.htaccess allow only php

I'm trying to write a .htaccess file which will block access to .inc files on my Apache web server.

At the moment a user can type in http://myserver/dbConf.inc and they get all my database credentials, not a great idea :-S

So after reading about .htaccess I've done the following:
<Files *.inc>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.png>
    Order Deny,Allow 
    Deny from all
</Files>


<Files *.swg>
    Order Deny,Allow 
    Deny from all
</Files>

Which successfully blocks access to my dbConf.inc file, but also my index.php file :-S

What I'm trying to do is only allow access to *.php, *.png, *.swg and block access to everything else, which I thought would be accomplished by:
<Files *.*>
    Order Deny,Allow 
    Deny from all
</Files>

What am I doing wrong?
Asked by: tonelm54

hielo Commented:
To allow access only to files with specific extensions try:
# Default for this directory: deny everyone except localhost
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

<FilesMatch "\.(?i:css|js|php|gif|png|jpg)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

To deny access only to files with specific extensions try:
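# Default for this directory: allow everyone
Order Deny,Allow
Allow from all

# Refuse files with these extensions (case-insensitive)
<FilesMatch "\.(?i:inc|dat|ini|conf)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>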

0
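
The allowlist in the answer above uses the Apache 2.2 access directives (`Order`, `Allow`, `Deny`). The following is an added example, not part of the thread: the same default-deny policy for the extensions named in the question (php, png, swg), written so one .htaccess file loads on both 2.2 and 2.4. Splitting on `mod_authz_core.c` with `IfModule` is this example's own choice.

```apache
# Added example, not from the thread.
# Policy: refuse every file, then allow only the extensions from the question.

# Apache 2.4+: mod_authz_core is present and Require replaces Order/Allow/Deny.
# Needs "AllowOverride AuthConfig" (or All) for this directory.
<IfModule mod_authz_core.c>
    # Default for this directory tree: nothing is served.
    Require all denied

    # Allowlist by extension, case-insensitive. dbConf.inc, *.dat, *.ini
    # and anything else not listed here stays denied.
    <FilesMatch "\.(?i:php|png|swg)$">
        Require all granted
    </FilesMatch>
</IfModule>

# Apache 2.2: no mod_authz_core, so fall back to the legacy directives.
# Needs "AllowOverride Limit" (or All) for this directory.
<IfModule !mod_authz_core.c>
    # Note: no space after the comma in Order.
    Order Deny,Allow
    Deny from all

    <FilesMatch "\.(?i:php|png|swg)$">
        Order Allow,Deny
        Allow from all
    </FilesMatch>
</IfModule>
```

After deploying it, request a denied file such as `http://myserver/dbConf.inc` and confirm the response is 403 rather than the file contents.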
 
darron_chapman Commented:
Is there a reason your credentials are in an .inc file? They really should be in a PHP file and not in a plain text, downloadable file.  You can include the file with the content below and name it dbConf.php ... it won't show up when someone goes to  http://myserver/dbConf.php
<?php
$userName = "admin";
$passWord = "mypassword";

0
 
Dave Baldwin (Fixer of Problems) Commented:
Standard practice is what darron suggests: make it a *.php file. You will see it done that way in WordPress, phpMyAdmin, and many other applications including mine.
0
 
tonelm54 (Author) Commented:
Ok, done that, which has worked.

What I'm now looking at is to stop the user being able to access some .dat files in a subdirectory. Is it possible to block access in the .htaccess file to .dat?
0
 
msifox Commented:
Problem with just putting them into a php file is that when the php interpreter doesn't run, the web server will show the php source instead of interpreting it.

You could configure your web server to use a different root directory and place the php files with passwords outside of this.

For example, when I see that the default root is /var/www, I set up /var/www/htdocs and declare this as root, then I create /var/www/php and put my PHP files with passwords there. Other PHP files can include them with
   include '../php/passwords.php';
but the web server will refuse to deliver
   http://../php/password.php

Another option is to use htaccess to refuse access to anything that has a name that begins with a dot. Then you can do
   include '.passwords.php';
but the web server will not show it.
0
 
darron_chapman Commented:
Try this in your .htaccess file

<Files ~ "\.dat$">
	Order allow,deny
	Deny from all
</Files>

0
 
skullnobrains Commented:
- you seem to deny access on all files, but I guess you noticed already

- the simplest, safest, and best practice way is to start by sticking those files in a place that the web server user can use but that is not in the web server's root

then you may want to try

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow
    Allow from all
</Files>

<Files *.png>
    Order Deny,Allow
    Allow from all
</Files>


<Files *.swg>
    Order Deny,Allow
    Allow from all
</Files>

or rather

<Files *>
    Order Allow,Deny
    Allow from all
</Files>

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>
0
Question has a verified solution.
