Using htaccess, how to restrict seeing directory contents, but allow server to use the contents?
More specifically, I have an htaccess file that restricts anyone from seeing the directory contents. Such that, nobody can see my 1000s of images in www.example.com/images by using:
deny from all
allow from 127.0.0.1
However, I want to use these images on www.example.com such that,
<img src="images/thisimg.jpg" />
works.
I hope I'm in the right direction, but I appreciate any insight/re-direct. This is similar to: How to protect all directory contents, but gain access to php script but I want to link to these images in that directory, and using deny from all does not allow me to do that.
Thanks in advance for your help.
in .htaccess
Options -Indexes
http://httpd.apache.org/docs/current/mod/core.html#options
All you need to keep people from seeing the directory contents is an index.php or .html file in that folder. Any requests for yoursite.com/images will load index.php, which you'll set to a dummy page.
index.html could be something like:
<html><title>Forbidden!</title><body>Nothing to see here...</body></html>
or a redirect script index.php:
<?php header('Location: /index.php'); exit(); ?>
Don't use .htaccess for blocking directory listings, it blocks access to everything.
Option 1 (Easy but not Preferable)-
You do not need to create an index file like this-
<html>
<title>Forbidden!</title>
<body>
<h1>Access Denied !!</h1>
</body>
</html>
And place it in each resource directory and in any directories you don't want to show users.
Option 2 (More Preferable)-
You can just add this at the end of your .htaccess file-
Options -Indexes
So, your .htaccess file may be like this-
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
Options -Indexes
</IfModule>
If you do that and try to go to a directory, you would get something like this-
So, no one will be able to discover any directory in server.
More can be found here.
Simplest solution: create a blank page named index.html in your image folder :)
Use something like this in .htaccess file:
#
###################################################################
### ###
### Currently protection ###
### images (jpg, jpeg, gif, png, bmp) ###
### JavaScript (js) ###
### Cascading Style Sheets (CSS) ###
### ###
###################################################################
#
<IfModule mod_rewrite.c>
# Rewrite rules are ignored unless the engine is switched on
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|js|css)$ http://access-denied.us/hotlinks.html [NC,L]
</ifModule>
#
This will allow your pages to load the documents and images you want while stopping everyone else's pages from doing it. I use this on all my sites and it works great.
deny from all
allows files to be used by server side scripts but restricts complete web access.
To me I feel the easiest way of getting it done is with a redirect. On the images directory, just create an index page and in the index page you have a redirect to your site index page i.e
<?php
header( 'Location: http://www.yoursite.com' ) ;
?>
So that whenever anyone tries to access the image page directly they end up going to your site's root.
If it were me I'd just make sure that the referrer is www.example.com, that's kinda one of its main uses.
Magicianeer's suggestion is the best for this problem. If your images are broken into subfolders you'd have to put an index file in each one. 'Options -Indexes' only needs to be done once at the root.
In the folder where you want to show access forbidden, create a file named index.php and paste this code:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access This Folder
on this server.</p>
</body></html>
I use a trick which makes people think they've accessed a folder which doesn't exist.
Create a HTML file and add this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body>
</html>
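A check for the outcomes the answers above describe, as an added example that is not part of any answer on this page: it classifies what a visitor gets for the directory URL and for one image inside it, telling apart an exposed listing, `deny from all` breaking the images, `Options -Indexes`, and a dummy or redirecting index file. The `Index of /` title is what Apache's mod_autoindex emits on a generated listing; the function names, outcome labels and sample responses are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Title that Apache mod_autoindex puts on a generated listing page.
AUTOINDEX = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

def fetch(url):
    """GET url and return (status, first 4 KiB of body); 4xx/5xx do not raise."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("latin-1")

def classify(dir_resp, file_resp):
    """Name the outcome from the directory response and one file response."""
    dir_status, dir_body = dir_resp
    file_status, _ = file_resp
    if dir_status == 200 and AUTOINDEX.search(dir_body):
        return "listing-exposed"      # visitors can enumerate every file
    if file_status != 200:
        return "files-blocked"        # e.g. deny from all: <img> breaks too
    if dir_status == 200:
        return "index-file-served"    # dummy or redirecting index page
    return "listing-disabled"         # e.g. Options -Indexes: 403 on the directory

def audit(base, directory, sample_file, get=fetch):
    """Check one directory URL and one file inside it."""
    return classify(get(base + directory), get(base + directory + sample_file))

# Constructed responses, one per configuration discussed on the page.
SAMPLES = {
    "no protection": ((200, "<html><head><title>Index of /images</title>"), (200, "")),
    "deny from all": ((403, "<h1>Forbidden</h1>"), (403, "<h1>Forbidden</h1>")),
    "Options -Indexes": ((403, "<h1>Forbidden</h1>"), (200, "")),
    "dummy index.html": ((200, "<html><title>Forbidden!</title>"), (200, "")),
}

if __name__ == "__main__":
    for name, (dir_resp, file_resp) in SAMPLES.items():
        print(f"{name:18} -> {classify(dir_resp, file_resp)}")
```

Against a live site, `audit("http://www.example.com", "/images/", "thisimg.jpg")` runs the same check with the default fetcher.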