.htaccess deny all, including the htaccess file and display 404 - how do I do it?

8
votes

How do I do this in my .htaccess file for a specific directory in my document root?:

  1. deny all access to anything (including the .htaccess too)
  2. return a 404, not a 403 error
  3. no files or subdirectories should be accessible or detected by humans or bots
  4. only php access by the local host would be allowed

Seems like it would be simple. This works but throws a 403 not a 404:

deny from all
3
phpapachesecurity.htaccess
See stackoverflow.com/questions/9692227/…xbonez
possible duplicate of Is there a way to force apache to return 404 instead of 403?Tadeck
Well I admit I'm a bit new to this area, but isn't the above referenced questions and answers not .htaccess but apache redirects? I'm really looking for a drop in place .htaccess solution, that is unless that approach is flawed in comparison... but maybe we're talking the same thing?Inator

3 Answers

3
votes

Why not create a custom error page? 

deny from all
ErrorDocument 403 /error/404.html

The server will always want to throw a 403 error if someone is not authorized to view the page and that's what you're trying to do. However, you can change the ErrorDocument for error 403 to show an HTML page that says it's a 404 error.

My example has a folder in the root directory named error and an html file in it named 404.html.

1
votes

Have you tried something like this? This will force a 403 Forbidden error when someone tries to view anything in DIRECTORY. PHP scripts can still access everything inside the directory. Obviously replace DIRECTORY with your preferred directory.

RewriteRule ^DIRECTORY - [F]

1
votes

I do not like sending some html page that says it's a 404 error when really it is just an html page that may as well be located at Iamafake404error.html

You might try this instead:

Order Deny,Allow
Deny from all
Allow from 1.2.3.4


ErrorDocument 403 /throwaREAL404error.html
ErrorDocument 404 /throwaREAL404error.html
ErrorDocument 500 /throwaREAL404error.html

### never deliver .git folders, .gitIgnore
RewriteRule ^(.*/)?\throwaREAL404error.html+ - [R=404,L]

# 2nd line of defense (if no mod_rewrite)
RedirectMatch 404 ^(.*/)?\throwaREAL404error+

https://serverfault.com/a/510951/194845