Wednesday, 27 May 2020

Apache + PHP - deny policy

This is a sample config for Apache + PHP (mod_php) that blocks all .php files by default and allows only the specified locations:
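# Default: PHP engine off and every *.php request denied.
# "engine" is a boolean, so it is set with php_admin_flag (the PHP manual
# says not to use the *_value directives for boolean settings).
# Deny/Allow is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it.
php_admin_flag engine off
<FilesMatch "\.php$">
  Deny from All
</FilesMatch>
# Exceptions: <Location> sections are merged after <FilesMatch>, so these win.
<Location /index.php>
  Allow from All
  php_admin_flag engine on
</Location>
<Location /sample/>
  Allow from All
  php_admin_flag engine on
</Location>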
This assumes there is a catch-all to index.php somewhere (.htaccess or vhost).
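To see which requests this policy lets through, the following added example (not part of the original post) models the config's matching rules in Python and evaluates a set of constructed probe paths. The names `evaluate`, `location_matches` and `PROBES` are hypothetical, and the model assumes the path is the one Apache sees after any rewrite and that the served file name is the last path segment.

```python
import re

# Mirrors the config above: default deny for *.php, then <Location> overrides.
DENY_FILES = re.compile(r"\.php$")            # <FilesMatch "\.php$">, case-sensitive
ALLOW_LOCATIONS = ["/index.php", "/sample/"]  # the two <Location> blocks


def location_matches(location, path):
    """Apache <Location> rule: exact match, or prefix ending at a '/' boundary."""
    if path == location:
        return True
    prefix = location if location.endswith("/") else location + "/"
    return path.startswith(prefix)


def evaluate(path):
    """Return (access, engine) for a URL path under the policy.

    Assumptions of this model: no PATH_INFO outside the allowed locations,
    and a matching <Location> overrides <FilesMatch> because Apache merges
    <Location> sections last.
    """
    if any(location_matches(loc, path) for loc in ALLOW_LOCATIONS):
        return ("allow", "on")
    filename = path.rsplit("/", 1)[-1]
    if DENY_FILES.search(filename):
        return ("deny", "off")
    return ("allow", "off")  # served as a static file, never run by PHP


# Constructed probe paths (not from the post) covering the boundary cases.
PROBES = [
    "/index.php", "/index.php/extra", "/index.phpx",
    "/sample/report.php", "/sample", "/samples/a.php",
    "/uploads/shell.php", "/uploads/shell.PHP", "/admin/index.php",
]


def run_probes():
    """Evaluate every probe and return {path: (access, engine)}."""
    return {path: evaluate(path) for path in PROBES}


if __name__ == "__main__":
    for path, (access, engine) in run_probes().items():
        print(f"{path:22} access={access:5} engine={engine}")
```

Two results are worth checking on a real server: every .php file under /sample/ is executable, and a name such as shell.PHP is not matched by the case-sensitive FilesMatch, so it is only protected by the engine being off.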