3
votes

I have this .htaccess file where I prevent users from physically accessing files from the browser (where they should only be loaded through the system):

Options -Indexes
Order deny,allow
deny from all

I have one problem, though: sometimes I load files via AJAX, and there I get 403 Forbidden. I have little experience with Apache's mod_access. I've been reading up on the Directory directive, since all my AJAX-based files are in one directory called ajax.

But the thing is, I need to deny access to all directories except ones called ajax, and my regex skills are lacking.

An example directory structure looks like this:

plugins/inventory/ajax
plugins/inventory/controller
plugins/inventory/view

plugins/packages/ajax
plugins/packages/controller
plugins/packages/view

The .htaccess file sits in the plugins directory.

1 Answer

4
votes

That you need to do this in the first place is kind of a failure of project architecture. Script files that shouldn't ever be accessible to the Web shouldn't be inside your DocumentRoot in the first place.

That said, this will probably work:

RewriteEngine on
<DirectoryMatch "/(?!.*/ajax$)">
   Order deny,allow
   Deny from all
</DirectoryMatch>
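
A way to check a DirectoryMatch pattern against the directory layout from the question before deploying it, as an added example that is not part of the original answer. It assumes Apache applies the pattern as an unanchored PCRE search against the directory path with no trailing slash; the leading `/` on the sample paths and the `ANCHORED` pattern are illustrative assumptions, not from the page.

```python
import re

# Directory layout from the question; the leading "/" is constructed here
# (a real check would use the full filesystem paths Apache sees).
DIRECTORIES = [
    "/plugins/inventory/ajax",
    "/plugins/inventory/controller",
    "/plugins/inventory/view",
    "/plugins/packages/ajax",
    "/plugins/packages/controller",
    "/plugins/packages/view",
]

POSTED = r"/(?!.*/ajax$)"      # pattern as posted in the answer
ANCHORED = r"^(?!.*/ajax/?$)"  # hypothetical anchored alternative (assumption)


def denied_directories(pattern, directories=DIRECTORIES):
    """Directories the deny block would apply to (unanchored search)."""
    rx = re.compile(pattern)
    return [d for d in directories if rx.search(d)]


def unexpected_results(pattern, directories=DIRECTORIES):
    """Compare the pattern with the intended policy:
    deny every directory except those named 'ajax'."""
    denied = set(denied_directories(pattern, directories))
    problems = []
    for d in directories:
        is_ajax = d.rstrip("/").rsplit("/", 1)[-1] == "ajax"
        if is_ajax and d in denied:
            problems.append((d, "ajax directory is denied"))
        elif not is_ajax and d not in denied:
            problems.append((d, "non-ajax directory is reachable"))
    return problems


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("anchored", ANCHORED)):
        print(name, pattern)
        results = unexpected_results(pattern) or [("-", "matches the intended policy")]
        for path, reason in results:
            print("   ", path, reason)
```

The lookahead in the posted pattern is evaluated after every `/` in the path, so it also succeeds at the final slash in front of `ajax`; anchoring with `^` makes it evaluate once, from the start of the path.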