Forbid access to directory except only one subdirectory with .htaccess

.htaccessapache-2.4mod-rewrite

I have a following dir structure on file system:

/users/[uid1]/

/users/[uid2]/ etc. (UID part is dynamic in the url, like /users/abc123/ or /users/def456/)

Inside of uid-dirs I also have some subdirectories and files for example:
images-dir another-dir file1 file2

I also have a .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /index.php [L,QSA]

So I rewrite every request to index.php for routing, only if requested file doesn't exist on file system.

Can I somehow forbid access to /users/[uid]/* except images-dir?

For example, allow:

/users/123abc/images-dir/some-image.jpg

and deny :

/users/123abc/another-dir

/users/123abc/file1

I need to deny direct access to this sub directories AND if somebody tries to get contents of forbidden files I want to send request to index.php

Is it possible to do with .htaccess?

Thanks

Best Answer

I assume you have a single .htaccess file in the document root.

You could do something like the following before your existing directives:

# If the request maps to a file or directory in the /users/<uid> space
# But is not the "images-dir" then forbid access
RewriteCond %{REQUEST_URI} !^/users/\w+/images-dir/
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^users/\w+/ - [F]

\w+ matches the <uid> and includes alphanumeric and underscore characters. If the <uid> follows a specific format then you could be more specific here.

If you only reference static resources in the /users/<uid>/... space (ie. no virtual URLs) then you could remove the above filesystem checks, since you know that every request targets a filesystem resource.

Related Solutions

Tomcat – Apache2 – mod_expire and mod_rewrite not working in httpd.conf – serving content from tomcat

Probably the ProxyPass / directive you have in your config routes all requests to the Tomcat backend, bypassing all your mod_rewrite directives. You can try to remove the ProxyPass directive and use RewriteRule with the [P] flag after your other rewrites:

mod_rewrite: P|proxy

For the expire headers the situation is worse — in another similar question a solution was not found.

Option +FollowSymLinks would be needed for using mod_rewrite in .htaccess files; in your case it is not required, because you can put everything in the Apache config. Moving rules from config to .htaccess is pointless and can only make things slower. However, there is an important difference between .htaccess and the Apache config — in .htaccess patterns in RewriteRule are matched against relative filesystem paths (which never start with /), while in the VirtualHost context these patterns are matched against the URL path after the hostname, which always starts with /. Therefore at least one of your rules is incorrect:

RewriteRule ^content/(js|css)/([a-z]+)-([0-9]+)\.(js|css)$ /content/$1/$2.$4

should be

RewriteRule ^/content/(js|css)/([a-z]+)-([0-9]+)\.(js|css)$ /content/$1/$2.$4

(note the additional slash in the beginning).

Linux – How to prevent the swf files being hotlinked, downloaded etc

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|swf)$ yourdomain.com/goaway.jpg [NC,R,L]

Best Answer

Related Solutions

Tomcat – Apache2 – mod_expire and mod_rewrite not working in httpd.conf – serving content from tomcat

Linux – How to prevent the swf files being hotlinked, downloaded etc

Related Topic