保护某些文件和文件夹以防公用文件夹中的显示 [英] Protecting certain files and folders from view within a public folder
问题描述
今天,我已经为此苦苦挣扎了一段时间.我要完成的工作是,我需要阻止所有用户访问某些php文件和图像以及更多内容(它们位于单独的文件夹中).
Today I've been struggling with this for a while. What I am trying to accomplish is that I need to block all users from acessing a certain php files and images and more things (they are in a separate folder).
我正在使用WAMP服务器.
I am using WAMP-server.
我不希望用户只能访问该网站,例如"www/images/crazy-cat-picture.jpg"(或更喜欢"www/phpScripts/sign-up-user.php")但我仍然希望用户能够看到我网站上的图片并调用php脚本.
I do not want the users to be able to go to just that site, like "www/images/crazy-cat-picture.jpg" (or more like "www/phpScripts/sign-up-user.php") but I still want the users ta be able to see the pictures on my website and call the php scripts.
我尝试了3种不同的方法,但都没有很好的工作.
1 :将文件夹放置在www目录之外
1: Place the folder outside of the www directory
这没有用,因为php和html页面无法找到数据,并且将无法显示数据.
This did not work since the php and html pages can not find the data and it will simply not display it.
2: .htaccess文件,我在其中编写了此文件:
2: .htaccess file, where I wrote this:
Deny from all
Allow from 127.0.0.1
Allow from 192.168
这没有用,因为它完全阻止了访问,即使用户在单独的网站上,用户也无法查看内容.
This did not work since it's blocking the acess completely, and the users can not view the content even if they are on a seperate website.
3: .htaccess文件,我在其中编写了此文件:
3: .htaccess file, where i wrote this:
IndexIgnore *
这将删除标准,并且不显示文件夹而是将用户放置到index.php,然后我将该文件重定向到错误403页面,效果很好.但是这里的问题是,如果用户拥有完整的路径,例如"www/images/crazy-cat-picture.jpg",则仍然可以访问数据
This will remove the standard, and instead of displaying the folder it will place the user to index.php, I then have made this file re-directing to the error 403 page, this works pretty good. But the problem here is that users can still access the data if they have the whole path, like "www/images/crazy-cat-picture.jpg"
然后,我一直在考虑在我的所有php脚本文件和用户上传的图片上创建复杂的名称,这将使得很难找到图像和文件.但我想知道是否还有更好的方法,例如,如果用户未从我的网站之一调用它,则将所有内容阻止在一个特定的文件夹中.
Then I have been thinking about creating complicated names on all my php script files and the pictures that the users upload, this will make it very hard to be able to find the images and files. But I wonder if there is not a better way of doing this, like block all the content in a specific folder if the users are not calling it from one of my websites.
问题是:有人知道我如何无法在文件夹中查找内容,但仍然使用户能够在我的网站上使用它吗?
很抱歉,这篇文章很长,但我希望有人可以回答我的问题.谢谢!
Sorry for making this to a long post, but I hope there are someone who can answer my question. Thank you!
推荐答案
仅保护某些文件和文件夹
第一个解决方案
下一个示例显示了如何保护两个.php文件,两个文件夹和两个.jpg图像.其他所有内容均应保持可访问性.
Next example shows how to protect two .php files, two folders and two .jpg images. Everything else should remain accessible.
创建一个.htaccess文件并将其放置在受保护资产所在的文件夹中
Create an .htaccess file and place it within the folder there the protected assets are
# .htaccess
<FilesMatch ^((001|002)\.php$|folder-001|folder-002|(image-001|image-002)\.jpg)$>
AuthUserFile /absolute-path-to-the-password-file/.htpasswd
AuthName "Private Area"
AuthType Basic
Require valid-user
</FilesMatch>
然后创建一个加密的密码-使用此网站 htpasswd生成器
Then create an encrypted password - use this site htpasswd generator
创建一个.htpasswd 并将其放置在public_html文件夹之外.它包含从上述服务生成的用户名和密码.
Create an .htpasswd and place it outside of your public_html folder. It contains an username and password generated from the service mentioned above.
# .htpasswd
username:j9mKJ6TCrsbSk
如您所见,上面的文件将受到密码保护
As you can see, the files above will be password protected
第二个解决方案
您也可以使用下一个解决方案
You may use the next solution as well
# .htaccess
<FilesMatch ^((001|002)\.php$|folder-001|folder-002|(image-001|image-002)\.jpg)$>
Deny from all
</FilesMatch>
此解决方案不需要.htpasswd部分,但任何人都无法访问 FilesMatch 指令中列出的文件.
This solution doesn't need the .htpasswd part but files listed in FilesMatch directive will be inaccessible for anyone.
在Debian 7/Apache 2上测试
Tested on Debian 7 / Apache 2
这篇关于保护某些文件和文件夹以防公用文件夹中的显示的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
