In this post, I will talk about how to protect non-critical but sensitive directories from accessing by visitors. For real critical directories, such as /wp-admin for WordPress or /phpmyadmin for administrating MySQL, I would recommend a stronger protection solution which can protect directories by Apache digested passwords.
For further information about digested passwords, you may refer to my post: How to Password Protect Web Directories by HTDIGEST.
Now go back to our topic. Let's say you have 10 virtual hosts running on your server, in which 5 of 10 contains system status in directory /status, and you want to block all visitors except specific clients from accessing the directory. There're several ways can achieve this:
By file system path directive <Directory>
You can specify the access order and permissions in the directives like this:
[root@test ~]# vi /etc/httpd/conf/httpd.conf ... <Directory /var/www/html/vhost01.com/status> Order Deny,Allow Deny from all Allow from 10.46.0.0/16 </Directory> ... <Directory /var/www/html/vhost05.com/status> Order Deny,Allow Deny from all Allow from 192.168.12.0/24 </Directory>
It looks cumbersome, but works.
By URL string path directive <Location>A simplified approach is to use directive <Location> to match the URL string path (e.g. http://www.example.com/status) and apply to all virtual hosts at once:
[root@test ~]# vi /etc/httpd/conf/httpd.conf ... <Location /status> Order Deny,Allow Deny from all Allow from 10.46.0.0/16 192.168.12.0/24 </Location>
It looks neat and fine.
Since Allow and Deny are all permission directives, so we expect 403 Forbidden will be returned to our clients. You can test the results after restarting httpd.
You don't have permission to access /status on this server.
Apache/2.2.26 (CentOS) Server at www.example.com Port 80
Another issue that we should be aware of, is the return code "403 Forbidden" itself. Malicious sniffers know 403 means there's an existent, sensitive and maybe important directory in your server. They may try harder to break the security.
A better way is to return visitors "404 Not Found" instead of 403. I will talk about it in the post: How to Return "404 Not Found" Instead of "403 Forbidden".