blocks|key|241507|text|我只需将includes文件夹移出web根目录，但如果您想阻止对整个includes文件夹的直接访问，您可以在该文件夹中放置一个仅包含以下内容的.htaccess文件：|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|241508|deny+from+all|code-block|syntax|javascript|241509|这样你就无法打开该文件夹中的任何文件，但你可以将它们包含在php中而不会出现任何问题。|241510|entityMap^0|4|8|Y|8|20|9|0|0|0^^$0|@$1|2|3|4|5|6|7|O|8|@$9|P|A|Q|B|C]|$9|R|A|S|B|C]|$9|T|A|U|B|C]]|D|@]|E|$]]|$1|F|3|G|5|H|7|V|8|@]|D|@]|E|$I|J]]|$1|K|3|L|5|6|7|W|8|@]|D|@]|E|$]]|$1|M|3|-4|5|6|7|X|8|@]|D|@]|E|$]]]|N|$]]

I would just move the <code>includes</code> folder out of the web-root, but if you want to block direct access to the whole <code>includes</code> folder, you can put a <code>.htaccess</code> file in that folder that contains just:

<pre><code>deny from all
</code></pre>

That way you cannot open any file from that folder, but you can include them in php without any problems.

blocks|key|238599|text|这是一个纯基于mod_rewrite的解决方案：|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|238600|RewriteRule+%5E(includes/%7Csubmit\.php)+-+[F,L,NC]|code-block|syntax|javascript|238601|如果URI包含/includes/或/submit.php，这将显示要使用的禁止错误|238602|entityMap^0|7|B|0|0|7|A|I|B|0^^$0|@$1|2|3|4|5|6|7|O|8|@$9|P|A|Q|B|C]]|D|@]|E|$]]|$1|F|3|G|5|H|7|R|8|@]|D|@]|E|$I|J]]|$1|K|3|L|5|6|7|S|8|@$9|T|A|U|B|C]|$9|V|A|W|B|C]]|D|@]|E|$]]|$1|M|3|-4|5|6|7|X|8|@]|D|@]|E|$]]]|N|$]]

This is pure <code>mod_rewrite</code> based solution:

<pre><code>RewriteRule ^(includes/|submit\.php) - [F,L,NC]
</code></pre>

This will show forbidden error to use if URI contains either <code>/includes/</code> or <code>/submit.php</code>

blocks|key|2906234|text|可以使用files指令并禁止访问所有文件，然后再次使用它来设置可访问的文件：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2906235|<Files+~+"%5E.*">
++Deny+from+all
</Files>

<Files+~+"%5Eindex\.php%7Ccss%7Cjs%7C.*\.png%7C.*\.jpg%7C.*\.gif">
++Allow+from+all
</Files>|code-block|syntax|javascript|2906236|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:

<pre><code>&lt;Files ~ "^.*"&gt;
 Deny from all
&lt;/Files&gt;

&lt;Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif"&gt;
 Allow from all
&lt;/Files&gt;
</code></pre>

blocks|key|3120535|text|1基于线性mod_alias的解决方案：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3120536|RedirectMatch+403+%5E/folder/file.php$|code-block|syntax|javascript|3120537|这将显示/folder/file.php的禁止错误|3120538|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

1 liner mod_alias based solution :

<pre><code>RedirectMatch 403 ^/folder/file.php$
</code></pre>

This will show forbidden error for /folder/file.php

blocks|key|238595|text|如果我理解正确的话，你只是想拒绝访问includes文件夹？|type|unstyled|depth|inlineStyleRanges|entityRanges|data|238596|在includes文件夹中放置一个带有“DENY+FROM+ALL”指令的.htaccess就可以做到这一点。|238597|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

If I understand correctly you just want to deny access to the includes folder?

An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.

blocks|key|241528|text|你的问题分为两部分，jeroen和anubhava的解决方案都适用于第一部分--拒绝访问/includes。anubhava也适用于第二部分。我更喜欢后者，因为我无论如何都使用DOCROOT/.htaccess，这样可以将所有这些控制保存在一个文件中。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|241529|然而，我想讨论的是“拒绝访问submit.php”的概念。如果你不想使用submit.php，那为什么还要用DOCROOT呢？我怀疑这里的答案是，您在某些表单中将其用作操作目标，并且只希望它在表单提交时触发，而不是直接从垃圾邮件中触发。|241530|如果这是真的，那么你就不能使用anubhava的第二部分，因为这会导致你的表单失败。您在这里可以做的是(i)使用.htaccess检查以确保引用是您自己的索引页：|241531|RewriteCond+%25{HTTP_REFERRER}+!=HTTP://www.domain.com/index.php+++[NC]
RewriteRule+%5Esubmit\.php$++++-+++++++++++++++++++++++++++++++++++[F]|code-block|syntax|javascript|241532|(ii)在PHP表单生成器中，包含一些用于时间戳和验证的隐藏字段。例如，验证可以是时间戳的MD5的前10个字符和一些内部秘密。在处理提交时，您可以(i)验证时间戳和验证是否匹配，以及(ii)时间戳在当前时间的15分钟内。|241533|这可以防止垃圾邮件，因为垃圾邮件发送者可以获得有效的时间戳/验证对的唯一实际方法是解析表单，但这种擦除只有15分钟的生命周期。|241534|entityMap^0|2G|H|0|E|A|10|A|0|1K|9|0|0|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@$9|V|A|W|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|X|8|@$9|Y|A|Z|B|C]|$9|10|A|11|B|C]]|D|@]|E|$]]|$1|H|3|I|5|6|7|12|8|@$9|13|A|14|B|C]]|D|@]|E|$]]|$1|J|3|K|5|L|7|15|8|@]|D|@]|E|$M|N]]|$1|O|3|P|5|6|7|16|8|@]|D|@]|E|$]]|$1|Q|3|R|5|6|7|17|8|@]|D|@]|E|$]]|$1|S|3|-4|5|6|7|18|8|@]|D|@]|E|$]]]|T|$]]

Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a <code>DOCROOT/.htaccess</code> anyway and this keeps all such control in one file.

However what I wanted t discuss is the concept of "denying access to <code>submit.php</code>". If you don't want to use <code>submit.php</code> then why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.

If this is true then you can't use anubhava's part II as this will cause your form to fail.
What you can do here is (i) with the <code>.htaccess</code> check to ensure that the referrer was your own index page:

<pre><code>RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php [NC]
RewriteRule ^submit\.php$ - [F]
</code></pre>

And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.

This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.

blocks|key|3120431|text|根据可能在更高级别设置的其他选项，您可能需要将以下内容放入includes目录的.htaccess文件中：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3120432|Satisfy+all
Order+deny,allow
Deny+from+all|code-block|syntax|javascript|3120433|当上面的目录定义了基本身份验证时，我遇到了这个问题，包括下面这行：|3120434|Satisfy+any|3120435|这阻止了我的deny+from+all生效，因为用户是经过身份验证的。|3120436|entityMap^0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|O|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|P|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|Q|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|R|8|@]|9|@]|A|$E|F]]|$1|K|3|L|5|6|7|S|8|@]|9|@]|A|$]]|$1|M|3|-4|5|6|7|T|8|@]|9|@]|A|$]]]|N|$]]

Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:

<pre><code>Satisfy all
Order deny,allow
Deny from all
</code></pre>

I ran into this when the upper directory defined basic authentication including the line:

<pre><code>Satisfy any
</code></pre>

This was preventing my deny from all to take effect because the users were authenticated.

blocks|key|239948|text|您可以将以下命令添加到.htaccess文件中|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|239949|Deny+from+all
ErrorDocument+403+"nothing+is+here"|code-block|syntax|javascript|239950|它将显示"nothing+is+here“消息，以防发生未经授权的访问。|239951|如果您希望通过错误代码重定向到某个页面，则可以按如下方式定义命令：|239952|ErrorDocument+404+"/errors/404.html"|239953|它将重定向到/errors/404.html并显示自定义页面未找到屏幕。|239954|entityMap^0|B|9|0|0|0|0|0|6|G|0^^$0|@$1|2|3|4|5|6|7|U|8|@$9|V|A|W|B|C]]|D|@]|E|$]]|$1|F|3|G|5|H|7|X|8|@]|D|@]|E|$I|J]]|$1|K|3|L|5|6|7|Y|8|@]|D|@]|E|$]]|$1|M|3|N|5|6|7|Z|8|@]|D|@]|E|$]]|$1|O|3|P|5|H|7|10|8|@]|D|@]|E|$I|J]]|$1|Q|3|R|5|6|7|11|8|@$9|12|A|13|B|C]]|D|@]|E|$]]|$1|S|3|-4|5|6|7|14|8|@]|D|@]|E|$]]]|T|$]]

You can add the below command to <code>.htaccess</code> file

<pre><code>Deny from all
ErrorDocument 403 "nothing is here"
</code></pre>

It will display the "nothing is here" message in case of the unauthorised access.

If you want to redirect by an error code to a certain page then you can define a command as follows:

<pre><code>ErrorDocument 404 "/errors/404.html"
</code></pre>

It will redirect to the <code>/errors/404.html</code> and show the custom page not found screen.

Here is the scenario:

<ul>
<li>There is a <code>index.php</code> file in root folder</li>
<li>some files are included in <code>index.php</code> which are in the <code>includes</code> folder.</li>
<li>1 other file (<code>submit.php</code>) is in the root folder for form submit action.</li>
</ul>

I want to restrict direct user access to the files in <code>includes</code> folder by htaccess. also for <code>submit.php</code>. But include will work for <code>index.php</code> file. 
Like, if user types <code>www.domain.com/includes/somepage.php</code>, it will restrict it (may be redirect to a error page).

deny direct access to a folder and file by htaccess

以下是场景：根文件夹中有一个index.php文件 index.php中包含的某些文件位于includes文件夹中。1其他文件(submit.php)位于表单提交操作的根文件夹中。我想通过htaccess限制用户直接访问includes文件夹中的文件。也适用于submit.php。但include将适用于index.php文件。例如，如果用户输入www.domain.com/includes/so

问拒绝通过htaccess直接访问文件夹和文件
EN

回答 8

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问拒绝通过htaccess直接访问文件夹和文件EN

回答 8

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问拒绝通过htaccess直接访问文件夹和文件
EN