny from all

and the Files sections do not apply here. See the Order Directive for details, especially the table, where you have

Match               Allow,Deny result   Deny,Allow result
---------------------------------------------------------
Match Deny only     Request denied      Request denied

If you want the Deny from all for the given files only, you must move it inside a FilesMatch section

<FilesMatch "\.php$">
    Deny from all
</FilesMatch>

<FilesMatch "start\.php$">
    Allow from all
</FilesMatch>

You can use a Files section too, of course, but notice the sidenote

<FilesMatch> is preferred, however.
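
The difference between the two configurations, as an added example that is not part of the original answer: a simplified Python model of Apache 2.2 Order/Allow/Deny evaluation, limited to "from all" rules. It assumes a matching Files/FilesMatch section replaces the enclosing access rules rather than combining with them; admin.php, restart.php and style.css are constructed request names.

```python
import re

# Simplified model of Apache 2.2 Order/Allow/Deny, "from all" rules only.
# Assumption: a matching <Files>/<FilesMatch> section replaces the enclosing
# access rules instead of being combined with them.

def decide(order, allow_all, deny_all):
    """Apply the Order directive's result table to one request."""
    if allow_all and deny_all:            # match both: final match controls
        return "allowed" if order == "deny,allow" else "denied"
    if allow_all:                         # match Allow only
        return "allowed"
    if deny_all:                          # match Deny only
        return "denied"
    # no match: default to the second directive of the Order
    return "allowed" if order == "deny,allow" else "denied"

def check(config, filename):
    """Return the access decision for one requested filename."""
    rules = config["base"]
    for pattern, section_rules in config["sections"]:
        if re.search(pattern, filename):
            rules = section_rules         # later matching section wins
    return decide(rules.get("order", "deny,allow"),
                  rules.get("allow", False), rules.get("deny", False))

STATIC = r"\.(txt|xml|css|jpe?g|png|gif|js|pdf)$"

# The .htaccess from the question: Deny from all outside any section.
QUESTION = {
    "base": {"order": "deny,allow", "deny": True},
    "sections": [(STATIC, {"allow": True}), (r"start\.php$", {"allow": True})],
}
# The configuration from this answer: Deny only inside FilesMatch "\.php$".
ANSWER = {
    "base": {},
    "sections": [(r"\.php$", {"deny": True}), (r"start\.php$", {"allow": True})],
}

def report(config):
    # Constructed sample requests, not taken from the original page.
    names = ["test", "start.php", "admin.php", "restart.php", "style.css"]
    return {name: check(config, name) for name in names}

if __name__ == "__main__":
    print("question:", report(QUESTION))
    print("answer:  ", report(ANSWER))
```

In both configurations restart.php is allowed, because start\.php$ is not anchored at the start of the filename; ^start\.php$ matches only start.php.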

0

This is just an idea, I haven't tested it. I have removed all the deny/allow rules.

AddDefaultCharset utf-8

Options -MultiViews
Options +FollowSymLinks
Options All -Indexes

RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_FILENAME} -f // the request is a file
RewriteCond $1 ^.+\.php$ // the requested file has php extension
RewriteCond $1 !^start\.php // and is not that start.php file (the one you will allow)
RewriteRule ^(.*)$ - [F,L] // forbid request

Just remove the // comments. They are not valid htaccess comments.
