Apache: How To Deny Access To Certain File Types

By | April 21, 2008

Sometimes we need to block access to certain file types. We often disable directory listings and think that’s enough. But keeping files out of directory indexes does not deny access to them: if a remote user knows the exact location of a file, he can still fetch it from a browser. How can someone find out the location of a private file? This doesn’t really matter too much, but he might see paths or file names shown in warning messages, or elsewhere.
So if there are ‘special files’ that you never want served to remote users, you will have to deny access to them explicitly.

In order to achieve this we will use the standard Apache module mod_access, which allows us to define access rules for various contexts (<Directory>, <Files>, and <Location> sections). In this case we are interested in the <Files> section.
Allow/Deny Directive in <Files>

Your Apache default configuration might contain (or at least it would be nice if it did) a section similar to the following one, which denies access from the browser to .htaccess files:

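# Deny every request for a file whose name starts with ".htaccess".
# The dot is escaped so that it matches a literal dot, not any character.
<Files ~ "^\.htaccess">
Order allow,deny
Deny from all
</Files>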

Let’s see how we can deny access to several files at once. Suppose we want to deny access to all files with the extension .inc (the includes in our PHP application). To do this we add the following configuration lines in the appropriate context (global config, vhost/directory, or .htaccess):

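# Deny every request for a file whose name ends in ".inc".
# The dot is escaped so that it matches a literal dot, not any character.
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>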

In the same way we can deny access to whatever files we need. This does not provide folder protection; it works only for the file types you define. You can protect a directory from being viewed using the DirectAdmin Directory Password Protection page.
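
The patterns in <Files ~ "..."> are regular expressions, so an unescaped dot or a missing anchor changes which files are denied. The Python sketch below is an added example, not part of the original article: the sample paths are constructed, and it assumes <Files> is matched as an unanchored regex search against the basename of the requested file.

```python
import posixpath
import re

# Patterns in the style of <Files ~ "..."> sections. An unescaped dot
# matches any character; an escaped dot matches only a literal dot.
LOOSE = [r"^.htaccess", r".inc$"]
STRICT = [r"^\.htaccess", r"\.inc$"]

# Constructed request paths, for illustration only.
SAMPLE_PATHS = [
    "/.htaccess",
    "/app/.htaccess.bak",
    "/app/includes/db.inc",
    "/app/includes/db.inc.php",
    "/docs/zinc",
    "/xhtaccess-notes.txt",
    "/index.php",
]


def denied(path, patterns):
    """Return True if the basename of path matches any pattern.

    Assumption: <Files> matching is modelled as an unanchored regex
    search on the last path component only.
    """
    name = posixpath.basename(path)
    return any(re.search(p, name) for p in patterns)


def compare(paths):
    """Map each path to (denied by LOOSE, denied by STRICT)."""
    return {p: (denied(p, LOOSE), denied(p, STRICT)) for p in paths}


if __name__ == "__main__":
    for path, (loose, strict) in compare(SAMPLE_PATHS).items():
        print(f"{path:28} loose={loose!s:5} strict={strict}")
```

The run shows two things worth checking in a real configuration: the unescaped patterns also deny unrelated names such as zinc, and neither form covers db.inc.php, because the pattern is anchored to names ending in .inc.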