Htaccess exception / “deny from all except Paypal”

.htaccess

I spent my evening on this problem and I did not find how to solve/bypass it 🙁

I have in "mydomain.com/admin/" a .htaccess file with the following :

<Files ~ "[^index]\.php$">
Order Allow,Deny
Deny from All
</Files>

The goal of this .htaccess is to protect all the included files, as inc/config.php for example, from being directly called.

My problem is that I wish to make an exception for a notification php file used by paypal.
In other word, I have a file "mydomain.com/admin/paypal/notify.php" and I wish to allow paypal.com to execute it.

I tried tenth of things, as adding a "Files" authorization in the .htaccess

<Files /admin/paypal/notify.php>
Order Deny,Allow
Deny from all
Allow from paypal.com
</Files>

But succesless 🙁

… as if

<Files ~ "[^index]\.php$">

was the only followed rule.

Best Answer

<Files filename> only apply to a filename, you cannot use a path with it.

The Files directive documentation states:

The directives given within this section will be applied to any object with a basename (last component of filename) matching the specified filename.

Possible Solution:

In the directory admin/paypal, create an .htaccess with:

<Files notify.php>
  Order Deny,Allow
  Deny from All
  Allow from paypal.com
</Files>

Edit: reversed Deny and Allow.

Related Solutions

Linux – How to prevent the swf files being hotlinked, downloaded etc

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|swf)$ yourdomain.com/goaway.jpg [NC,R,L]

Php – Apache2 & .htaccess : Apache ignoring AccessFile

.htaccess files can interact with the main config in unobvious ways. In your case your problem is that you have access control bot in your httpd.conf and your .htaccess file. And they get both applied.

You have in your config:

Order allow,deny
allow from all

And in your .htaccess file:

Order Deny,Allow
Deny from all

So the end result is as if the permissions are:

Order Deny, Allow
Deny From All
Allow From ALL

Which means that everyone gets access. In this case you should use "Order Allow, Deny".

You should however not use .htaccess files at all if you have access to the main config. .htaccess files exist as a workaround for cases where you don't have the right to edit the main config (like shared hosting) but if you can edit the main config you should use that.

.htaccess files have a lot of disadvantages. They are only read at request time, and only after the server has translated the URL to a file system resource. They are not read when the server startes. This means that the .htaccess files are possibly read at every request (causing a performance hit), but sometimes not read ever.

Best Answer

Related Solutions

Linux – How to prevent the swf files being hotlinked, downloaded etc

Php – Apache2 & .htaccess : Apache ignoring AccessFile

Related Topic