mod-rewrite redirect but prevent direct access

Question

I want to redirect all content to:

www.example.com/public/...

but prevent direct access to

www.example.com/public/file1/
ww         


        

Answer 1

Maybe you should clarify what's the expected behaviour when user tries to reach the real URL:

www.example.com/public/file1/

If by prevent you mean forbid, you could add a rule to respond with a 403

RewriteEngine On

RewriteCond %{REQUEST_URI} !/public/
RewriteRule ^(.*)$ /public/$1 [L]

RewriteCond %{REQUEST_URI} /public/
RewriteRule ^(.*)$ / [R=403,L]

Update: The solution above doesn't work!

I realized my previous solution always throws the 403 so it's worthless. Actually, this is kinda tricky because the redirection itself really contains /public/ in the URL.

The solution that really worked for me is to append a secret query string to the redirection and check for this value on URL's containing /public/:

RewriteEngine On

RewriteCond %{REQUEST_URI} !/public/
RewriteRule ^(.*)$ /public/$1?token=SECRET_TOKEN [L]

RewriteCond %{REQUEST_URI} /public/
RewriteCond %{QUERY_STRING} !token=SECRET_TOKEN
RewriteRule ^(.*)$ / [R=403,NC,L]

This way www.example.com/file1/ will show file1, but www.example.com/public/file1/ will throw a 403 Forbidden error response.

Concerns about security of this SECRET_TOKEN are discussed here: How secure is to append a secret token as query string in a htaccess rewrite rule?

---

If your URL's are expected to have it's own query string, like www.example.com/file1/?param=value be sure to add the flag QSA.

RewriteRule ^(.*)$ /public/$1?token=SECRET_TOKEN [QSA,L]