[web] .htaccess - only allow access to certain files

This topic is 3594 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Hi everyone. I've got a bit of a problem (for me anyway, seeing as I know very little about the workings of .htaccess). Essentially I am going to have a series of directories containing text files. I don't want anyone to be able to access these text files directly via the URL (i.e. if they type http://www.mysite.com/files/user/file.txt I want an error to be displayed). However, I do wish to allow certain files (namely 2 particular .php and .swf files) to have full access to the .txt files so they can read and output them. The .php and .swf files will be sitting in the root of the server. Does anyone have any suggestions? I appreciate any help offered.

I don't think that's possible.

The PHP files are easy. .htaccess file blocking only blocks HTTP requests to the files, not regular local filesystem access. The PHP is run on the server. That means that they access the files locally so a .htaccess file doesn't stop them. So far, so good.

The SWF is a problem however. I presume that the SWF is sent to the client to be run in the browser, then opens an HTTP connection back to the server to fetch the TXT files (AJAX style). If so, it will be blocked by the .htaccess file. There is no way to set it up in such a way that the SWF can fetch the files over HTTP while a browser cannot. At least, not in such a way that is trivial to hack around by anyone with a little understanding of an HTTP request and a half-decent packet sniffer.

There are solutions, but they're a lot more complicated than a few .htaccess rules.

An .htaccess file containing something along the lines of:

# Deny every HTTP request for files ending in .txt
<FilesMatch "\.(txt)$">
    Order deny,allow
    Deny from all
</FilesMatch>

should work. Though, it's probably better to do it from within a directory directive if you have access to the Apache configuration.

You can also add an "allow from 10.10.10.12" (or whatever your server's IP is) to explicitly allow the server to access the files locally. However, that's probably unnecessary even for the AJAX thing - the client would just make the request to your PHP gateway which then has filesystem access to your text files already.

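A sketch of the PHP gateway mentioned in the last reply, as an added example that is not part of the original thread: the .txt files stay denied over HTTP, and the script reads them from the local filesystem after confining the request to the files/ tree. The script name, the `user` and `file` query parameters and the directory layout are assumptions; the gateway only limits which file is read, so any client that can reach it can still fetch the text, as the second reply points out.

```php
<?php
// gateway.php: added example. The file name, the "user"/"file" parameters
// and the files/<user>/<file>.txt layout are assumptions for illustration.
declare(strict_types=1);

const FILES_ROOT = __DIR__ . '/files';   // tree covered by the .htaccess deny rule

/**
 * Map a requested user/file pair to a real path inside FILES_ROOT.
 * Returns null when the request must be refused.
 */
function resolveTextFile($user, $file): ?string
{
    // Query parameters can arrive as arrays (?file[]=x); accept strings only.
    if (!is_string($user) || !is_string($file)) return null;

    // Allow-list the names so "../", NUL bytes and absolute paths are rejected
    // before anything touches the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $user)) return null;
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $file)) return null;

    $root = realpath(FILES_ROOT);
    $path = realpath(FILES_ROOT . "/$user/$file");   // false if the file is missing
    if ($root === false || $path === false) return null;

    // realpath() resolved any symlinks; confirm the result is still under the root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) return null;

    return is_file($path) ? $path : null;
}

$path = resolveTextFile($_GET['user'] ?? null, $_GET['file'] ?? null);
if ($path === null) {
    http_response_code(404);             // same answer for "missing" and "refused"
    exit;
}

header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');   // keep browsers from sniffing it as HTML
readfile($path);
```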
