[Edit: Answered by CBroe below in comments]
I've read countless threads on this and nothing is working for me. I am in the process of hardening our www.mta-sts.[maindomain].com subdomain. For this subdomain, we only want one single page to be accessible, being www.mta-sts.[maindomain].com/.well-known/mta-sts.txt.
This file sits in a hidden directory (being the .well-known directory). We would like to forbid access to all hidden files and directories across the entire subdomain, while excluding the mta-sts.txt file from that rule.
The following rule works well to remove access to hidden files and directories (source):
# deny access to hidden files and directories
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RedirectMatch 404 /\..*$ [L]
How do we exclude the mta-sts.txt file from this rule?
We tried a popular answer (amongst many others) and it did not work:
# deny access to hidden files and directories
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteCond %{REQUEST_URI} !^/.well-known/mta-sts\.txt$
RedirectMatch 404 /\..*$ [L]
CodePudding user response:
Credit to @Cbroe and @MrWhite in the comments.
Here is the snippet that works for me (404 redirect for all hidden files except the mta-sts.txt file):
# deny access to hidden files and directories (except mta-sts.txt)
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteCond %{REQUEST_URI} !^/.well-known/mta-sts\.txt$
RewriteRule "(^|/)\." - [R=404,NC,L]
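The difference between the two variants, modelled as an added example that is not part of the original posts: `RewriteCond` lines only gate the next `RewriteRule`, while `RedirectMatch` belongs to mod_alias and matches the URL path on its own, so the exception is never consulted in the question's version. The function names, the `on_disk` parameter and the sample paths are constructed for illustration, and the rules are assumed to sit in an `.htaccess` file in the document root.

```python
import re

# Patterns copied from the snippets on this page.
REDIRECTMATCH_RE = re.compile(r"/\..*$")                   # RedirectMatch 404 /\..*$
REWRITERULE_RE = re.compile(r"(^|/)\.", re.IGNORECASE)     # RewriteRule "(^|/)\." ... NC
EXCEPTION_RE = re.compile(r"^/.well-known/mta-sts\.txt$")  # negated RewriteCond


def redirectmatch_status(uri: str) -> int:
    """Question's variant: mod_alias looks at the URL path only.

    The RewriteCond lines above it are not evaluated for this directive,
    so the mta-sts.txt exception has no effect. 200 stands for normal
    handling of a file that exists.
    """
    return 404 if REDIRECTMATCH_RE.search(uri) else 200


def rewriterule_status(uri: str, on_disk: bool = True) -> int:
    """Answer's variant: pattern first, then (-d OR -f) AND the exception.

    Assumption: per-directory context, where RewriteRule sees the path
    without its leading slash while %{REQUEST_URI} keeps it.
    """
    rel_path = uri[1:] if uri.startswith("/") else uri
    if not REWRITERULE_RE.search(rel_path):
        return 200 if on_disk else 404  # rule not triggered
    if not on_disk:
        return 404                      # conditions fail; the ordinary 404 applies
    if EXCEPTION_RE.search(uri):
        return 200                      # negated condition fails; rule skipped
    return 404                          # R=404


# Constructed request paths, not taken from a real server.
SAMPLES = [
    "/.well-known/mta-sts.txt",
    "/.well-known/other.txt",
    "/.htaccess",
    "/assets/.git/config",
    "/index.html",
]


def compare() -> dict:
    """Map each sample path to (RedirectMatch result, RewriteRule result)."""
    return {u: (redirectmatch_status(u), rewriterule_status(u)) for u in SAMPLES}
```

Only the first sample differs between the two columns of `compare()`: the policy file is blocked by the `RedirectMatch` variant and served by the `RewriteRule` variant.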