how to protect server directory using .htaccess

Question

I have designed a website, and within it I have a range of PHP scripts which interact with my system. For example, if a user uploads an image, this is processed by the script

Answer 1

A lot of applications just put files like your scripts not in the public (like /public_html/ or /www/) folder but in the same root folder as your public folder.

so not root/public_html/ and root/public_html/scripts/

but root/public_html/ and root/scripts/

Anything in a folder above the public folder can't be accessed by visitors, but by specifying in for example /public_html/index.php the file '../scripts/yourscript.php' PHP can access these files and visitors can't. (the folder ../ means "go up one step in the folder hierarchy")

Answer 2

You can't really prevent direct requests to the files, and still have them remain accessible to other requests. The best you can do is mask their location, and control how they are accessed.

One way you could go is to create a PHP "switch" script, which would include the scripts for you, rather than have Apache request them directly.

For example, if you had your scripts/image.php rule target switch.php?file=image.php instead, somewhat like:

RewriteRule ([^\.]+\.(jpe?g|png|gif)$ switch.php?file=image.php&rw=1&meta=$1 [L,QSA]

You could add deny from all to the scripts/.htaccess file and do this in your switch.php file.

<?php
/** File: switch.php **/
$allowed_files = array(
    'login.php',
    'image.php'
);
$script_dir = 'scripts/';
if(isset($_POST['rw']) && in_array($_REQUEST['file'], $allowed_files)) {
    include $script_dir . $allowed_files[$_REQUEST['file']];
}
else {
    header('HTTP/1.1 404 File Not Found');
    include 'error404.html'; // Or something to that effect.
}
?>

The $_POST['rw'] there is a weak check, to see if the rule came from a RewriteRule, meant to prevent direct requests to the file. Pretty easy to bypass if you know it is there, but effective against random requests by bots and such.

This way, direct requests to either scripts/image.php and switch.php?file=image.php would fail, but requests to any image file would trigger the scripts/image.php script.

Answer 3

I want to ensure the PHP pages will accept post values, get values and can redirect to other pages, but not be directly accessed via the address bar or downloaded?

As long as Apache is configured to associate all .php files with the PHP application, no one can download the PHP content itself. So, if someone browsed to "mysite.com/image.php", PHP will run. The user will NOT see your PHP content.

This should already by done in your httpd.conf file as :

• AddType application/x-httpd-php .php .phtml

Now, image.php will be expecting certain post parameters. Short of implementing an MVC architecture as Atli suggested above, you could gracefully and securely deal with any missing parameters if they aren't provided. Then, users can get to the page directly but not do anything with it.

Answer 4

Blocking files with htaccess makes the files inaccessible to the requestor, e.g. the visitor of the page. So you need a proxy file to pass the visitor's request to the files. For that, have a look at the MVC pattern and the Front Controller pattern.

Basically, what you will want to do is route all requests to a single point of entry, e.g. index.php and decide from there, which action(your scripts) is called to process the request. Then you could place your scripts and templates outside the publicly accessible folder or, if that is impossible (on some shared hosts), protect the folders with htaccess like you already did (DENY FROM ALL) then.

To use the upload script you'd have a URL like http://example.com/index.php?action=upload.

A supersimple FrontController is as easy as

$scriptPath      = 'path/to/your/scripts/directory/';
$defaultAction   = 'action404.php';
$requestedAction = $_GET['action']; // you might want to sanitize this

switch($action) {
    case 'upload':
        $actionScript = 'image.php';
        break;
    case 'login':
        $actionScript = 'login.php';
        break;
    default:
        $actionScript = $defaultAction;
}
include $scriptPath . $actionScript;
exit;

Your actionScript would then do everything you need to do with the request, including redirection, db access, authentication, uploading stuff, rendering templates, etc - whatever you deem necessary. The default action in the example above could look like this:

<?php // action404.php
    header('HTTP/1.1 404 File Not Found');
    fpassthru('path/to/template/directory/error404.html');

There is numerous implementations of the FrontController pattern in PHP. Some simple, some complex. The CodeIgniter framework uses a lightweight MVC/FrontController implementation that might not be too overwhelming if this is new to to you.

Like Atli above suggested, you could use mod_rewrite to force all requests to index.php and you could also use it to pretty up your URLs. This is common practice with MVC frameworks and has been covered extensively here and elsewhere.

Answer 5

You can set deny from all on .htaccess and include these files from some accessible directory