I need to completely block the access of some directories of my PHP application.
This is how my application file system looks like:
www
├── core
│ ├── .htaccess
│ └── many .php files
│
├── logs
│ ├── .htaccess
│ └── many .log files
│
├── .htaccess
├── index.php
└── web.config
both www/core/.htaccess and www/logs/.htaccess look exactly the same:
deny from all
www/.htaccess is as described:
# Friendly-url definitions
RewriteEngine On
RewriteCond %{REQUEST_URI} /+[^\.]+$
RewriteRule ^(.*[^/])$ %{REQUEST_URI}/ [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /index.php [L]
Also, my web.config for IIS servers:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="core"/>
<add segment="settings"/>
<add segment="logs"/>
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Is this enough?
I used to put in all my PHP include files a "index.php existence" verification before any other code to make sure it wouldn't be directly accessed. If the file were directly accessed, it'd return 404. But I want to get rid of those annoying verification lines.
Now, with all those .htaccess files, when I try to directly access a file in one of those folders my request is completely "ignored" and www/index.php is executed - much better than a 404-error.
But, is this enough? Can I fearless rely on .htaccess and remove all those index-verification repetitiveness? What about web.config for IIS?
PS: As the application is being made to run in all server configurations possible, I cannot guarantee the possibility of putting those directories outside www. Also, it is required to work in both Apache and IIS servers.
