
Restrict user access using .htaccess


Post by thandono » Sat Jan 21, 2012 1:09 am

Under the root directory, I have the following directory structure:

index.php
phpmyAdmin/
application_1/
application_2/

I want to restrict user access, so that if a request is not from localhost, all users are forced to access index.php and are not allowed to access any of the directories (phpMyAdmin, and so on).

I am thinking about using .htaccess but haven't found the right code.

Are there any bad effects if you use "AllowOverride All" in httpd.conf?
thandono
New php-forum User
Posts: 44
Joined: Sun Jan 01, 2012 3:06 am

Re: Restrict user access using .htaccess

Post by thandono » Sat Jan 21, 2012 7:19 am

Ok, I found this:

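Code:
Options +FollowSymlinks
RewriteEngine on
# Apply the rule only to clients that are not the local machine
RewriteCond %{REMOTE_HOST} !^127\.0\.0\.1
# ...and only when the request is not already for index.php
RewriteCond %{REQUEST_URI} !/index\.php$
# Redirect requests ending in .html to index.php
RewriteRule \.html$ /index.php [R=302,L]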


and I'm going to test it.
thandono
New php-forum User
Posts: 44
Joined: Sun Jan 01, 2012 3:06 am

Re: Restrict user access using .htaccess

Post by TheProdigyGuy » Sun Jan 22, 2012 7:51 pm

Well, it depends on which configuration element it applies to (httpd.conf has several).

Code:
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    # enabled dir listing disabled by me : # Options Indexes FollowSymLinks
     Options Includes FollowSymLinks MultiViews

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
   AllowOverride All
    #AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all

</Directory>


As you can see:
AllowOverride All
is uncommented,

and it carries a bit of a security risk (why?),
because an attacker can use .htaccess to force any extension to execute!
This is a well-known way of 'hacking' web servers (to execute CGI, Perl, etc., nasty things!)
+ It doesn't depend on the web server's OS (it applies to Windows and Linux as well!)

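Regarding your question:
This should do it for you (.htaccess):
Code:
RewriteEngine On
# Match every client except the local machine (dots escaped so they match literally)
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
# Answer 403 Forbidden for anything under the listed directories
RewriteRule ^(dir1/|dir2/)(.*)$ /$1 [F,NE,L]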


#[F,NE,L]: you can simply change the F (forbidden) flag to R (redirect, aka HTTP MOVE 302)
#+ You have to change dir1/ and dir2/ to your own, e.g. phpmyadmin/ etcdir/
Place it in the root of htdocs and save, that's all!
But it is best practice not to use the default MySQL root password which comes with LAMP, WAMP, VERTIGO, and to change it immediately,
because those 'holes' can completely compromise your OS and execute some nasty viruses on your system.
And yes, it is real!

Cheers.
TheProdigyGuy
New php-forum User
Posts: 215
Joined: Wed Dec 07, 2011 5:25 pm
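
Added example (not part of the posts above, and not configuration shipped by any project): the same local-only restriction written directly in httpd.conf for Apache 2.2, so that AllowOverride can be set to None. The htdocs path is taken from the excerpt above and the directory names from the first post; both are assumptions about the actual layout.

```apache
# Added example, Apache 2.2 syntax to match the httpd.conf excerpt in the thread.
# Assumed layout: htdocs path from that excerpt, directory names from the first post.

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
    Options Includes FollowSymLinks MultiViews
    # Before: "AllowOverride All" lets any .htaccess under htdocs change
    # handlers, options and rewrite rules.
    # After: .htaccess files are not read at all.
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Local-only directories. With "Order deny,allow" the Deny rules are checked
# first and a matching Allow overrides them, so only loopback clients pass;
# every other client receives 403 Forbidden. index.php stays public.
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/phpmyAdmin">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/application_1">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/application_2">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>

# If some .htaccess support is still needed, name only the required classes
# instead of All. mod_rewrite rules in .htaccess need FileInfo, the same
# class that permits handler changes, whereas Order/Allow/Deny need only Limit:
#     AllowOverride Limit
```

Run httpd -t to check the syntax before restarting Apache. On Apache 2.4 the three access lines in each local-only block are replaced by Require local.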

Re: Restrict user access using .htaccess

Post by llj000 » Mon Apr 09, 2012 7:24 am

Well, it depends on which configuration element it applies to (httpd.conf has several).
llj000
New php-forum User
Posts: 1
Joined: Mon Apr 09, 2012 7:02 am

