I was working on a site that has a “cache” folder inside the DocumentRoot of Apache. Since this is a cache folder used by the PHP application, it needs to be writable by the apache user.
We need to prevent access to this folder. This can be done by adding a .htaccess file to the cache folder with the following content.
deny from all
The problem with this solution is that if the .htaccess file gets deleted, the cache folder becomes public again. Since it is a cache folder, there is a high chance it gets deleted.
Another solution is to disable access from inside the Apache VirtualHost configuration for the web site. This can be done by adding the following code to the Apache VirtualHost entry for the web site.
<Directory /path/to/folder/>
    Order Deny,allow
    Deny from all
</Directory>
Example VirtualHost Configuration
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory "/var/www/html">
        Options All
        AllowOverride All
        Require all granted
        Order allow,deny
        allow from all
    </Directory>
    <Directory /var/www/html/cache/>
        Order Deny,allow
        Deny from all
    </Directory>
</VirtualHost>
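The same VirtualHost written with Apache 2.4's native access-control directives, as an added example that is not part of the original post. It assumes Apache 2.4 (the example above already uses `Require all granted`) and additionally sets `AllowOverride None` on the cache folder, so that a .htaccess file appearing in that apache-writable directory is ignored and cannot change the rule.

```apache
<VirtualHost *:80>
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Site root: settings as in the page's example, using only the
    # 2.4-style Require directive (no legacy Order/Allow alongside it).
    <Directory "/var/www/html">
        Options All
        AllowOverride All
        Require all granted
    </Directory>

    # Cache folder: writable by the apache user, never served to clients.
    <Directory "/var/www/html/cache">
        # 2.4 equivalent of "Order Deny,allow" + "Deny from all".
        Require all denied
        # Do not read .htaccess files in this folder or below it, so the
        # rule above stays in force whatever files exist in the cache.
        AllowOverride None
    </Directory>
</VirtualHost>
```

After editing, `apachectl configtest` checks the syntax before a reload; a request for any file under the cache folder should then return 403 Forbidden.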