Blocking external access to directory but allowing SSI access (or, How does the `FilesMatch` directive actually work?)

Question

On an old site, where i was using PHP, I had a .htaccess in directory /noaccess as follows:

# /noaccess/.htaccess
<FilesMatch "^.*$">
order allow,deny
deny from all
</FilesMatch> 

And I had a PHP file like,

<html>
<body>
<?php include('noaccess/blah.ssi'); ?>
</body>
</html>

This works fine and the contents of blah.ssi is visible.

However, on my current site I'm using SSI and the following:

<html>
<body>
<!--#include virtual="noaccess/blah.ssi" -->
</body>
</html>

does not work. The logs show unable to include "noaccess/blah.ssi". Remove the FilesMatch directive and it works. So I'm obviously misunderstanding how that command works, I didn't realise it would block Apache itself. So how can I block access from the web but allow SSI access? (I thought I could (and should) store the stuff I don't want accessed outside of public_html but that doesn't seem to work either in the SSI include - but anyway, even if it did, I'm interested to know how to do this).

Thanks, T.

Answer 1

As far as I know by experience, mod_include follows the limits of the client, so you cannot do what you want with apache directives.

If you want to hide the included files you can disable directory indexes with the Options -Indexes directive on your .htaccess file, though. Also, you can name the included files in a hard to guess way.

My prefered option would be using uuids, you can generate them with online tools or install some utility on your workstation:

itorres@localhost$ uuid
6e8feb48-1a3b-11e0-a0e3-00505624a126
itorres@localhost$ vi noaccess/6e8feb48-1a3b-11e0-a0e3-00505624a126.ssi

Answer 2

if you only wanted to not allow people to see your files if they enter it in an address bar, then you could put them in a directory with no indexes (-Indexes) and an unpublished name and if you never reveal the names of the files (which SSI does not do), then you only need worry if someone guesses one correctly. You can always block access by disallowing according to referrer, or something similar.