1

I am not sure how to do this, but I want to block all access to a specific set of folders on my web server. Say secret01 and secret02...

homeDir
  |- data
  |- www
  |   |- .htaccess (file)
  |   |- images
  |   |- js
  |   |- secret01
  |   |- secret02
  |   |...
  |...

What rule(s) do I need to add to my root .htaccess file to do this? I want all access from the web blocked from going into these folders, period. Only way one could get to them would be over SFTP or SSH. So what rule am I looking for? I am preferably looking for a one-liner so I can add more folders or move it to another site down the road. I really would prefer if the rule could be placed in the .htaccess root file so I don't have to jump all over the place to lock and unlock folders.

= Update for Clarity =

I do not have access to the conf file for this host (it is in a shared environment) and I need to have these folders inside the webroot for a few shell purposes. If I could I would have already moved them up out of the webroot.

I also don't want to screw with the file permissions, just have a rule in my .htaccess that blocks web traffic from accessing a folder or set of folders.

Urda

2 Answers

4

You can just create a .htaccess with

```
DENY FROM ALL
```

for the folders (put the file in those).

Also with mod_rewrite on www/.htaccess:

```
RewriteEngine On
RewriteRule ^(secret1|secret2|asdf) - [F,L]
```

handfix
  • Bam, I wanted that last line right there, I have no issue adding many folders to the rule, but that blocks out everything, ends rule checking, and prevents all access from the web. Great answer! Welcome to ServerFault :) – Urda Mar 19 '10 at 14:44
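An added example, not part of the answer above: the rule's pattern is a prefix match, so `^(secret01|secret02)` also forbids sibling names such as `secret010/` or `secret01.html`. The Python below builds a variant anchored at a path-segment boundary from a folder list and checks both patterns against constructed request paths. The function names are hypothetical, and Python's `re` stands in for Apache's PCRE, which agrees for patterns this simple.

```python
import re

def build_rule(folders):
    """Return a RewriteRule line for www/.htaccess forbidding exactly these folders."""
    for name in folders:
        if not name or re.search(r"[\s/]", name):
            raise ValueError(f"unsupported folder name: {name!r}")
    alternation = "|".join(re.escape(name) for name in folders)
    # (/|$) ends the match at a segment boundary; [F] returns 403 and implies [L].
    return f"RewriteRule ^({alternation})(/|$) - [F]"

def rule_pattern(rule_line):
    """The regex is the second whitespace-separated token of a RewriteRule line."""
    return rule_line.split()[1]

def is_blocked(pattern, url_path):
    """Approximate per-directory matching: in www/.htaccess the pattern is
    tested against the path relative to www/, without the leading slash."""
    return re.search(pattern, url_path.lstrip("/")) is not None

def overmatched(loose, strict, paths):
    """Paths the loose pattern forbids although the strict one lets them through."""
    return [p for p in paths if is_blocked(loose, p) and not is_blocked(strict, p)]

# Constructed sample request paths (not taken from the original post).
SAMPLE_PATHS = [
    "/secret01/",
    "/secret01/keys.txt",
    "/secret02",
    "/secret010/public.html",
    "/secret01.html",
    "/images/secret01/logo.png",
    "/js/app.js",
]

LOOSE = "^(secret01|secret02)"  # prefix-only form, with the asker's folder names
STRICT_RULE = build_rule(["secret01", "secret02"])
STRICT = rule_pattern(STRICT_RULE)

if __name__ == "__main__":
    print(STRICT_RULE)
    for path in SAMPLE_PATHS:
        print(f"{path:28} loose={is_blocked(LOOSE, path)} strict={is_blocked(STRICT, path)}")
    print("blocked only by the loose pattern:", overmatched(LOOSE, STRICT, SAMPLE_PATHS))
```
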
1

If you truly do not want them accessible to the Internet via HTTP, you should move them outside of the Web tree entirely.

You can also use filesystem permissions. For example, if Apache runs as the apache user, but you want the files only accessible via SSH by user2, you can have secret* owned by user2 and not publicly readable. Of course, there are nearly endless additional options here: groups, filesystem ACLs, and more.

For ACLs, you can use mod_authz. It's best to keep the configuration in the conf and not in .htaccess. Having them in .htaccess introduces more exposure and the possibility of manipulation with lesser privileges.

mod_authz documentation

Warner
  • I understand that, but I need them in the webroot for shell purposes. I just want all access to them blocked from the outside world from the web. I *do not* have access to the conf file as this is a shared environment. – Urda Mar 19 '10 at 13:42
  • As handfix said, `deny from all` is all it takes. – Warner Mar 19 '10 at 14:11