[Edit: Answered by CBroe below in comments]

I've read countless threads on this and nothing is working for me. I am in the process of hardening our www.mta-sts.[maindomain].com subdomain. For this subdomain, we only want one single page to be accessible, being www.mta-sts.[maindomain].com/.well-known/mta-sts.txt.

This file sits in a hidden directory (being the .well-known directory). We would like to forbid access to all hidden files and directories across the entire subdomain, while excluding the mta-sts.txt file from that rule.

The following rule works well to remove access to hidden files and directories (source):

# deny access to hidden files and directories
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RedirectMatch 404 /\..*$ [L]

How do we exclude the mta-sts.txt file from this rule?

We tried a popular answer (amongst many others) and it did not work:

# deny access to hidden files and directories
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteCond %{REQUEST_URI} !^/.well-known/mta-sts\.txt$
RedirectMatch 404 /\..*$ [L]
    `RewriteCond` and `RedirectMatch` have nothing whatsoever to do with each other. (They are not even provided by the same Apache module.) A `RewriteCond` works on the following `RewriteRule` - on `RedirectMatch`, it has no influence at all – CBroe Aug 25 '22 at 12:13
  • Thanks @CBroe, seems I misunderstood the source. So my option then is to use the "RewriteRule "(^|/)\." - [F]" instead and apply the exclusion? I will try that now. – perryghf Aug 25 '22 at 12:16
  • @CBroe, thank you, the following code worked just fine: " RewriteCond %{SCRIPT_FILENAME} -d [OR] RewriteCond %{SCRIPT_FILENAME} -f RewriteCond %{REQUEST_URI} !^/.well-known/mta-sts\.txt$ RewriteRule "(^|/)\." - [F]" This gives a 403 forbidden code and a 404 would be preferable, however, this should be sufficient. – perryghf Aug 25 '22 at 12:20
  • @perryghf You should write your answer in the answer box below (and later "accept it"), rather than posting a _comment_. (And unformatted code in comments can omit special characters, particularly when using regex.) If you want to trigger a 404 then use the `R=404` flag instead. – MrWhite Aug 25 '22 at 16:03

1 Answer

Credit to @Cbroe and @MrWhite in the comments.

Here is the snippet that works for me (404 redirect for all hidden files except the mta-sts.txt file):

# deny access to hidden files and directories (except mta-sts.txt)
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
# the dot in ".well-known" is escaped so the exclusion matches that exact path only
RewriteCond %{REQUEST_URI} !^/\.well-known/mta-sts\.txt$
RewriteRule "(^|/)\." - [R=404,NC,L]
    You don't really need to check whether the request maps to a directory or file (the first two _conditions_ / `RewriteCond` directives), since if it doesn't exist it will naturally result in a 404 anyway (with one exception). And filesystem checks are relatively expensive, so best avoided if possible. (The exception to this is if a _directory_ is requested, since this will likely result in a 403 not a 404 - so your rule overrides this response.) _Aside:_ The `NC` and `L` flags are not required here. The `L` flag is _implied_ when using a non-3xx response code. – MrWhite Aug 28 '22 at 10:16
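The rule set from the accepted answer, emulated in Python as an added example (this is not code from the original post or from Apache). It lets the exclusion condition and the `(^|/)\.` pattern be exercised against a constructed table of request paths, including the cases a practitioner checks before deploying: the query string not being part of `REQUEST_URI`, the `$` anchor keeping `mta-sts.txt.bak` blocked, nested dot-files, dots that are not hidden-file markers, and a case-insensitive filesystem where the case-sensitive `RewriteCond` no longer excludes the policy file. The "filesystem" is a hand-built dict standing in for the `-d`/`-f` checks, and Apache's per-directory matching is emulated only as far as this rule needs.

```python
import re
from typing import Optional

# Constructed stand-in for the document root (not a real filesystem): path -> "file" | "dir".
# It exists only so the -d / -f conditions from the answer can be emulated.
FAKE_FS = {
    "/.well-known": "dir",
    "/.well-known/mta-sts.txt": "file",
    "/.well-known/mta-sts.txt.bak": "file",
    "/.git": "dir",
    "/.git/config": "file",
    "/.env": "file",
    "/app/.htpasswd": "file",
    "/index.html": "file",
    "/files/report.2022.pdf": "file",
}

# RewriteRule "(^|/)\." - [R=404,NC,L]
# In .htaccess (per-directory) context the pattern is tested against the URL path relative
# to the directory, i.e. without its leading slash; that is why the pattern needs the
# "(^|/)" alternative. NC is harmless but redundant: the pattern contains no letters.
HIDDEN_RULE = re.compile(r"(^|/)\.", re.IGNORECASE)

# RewriteCond %{REQUEST_URI} !^/\.well-known/mta-sts\.txt$
# REQUEST_URI is the full path with its leading slash and without the query string. The
# condition has no NC flag, so it is case-sensitive, and the "$" anchor is what keeps a
# path such as "/.well-known/mta-sts.txt.bak" from being excluded as well.
ALLOWED_REQUEST_URI = re.compile(r"^/\.well-known/mta-sts\.txt$")


def rule_fires(request_uri: str, fs=FAKE_FS) -> Optional[int]:
    """Emulate the answer's rule set for one request.

    Returns 404 when the rule applies, None when it does not and Apache's default
    handling decides (200 for an existing file, 404 for a missing path, typically 403
    for a directory without an index).
    """
    path = request_uri.split("?", 1)[0]  # REQUEST_URI never carries the query string

    # RewriteCond %{SCRIPT_FILENAME} -d [OR]  /  RewriteCond %{SCRIPT_FILENAME} -f
    if fs.get(path.rstrip("/") or "/") not in ("dir", "file"):
        return None

    # RewriteCond %{REQUEST_URI} !^/\.well-known/mta-sts\.txt$  (negated: fails on the policy file)
    if ALLOWED_REQUEST_URI.match(path):
        return None

    # RewriteRule "(^|/)\." - [R=404,NC,L]  tested against the path relative to the root
    if HIDDEN_RULE.search(path.lstrip("/")):
        return 404
    return None


def served(request_uri: str, fs=FAKE_FS) -> bool:
    """True only when the request reaches an existing file and the rule did not fire,
    i.e. the client would receive a 200 for it."""
    path = request_uri.split("?", 1)[0]
    return rule_fires(request_uri, fs) is None and fs.get(path) == "file"


if __name__ == "__main__":
    samples = [
        "/.well-known/mta-sts.txt",       # the one hidden path that must stay reachable
        "/.well-known/mta-sts.txt?v=1",   # query string is not part of REQUEST_URI
        "/.well-known/mta-sts.txt.bak",   # "$" anchor keeps this blocked
        "/.well-known/",                  # the directory itself is blocked
        "/.git/config",
        "/.env",
        "/app/.htpasswd",                 # nested dot-file, matched via the "/\." branch
        "/index.html",
        "/files/report.2022.pdf",         # dots inside a name are not hidden-file markers
        "/.missing",                      # rule does not fire; Apache 404s on its own
    ]
    for uri in samples:
        print(f"{uri:34} rule={rule_fires(uri)!s:5} served={served(uri)}")

    # On a case-insensitive filesystem the file exists under any casing, but the
    # case-sensitive RewriteCond no longer excludes it, so the rule fires.
    ci_fs = {"/.WELL-KNOWN/MTA-STS.TXT": "file"}
    print("case-insensitive fs:", rule_fires("/.WELL-KNOWN/MTA-STS.TXT", ci_fs))
```

The emulation also illustrates MrWhite's point above: for a path that does not exist the rule never fires and Apache returns its own 404, so the `-d`/`-f` conditions only change the outcome for existing directories, where a 404 replaces the default 403.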