
Restrict user access using .htaccess

Posted: Sat Jan 21, 2012 1:09 am
by thandono
Under the root directory, I have the following directory structure;


I want to restrict user access. So if not from the localhost, all users are forced to access index.php and are not allowed to access any of the directories (phpMyAdmin, and so on).

I think about using .htaccess but haven't found the right code.

Are there any bad effects if you use "AllowOverride All" in httpd.conf?

Re: Restrict user access using .htaccess

Posted: Sat Jan 21, 2012 7:19 am
by thandono
Ok, I found this:

Code:

# FollowSymlinks is required for mod_rewrite to work from .htaccess
Options +FollowSymlinks
RewriteEngine on
# Only apply when the client is not 127.0.0.1
# (a space is required between the test string and the pattern;
#  %{REMOTE_HOST} is the client IP unless HostnameLookups is On)
RewriteCond %{REMOTE_HOST} !^127\.0\.0\.1
# ... and the request is not already for index.php
RewriteCond %{REQUEST_URI} !/index\.php$
# Send any .html request to index.php with a 302 redirect
RewriteRule \.html$ /index.php [R=302,L]
and I'm gonna test it

Re: Restrict user access using .htaccess

Posted: Sun Jan 22, 2012 7:51 pm
by TheProdigyGuy
Well, it depends on which configuration element it applies to (httpd.conf has several)

Code:

# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.

# This should be changed to whatever you set DocumentRoot to.
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    # The Options directive is both complicated and important.  Please see
    # for more information.
    # enabled dir listing disabled by me : # Options Indexes FollowSymLinks
    Options Includes FollowSymLinks MultiViews

    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    AllowOverride All
    #AllowOverride None

    # Controls who can get stuff from this server.
    Order allow,deny
    Allow from all
</Directory>

As you can see:
AllowOverride All

and it has a bit of a security risk (Why?)
Because an attacker can force any extension to execute using .htaccess!
This is a well known 'hacking' way of web servers (for executing CGI, Perl etc. etc. nasty things!)
+ It doesn't depend on the web server's OS (it will be Windows, Linux as well!)

Regarding your question:
This should do it for you (.htaccess):

Code:

RewriteEngine On
# Apply only when the client is not localhost (the exception the question asks for;
# the original pattern !^$ matched every client, since REMOTE_ADDR is never empty)
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
# Refuse anything under dir1/ or dir2/ with 403 Forbidden
# (the substitution /$1 is ignored while the F flag is present)
RewriteRule ^(dir1/|dir2/)(.*)$ /$1 [F,NE,L]
# [F,NE,L] you can simply change that F (forbidden) flag to R (redirect, HTTP 302)
# + You have to change dir1/ and dir2/ to yours, e.g. phpmyadmin/ etcdir/
Place it in the root of htdocs and save, that's all!
But it is a best practice (do not use the default MySQL root password which comes with LAMP, WAMP, VERTIGO) to change it immediately,
because those 'holes' can completely compromise your OS + execute some nasty viruses on your system.
And yes, it is real!
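A way to get the same restriction without relying on .htaccess at all, as an added example that is not code from either poster: keep the rules in httpd.conf, allow the phpMyAdmin directory only from localhost, and set AllowOverride None so a writable web root cannot re-enable features. The DocumentRoot path, the phpmyadmin directory name and the IPv6 loopback entry are assumptions.

```apache
# Added example: Apache 2.2-style httpd.conf fragment (assumed paths).
# Goal: everyone may load index.php in the web root, only localhost may
# reach the sub-directories, and .htaccess files cannot override any of it.

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
    # No directory listings, no symlink following, no SSI or CGI
    Options None
    # Ignore .htaccess entirely, so nobody who can write into htdocs can
    # turn ExecCGI back on or map a new extension to a script handler
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# phpMyAdmin (assumed location): localhost only, everyone else gets 403
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/phpmyadmin">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>

# Same rule for every other sub-directory of the web root, so a new tool
# dropped next to index.php is not public by default
<DirectoryMatch "^C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/.+/">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</DirectoryMatch>

# Apache 2.4 spelling of the same access block (mod_authz_core):
# <Directory ".../htdocs/phpmyadmin">
#     Require ip 127.0.0.1 ::1
# </Directory>
```

After restarting Apache, check it: `curl -I http://127.0.0.1/phpmyadmin/` run on the server should return 200 (or a phpMyAdmin redirect), while the same URL fetched from any other machine should return 403.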