Apache Tips & Tricks: Deny access to certain file types
Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod_access
Scope: global server configuration, virtual host, directory, .htaccess
Type: security
Description: How to deny access to certain file types.
Useful: to deny access to certain files that contain private information (log files, source code, password files, etc.).
In a previous tip (Hide a file type from directory indexes) I showed how to hide some files from appearing in directory indexes. Even if a file does not appear in a directory index, access to it is not denied: a remote user who knows its exact location will still be able to fetch it from a browser. How can someone find out the location of a private file? It does not really matter much; paths or file names may show up in warning messages, or the files may be browsable in a directory where they are not hidden from the index. So if there are 'special files' that you do not want served to remote users under any circumstances, you will have to deny access to them.
In order to achieve this we will be using the standard apache module mod_access, which allows us to define access rules for various contexts (<Directory>, <Files>, and <Location> sections). In this case we are interested in the <Files> section.
Allow/Deny Directive in
Your apache configuration may already contain (and if not, it should) something similar to the following, which denies browser access to .htaccess files:
<Files ~ "^\.htaccess">
Order allow,deny
Deny from all
</Files>
This is a simple example of how to deny access to a single file by its name. If you don't have such a configuration, it is a good idea to add it :-).
Let's see how to deny access to several files at once; suppose we want to deny access to all files with the extension .inc (the includes of our PHP application). To achieve this we add the following lines in the appropriate context (global config, vhost or directory section, or .htaccess):
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
In the same way we can deny access to whatever other files we need to protect.
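As an added example (not from the original tip), here is one configuration that generalizes the rule above to several sensitive extensions at once using <FilesMatch>, which is equivalent to <Files ~ "..."> and is available in apache 1.3 and 2.0; the extension list is illustrative and should be adjusted to your application:

```apache
# Deny direct browser access to several sensitive file types with one rule.
# The alternation lists typical private files: PHP includes, log files,
# editor/backup copies, SQL dumps and ini-style config files (illustrative list).
<FilesMatch "\.(inc|log|bak|sql|ini)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Keep the usual protection for .htaccess and .htpasswd files as well;
# "^\.ht" matches any file name starting with ".ht".
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
```

After `apachectl configtest` and a reload, request a matching file (e.g. `curl -I http://example.com/config.inc`, with your own host and path) and confirm the server answers 403 Forbidden. On apache 2.4 the Order/Deny pair is replaced by `Require all denied` from mod_authz_core, so the blocks above need that one-line change there.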