@iAugur
Last active December 19, 2015 16:19
# Control access to sensitive files

See http://technology.blue-bag.com/apache-rewrites-control-access-php-files

There are certain PHP files that you want access to but don't want to make public. Common examples of these are:

  • PHPInfo.php
  • APC.php
  • memcache.php

You also don't really want to deploy these on all of your sites on a server, nor have them in the git repositories for those sites. A neat way of dealing with this is to use rewriting in your web server config files (e.g. Apache, NGINX, IIS) to do the following:

  • password protect these files
  • deny access to all but a limited set of IP addresses
  • point all requests to these files to a default set so they don't have to be duplicated in every site.

## Blocking access to all PHP files other than index.php

Note that this is specific to CMSs such as Drupal and WordPress that pass all page requests through index.php. In this example I also refuse access to all TXT files other than robots.txt. This saves you having to delete them from your Drupal install, as is often recommended for security, and saves you doing that again every time you update core.

```apache
# Require a password for admin files, or allow from a listed IP.
# Order/Deny/Allow/Satisfy are Apache 2.2 access directives (mod_access_compat on 2.4).
#<FilesMatch "^(phpinfo\.php|apc\.php|memcache\.php)$">
# Match every .php file except index.php and every .txt file except robots.txt.
# FilesMatch patterns are PCRE, so a negative lookahead expresses "not this name";
# a character class such as [^index] only excludes single letters, so names like
# update.php or cron.php would slip through unprotected.
<FilesMatch "^(?!index\.php$|robots\.txt$).*\.(php|txt)$">
AuthName "Development"
AuthUserFile {location of your password file}
AuthType Basic
Require valid-user
Order deny,allow
Deny from all
Allow from {your-ip}
Allow from 127.0.0.1
Satisfy Any
</FilesMatch>
```
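Before deploying a FilesMatch pattern it is worth checking which basenames it actually catches. The script below is an added example, not part of the gist: it evaluates an anchored negative-lookahead pattern against a constructed list of Drupal/WordPress docroot files and contrasts it with the character-class form `[^index].php`, which excludes only single letters rather than the name index.php (Python's `re` and Apache's PCRE agree on these constructs).

```python
import re

# Pattern that protects every .php or .txt basename except exactly index.php
# and robots.txt. Apache FilesMatch uses PCRE, so the negative lookahead works
# there as it does here.
PROTECT_ALL_BUT_ENTRYPOINTS = re.compile(r"^(?!index\.php$|robots\.txt$).*\.(php|txt)$")

# Character-class form: [^index] means "one character that is not i, n, d, e
# or x", not "not the word index", so it is evaluated here only to show the gap.
CHAR_CLASS_FORM = re.compile(r"([^index].php|[^robots].*\.txt)$")


def is_protected(pattern, basename):
    """True if the FilesMatch-style pattern matches the file's basename."""
    return pattern.search(basename) is not None


def unprotected(pattern, basenames):
    """Return the basenames the pattern leaves open, in input order."""
    return [b for b in basenames if not is_protected(pattern, b)]


# Constructed sample of basenames typically present in a CMS docroot.
SAMPLE = [
    "index.php", "robots.txt", "update.php", "cron.php", "install.php",
    "phpinfo.php", "xmlrpc.php", "CHANGELOG.txt", "INSTALL.txt",
]

if __name__ == "__main__":
    # Only the two intended entry points stay open with the lookahead pattern.
    print("lookahead leaves open:", unprotected(PROTECT_ALL_BUT_ENTRYPOINTS, SAMPLE))
    # The character-class form also leaves update.php and cron.php open,
    # because 'e' and 'n' fall inside the excluded set of letters.
    print("char-class leaves open:", unprotected(CHAR_CLASS_FORM, SAMPLE))
```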

## Use a default set of instrumentation files (phpinfo.php, apc.php etc.)

Next let's look at rewriting all requests to these standard PHP files to a set of default files. Say we have site X (www.example.com) with its site root at /var/www/sitex/htdocs/, and we keep the default files in a folder /var/www/default/ containing phpinfo.php, apc.php etc. What we want is for a request to www.example.com/phpinfo.php to actually serve /var/www/default/phpinfo.php. To do this, set up file aliases in Apache and rewrite all requests to these files to their defaults:

```apache
Alias /default-phpinfo.php /var/www/default/phpinfo.php
Alias /default-apc.php /var/www/default/apc.php
Alias /default-memcache.php /var/www/default/memcache.php
<FilesMatch "(apc\.php|memcache\.php|phpinfo\.php)$">
RewriteEngine on
# Each pair of conditions fires only when the requested file is absent from
# the site's own docroot, so a site can override the default by shipping its own copy.
RewriteCond %{REQUEST_FILENAME} phpinfo\.php$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* /default-phpinfo.php [L]
RewriteCond %{REQUEST_FILENAME} apc\.php$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* /default-apc.php [L]
RewriteCond %{REQUEST_FILENAME} memcache\.php$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* /default-memcache.php [L]
</FilesMatch>
```

The rules say: if someone asks for phpinfo.php and it doesn't exist at the URL they asked for, return the default. This allows you to 'override' the rule by placing a phpinfo.php in the root of your site should you want to. Using this technique means that any new site on your server has access to these files without you having to duplicate them all over the place, and they are protected from general access. Note: the files referred to in the aliases must exist or you will get a 500 error when you visit them. These rules can go in .htaccess in the root of your site, but as always, for performance reasons they are better placed in your vhosts / httpd.conf files if you have access to those.
