Restrict user access using .htaccess


Anonymous

Guest
Under the root directory, I have the following directory structure:

index.php
phpmyAdmin/
application_1/
application_2/

I want to restrict user access. So if they are not coming from localhost, all users are forced to access index.php and are not allowed to access any of the directories (phpMyAdmin, and so on).

I am thinking about using .htaccess but haven't found the right code.

Are there any bad effects if you use "AllowOverride All" in httpd.conf?
 
Ok, I found this:

Code:
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REMOTE_HOST} !^127\.0\.0\.1
RewriteCond %{REQUEST_URI} !/index\.php$
RewriteRule \.html$ /index.php [R=302,L]

and I'm gonna test it
 
Well, it depends on which configuration element it applies to (httpd.conf has several).

Code:
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    # enabled dir listing disabled by me : # Options Indexes FollowSymLinks
     Options Includes FollowSymLinks MultiViews

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
   AllowOverride All
    #AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all

</Directory>

As you can see:
AllowOverride All
is uncommented,

and it carries a bit of a security risk. (Why?)
Because an attacker can use .htaccess to force any extension to execute!
This is a well-known way of 'hacking' web servers (to execute CGI, Perl, etc. and other nasty things!)
+ It doesn't depend on the web server's OS (it applies to Windows and Linux as well!)

Regarding your question:
This should do it for you (.htaccess):
Code:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteRule ^(dir1/|dir2/)(.*)$ /$1 [F,NE,L]

# [F,NE,L]: you can simply change the F (forbidden) flag to R (redirect, aka HTTP MOVE 302)
# + You have to change dir1/ and dir2/ to your own, e.g. phpmyadmin/ etcdir/
Place it in the root of htdocs and save; that's all!
But as a best practice, do not use the default MySQL root password which comes with LAMP, WAMP, VERTIGO; change it immediately.
Because those 'holes' can completely compromise your OS and execute some nasty viruses on your system.
And yes, it is real!

Cheers.
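
The same restriction can also be set in httpd.conf itself, which lets AllowOverride stay at None. This is an added example, not code from the thread: it uses Apache 2.2 access-control syntax, and the paths are assumptions built from the DocumentRoot in the httpd.conf quoted above plus the directory names given in the question.

```apache
# Added example (Apache 2.2 syntax). Paths are assumed: DocumentRoot from the
# quoted httpd.conf, directory names from the question.

# Document root: index.php stays reachable for everyone. With
# "AllowOverride None" .htaccess files are ignored, so a .htaccess dropped
# into the tree cannot add handlers or change options.
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Restricted directories: evaluated deny-first, then the loopback addresses
# are allowed back in. Every other client gets 403 Forbidden.
# A <Directory> section also covers all subdirectories below it.
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/phpMyAdmin">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/application_1">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/application_2">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>
```

Restart Apache after editing httpd.conf for the change to take effect. On Apache 2.4 the three access lines in each restricted block are replaced by `Require local`.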
 