Deny direct access of file except server/localhost

2
votes

How can you deny direct access to files in a directory where I do not want users to access it directly but allow the server/localhost to access because the directory I am trying to avoid direct access contains HTML files that gets output/parsed by PHP.

The listing of the directory looks like this:

template
   |
   |
   +--------> acp
   |           |
   |           +------> acp_index.html
   |           +------> acp_settings.html
   |
   +--------> css
   |           |
   |           +------> stylesheet.css
   |
   +--------> js
   |           |
   |           +------> scripts.js
   |
   +---> index.html
   +---> login.html
   +---> etc...

In the template/acp I need to avoid direct access to files, but localhost/the server should be able to access and parse it.

2
apache.htaccess

2 Answers

3
votes

If i understand this right, you want to keep people out of template/acp while still allowing the server to access the files?

You could make a .htaccess and place it in template/acp, that file should contain the words deny from all, and just like that, everyone trying to get the file would not be able to, however the server still would be able to via. php or other server side scripting languages...

In php you can use functions like include() or require() to include the file in the php file and even execute php codes from the included file, or read the file with something like fread() or file_get_contents()...

But if your not using any server-side scripting there's no way you can completely avoid direct access to the files if you still need users to be able to see content from them...

Please note, that .htaccess is not supported by all types of web-servers. Apachee supports it, while other like lighttpd does not.

1
votes

If you never need direct access to these files, and only parsing from PHP then put these files out of the web directory. If the files are out of the web directory (and you do not set some alias path in Apache) then there is no way someone can access them one day.

PHP is not restricted to the web directory, PHP can access files in /tmp, /etc/ everywhere in your server (and that's a problem in fact). every file the apache user & group can read can be read by PHP.

On PHp setting will restrict this, it's the open_basedir, if this setting is set then you can opnly access files in directory tree of the directory caontined in open_basedir. So you may have to add your template directory there.

You may need as well to alter the include_dir setting to add your template place and write simplier include_once or require_once instructions.