Suggested .htaccess rewrite is not hiding system folder
#1

[eluser]helloworldly[/eluser]
I'm using the suggested mod_rewrite rules, which work great in removing index.php from the url but do not also remove access to the system folder as it suggests it should: (From Codeigniter wiki: http://codeigniter.com/wiki/mod_rewrite/)

I also have config/config.php set as suggested with:
$config['index_page'] = "";
$config['uri_protocol'] = "QUERY_STRING";

Everything works fine locally using MAMP and remotely using GoDaddy server re: removing index.php from the url, but I am still able to view the system folder and its contents on both MAMP and GoDaddy. So, as an example, going to http://example.com/folderWhereFullAppRes...e_view.php will display the view contents rather than redirecting to app's index.php as htaccess implies it should.

As an alternative to using htaccess rules: I'd love to move the system outside the public www view, but that is not possible with GoDaddy from what I can see and so am bound to using .htaccess rules.

Seems this part of the suggested htaccess file is not functioning as intended in my environments:

#Removes access to the system folder by users.
#Additionally this will allow you to create a System.php controller,
#previously this would not have been possible.
#'system' can be replaced if you have renamed your system folder.
RewriteCond %{REQUEST_URI} ^system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]

If it matters: the client is using the "deluxe" GoDaddy setup where multiple domains / sites can be hosted from 1 account.

Any thoughts? Thanks much.
#2

[eluser]Rick Jolly[/eluser]
You could try this and make sure it is above any other rules.
Code:
RewriteCond $1 ^system [NC]
RewriteRule ^(.*)$ /index.php?/$1 [L]

Edit: removed the not ("!")
#3

[eluser]helloworldly[/eluser]
Thanks Rick. Yes, it's preventing access to system folder now, though it couldn't find the index.php:

"The requested URL /index.php was not found on this server."

So originally it was:
RewriteCond %{REQUEST_URI} ^system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]

And you added this similar rule above other rules:
RewriteCond $1 ^system [NC]
RewriteRule ^(.*)$ /index.php?/$1 [L]

What's the difference between the two? Why would two rules be needed?

Thanks Rick!
#4

[eluser]Rick Jolly[/eluser]
Well that can't be your only rule, or all urls besides those starting with "system" wouldn't work. For example, you could use rules that look something like this:
Code:
RewriteCond $1 ^system [NC]
RewriteRule ^(.*)$ /index.php?/$1 [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?/$1 [L]
Since "system" is a directory, if the first rule was last, it wouldn't get matched since RewriteCond %{REQUEST_FILENAME} !-d would be true. That says if the REQUEST_FILENAME is a directory, execute the rule.

Quote:What’s the difference between the two?

For you, probably nothing. But I think it is better to not use REQUEST_URI in .htaccess if your RewriteBase is a subdirectory - which apparently doesn't apply to you. Otherwise you'd have to include your subdirectory before the "system" in the REQUEST_URI RewriteCond. It's a subtle difference and only applies if you are working in a subdirectory and using .htaccess.

So I don't think the rewrite rule by itself was the problem. I suspect some other rule above it matched so that rule wasn't executed. The [L] means last - "if this rule matched, don't execute another".

Quote:Why would two rules be needed?
One rule must match, or your script won't be found.
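
Added example (not part of the original thread): a simplified Python model of how mod_rewrite evaluates these conditions in a .htaccess file, showing which test string each RewriteCond sees. The function name, rule labels and sample paths are constructed for illustration; the model assumes %{REQUEST_URI} keeps the full path with its leading slash while $1 is the path relative to the directory holding the .htaccess.

```python
import re

# Constructed sample: paths that exist below the directory holding .htaccess.
EXISTING = {"index.php", "css/site.css",
            "system/application/views/some_view.php"}

def evaluate(rules, request_uri, htaccess_prefix="/"):
    """Return the label of the first rule that fires, or 'served as-is'."""
    rel = request_uri[len(htaccess_prefix):]        # what ^(.*)$ captures as $1
    variables = {"$1": rel, "%{REQUEST_URI}": request_uri}
    for label, conds in rules:
        matched = True
        for test, pattern, flags in conds:
            if test == "%{REQUEST_FILENAME}":       # models the !-f / !-d pair
                matched = rel not in EXISTING
            else:
                matched = re.search(pattern, variables[test], flags) is not None
            if not matched:
                break
        if matched:
            return label                            # [L]: no further rules run
    return "served as-is"

FRONT = ("front-controller", [("%{REQUEST_FILENAME}", None, 0)])

# Rule from the first post: tested against REQUEST_URI, which starts with "/".
WIKI = [("system-block", [("%{REQUEST_URI}", r"^system.*", 0)]), FRONT]
# Rule from post #2: tested against $1, which has no leading slash.
DOLLAR1 = [("system-block", [("$1", r"^system", re.I)]), FRONT]
# REQUEST_URI variant written for a site at the web root.
URI_ROOT = [("system-block", [("%{REQUEST_URI}", r"^/system", 0)]), FRONT]

VIEW = "/system/application/views/some_view.php"

if __name__ == "__main__":
    for name, rules in (("WIKI", WIKI), ("DOLLAR1", DOLLAR1), ("URI_ROOT", URI_ROOT)):
        print(name, "root:", evaluate(rules, VIEW),
              "| /app/:", evaluate(rules, "/app" + VIEW, "/app/"))
```

In this model the REQUEST_URI condition without a leading slash never fires, so the view file is served directly, and the REQUEST_URI variant stops matching once the application sits in a subdirectory, which is the case post #4 describes.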
#5

[eluser]Rick Jolly[/eluser]
If you are not aware, on most hosts you move your system directory above the web root so that it cannot be accessed through a url. Also, as opposed to sending requests to "system" through CI, you could just disallow those requests entirely.
#6

[eluser]helloworldly[/eluser]
Quote:"If you are not aware, on most hosts you move your system directory above the web root so that it cannot be accessed through a url."

Yeah I wish Go Daddy gave me that freedom but they don't. At least not on the plan my client has -- or not that I can see anyway.

Re: my htaccess - I had the exact copy of the recommended htaccess from that codeigniter wiki post I linked to in my first post. The only difference was that I commented out the rewritebase:

Code:
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Allow or disallow use of RewriteBase
    # RewriteBase /
    
    RewriteCond $1 ^system [NC]
    RewriteRule ^(.*)$ /index.php?/$1 [L]

    #Removes access to the system folder by users.
    #Additionally this will allow you to create a System.php controller,
    #previously this would not have been possible.
    #'system' can be replaced if you have renamed your system folder.
    RewriteCond %{REQUEST_URI} ^system.*
    RewriteRule ^(.*)$ /index.php?/$1 [L]

    #Checks to see if the user is attempting to access a valid file,
    #such as an image or css document, if this isn't true it sends the
    #request to index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>

<IfModule !mod_rewrite.c>
    # If we don't have mod_rewrite installed, all 404's
    # can be sent to index.php, and everything works as normal.
    # Submitted by: ElliotHaughin

    ErrorDocument 404 /index.php
</IfModule>
#7

[eluser]Rick Jolly[/eluser]
Notice the "/" before index.php on the first 2 rules? I thought that was specific to GoDaddy, but I see your last rule doesn't have it. Remove the "/" in front of index.php for all rules and you should be good to go.
#8

[eluser]Johan André[/eluser]
Correct me if I'm wrong, but doesn't CI limit the direct access to core-files if the constant BASE is not defined?
#9

[eluser]helloworldly[/eluser]
Yeah just seems like a path issue... this helped - instead of giving a php error - it directs to the stylized 404 page. Though I thought it was to go to the index.php and display the home page...

Just a path issue i guess...
#10

[eluser]Rick Jolly[/eluser]
[quote author="helloworldly" date="1263270474"]Yeah just seems like a path issue... this helped - instead of giving a php error - it directs to the stylized 404 page. Though I thought it was to go to the index.php and display the home page...

Just a path issue i guess...[/quote]
Expected behavior. If you typed example.com/fsdfjsdlfjj you'd get the 404 page. If the url can't be resolved to a controller/method, then 404.



