Blocking access to a subfolder

PHP
1

Hi Guys,

I was hoping to have some assistance with an IIS7 web.config issue I was having.

I am working on a PHP framework and wish to have most of the URL’s passed to my index.php as the PATH_INFO. I would like not to invoke my index.php if the file exists (so go direct), but I would like to protect a sub-folder which is named WEB-INF (and all the contents below it).

I currently have the web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
     <system.webServer>
         <rewrite>
             <rules>
                 <rule name="Go direct on files and folders" stopProcessing="true">
                     <match url="^.*$" />
                     <conditions logicalGrouping="MatchAny">
                         <add input="{REQUEST_FILENAME}"
                             matchType="IsFile" pattern=""
                             ignoreCase="false" />
                         <add input="{REQUEST_FILENAME}"
                             matchType="IsDirectory"
                             pattern="" ignoreCase="false" />
                     </conditions>
                     <action type="None" />
                 </rule>
                 <rule name="Pass PHP the request PATH_INFO" stopProcessing="true">
                     <match url="^(.*)$" />
                     <action type="Rewrite" url="index.php/{R:1}" />
                 </rule>
             </rules>
         </rewrite>
     </system.webServer>
</configuration>

I saw a reference website: http://learn.iis.net/page.aspx/143/use-request-filtering/ which looks like it might have some of the details in it, but I am not sure which particular function to use. Is it something to do with filtering out hidden segments?

Thanks for the assistance.

2

Can someone assist by maybe suggesting where I should be posting this if this is not appropriate for this forum category? thanks!

3

IMHO this is the best place here to ask about this. The Microsoft Rep comes by at least every third Friday so you may have to wait a while. Maybe another member that knows (there’s a few) will stop by to help. Sorry, I’d try to help but I’m clueless about this one.

4

I’ve queried a very nice acquaintance of mine…

Who kindly suggested…

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll">
                        <add input="{URL}" pattern="/**!!FOLDER NAME!!**" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" />
                </rule>
                <rule name="Imported Rule 1" stopProcessing="true">
                    <match url="^(.*)$" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAll">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" pattern="" ignoreCase="false" />
                    </conditions>
                    <action type="Rewrite" url="app.php" appendQueryString="true" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Which actually makes sense when you look at it. It’s always the way! :slight_smile:

5

Awesome, thanks heaps!