Question
Today I've been struggling with this for a while. What I am trying to accomplish is that I need to block all users from accessing certain PHP files and images and more things (they are in a separate folder).
I am using WAMP-server.
I do not want the users to be able to go to just that site, like "www/images/crazy-cat-picture.jpg" (or more like "www/phpScripts/sign-up-user.php") but I still want the users to be able to see the pictures on my website and call the PHP scripts.
I tried 3 different ways, and none have been working well.
1: Place the folder outside of the www directory
This did not work since the php and html pages can not find the data and it will simply not display it.
2: .htaccess file, where I wrote this:
Deny from all
Allow from 127.0.0.1
Allow from 192.168
This did not work since it's blocking the access completely, and the users can not view the content even if they are on a separate website.
3: .htaccess file, where I wrote this:
IndexIgnore *
This will remove the standard, and instead of displaying the folder it will place the user to index.php, I then have made this file re-directing to the error 403 page, this works pretty good. But the problem here is that users can still access the data if they have the whole path, like "www/images/crazy-cat-picture.jpg"
Then I have been thinking about creating complicated names on all my php script files and the pictures that the users upload, this will make it very hard to be able to find the images and files. But I wonder if there is not a better way of doing this, like block all the content in a specific folder if the users are not calling it from one of my websites.
The question is: Does someone know how I can make it impossible to find content in a folder but still make users able to use it on my website?
Sorry for making this such a long post, but I hope there is someone who can answer my question. Thank you!
Answer 1:
Protecting only certain files and folders
1st solution
Next example shows how to protect two .php files, two folders and two .jpg images. Everything else should remain accessible.
Create an .htaccess file
and place it within the folder where the protected assets are
# .htaccess
<FilesMatch ^((001|002)\.php$|folder-001|folder-002|(image-001|image-002)\.jpg)$>
AuthUserFile /absolute-path-to-the-password-file/.htpasswd
AuthName "Private Area"
AuthType Basic
Require valid-user
</FilesMatch>
Then create an encrypted password - use this site htpasswd generator
Create an .htpasswd
and place it outside of your public_html folder. It contains a username and password generated from the service mentioned above.
# .htpasswd
username:j9mKJ6TCrsbSk
As you can see, the files above will be password protected
2nd solution
You may use the next solution as well
# .htaccess
<FilesMatch ^((001|002)\.php$|folder-001|folder-002|(image-001|image-002)\.jpg)$>
Deny from all
</FilesMatch>
This solution doesn't need the .htpasswd part but files listed in FilesMatch directive will be inaccessible for anyone.
Tested on Debian 7 / Apache 2
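The 2nd solution above written so that it works on both Apache 2.2 and Apache 2.4, as an added example that is not part of the original answer. It reuses the answer's file names; the `IfModule` split and the separate per-folder file are this example's own choices.

```apache
# .htaccess placed in the folder that holds the protected assets.
# File names are the ones used in the answer; replace them with your own.

# FilesMatch is matched against the name of the requested file, without
# its directory path. The pattern is quoted and anchored at both ends.
<FilesMatch "^((001|002)\.php|(image-001|image-002)\.jpg)$">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (no mod_authz_core): the syntax used in the answer
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# A whole folder (folder-001, folder-002) is closed off by a second
# .htaccess inside that folder, without any FilesMatch wrapper:
#
#   <IfModule mod_authz_core.c>
#       Require all denied
#   </IfModule>
#   <IfModule !mod_authz_core.c>
#       Order deny,allow
#       Deny from all
#   </IfModule>
```

These rules apply to HTTP requests only: a PHP script on the server can still `include` a denied file from disk, but a browser loading a denied image through an `<img>` tag gets a 403. The `.htaccess` file is honoured only if `AllowOverride` for that directory permits it (`AuthConfig` for `Require`, `Limit` for `Order`/`Deny`).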
Source: https://stackoverflow.com/questions/24716823/protecting-certain-files-and-folders-from-view-within-a-public-folder