Blocking external access to directory but allowing SSI access (or, How does the `FilesMatch` directive actually work?)

Question

On an old site, where i was using PHP, I had a .htaccess in directory /noaccess as follows:

# /noaccess/.htaccess


        

Answer 1

if you only wanted to not allow people to see your files if they enter it in an address bar, then you could put them in a directory with no indexes (-Indexes) and an unpublished name and if you never reveal the names of the files (which SSI does not do), then you only need worry if someone guesses one correctly. You can always block access by disallowing according to referrer, or something similar.

Answer 2

As far as I know by experience, mod_include follows the limits of the client, so you cannot do what you want with apache directives.

If you want to hide the included files you can disable directory indexes with the Options -Indexes directive on your .htaccess file, though. Also, you can name the included files in a hard to guess way.

My prefered option would be using uuids, you can generate them with online tools or install some utility on your workstation:

itorres@localhost$ uuid
6e8feb48-1a3b-11e0-a0e3-00505624a126
itorres@localhost$ vi noaccess/6e8feb48-1a3b-11e0-a0e3-00505624a126.ssi