I have a file in a publicly accessible folder which is run by a cron job. I need to block direct access to it so it won't be run by regular users/spiders etc. On my own server, this works:

    if ($_SERVER['REQUEST_METHOD'] != "CRON") { exit("Access denied!"); }

But other servers are not having it. Do you have any suggestions to solve this? How would I do it via htaccess? How about:

    if ($_SERVER['REMOTE_ADDR'] != $_SERVER['SERVER_ADDR']) { exit("Access denied!"); }

Any ideas on what would be the neatest solution?
Is your cron job calling the file via wget (hence, via the web server) or via the command line? If it's via the command line then you could just move the file outside of your webroot. Other than that, I guess something like your second option is going to be your easiest / cleanest / best bet.
You could deny access based on IP address? Your localhost IP is something like 127.0.0.1, therefore deny access if $_SERVER['REMOTE_ADDR'] != "127.0.0.1". However, you should first tweak the script so that it writes the IP address used to a file so that you can be certain about what, if any, IP address fills that variable. Then only allow access from that IP address. But, since you are running the script via cron, the most secure way to run scripts you do not want anyone else to access is to move them outside the web tree or into a directory where you are the only user who has password access.
Had a few weird things with this. I run cron via Webmin, via command line. No Wget. Running it in the Webmin window $_SERVER['SERVER_ADDR'] is empty and $_SERVER['REMOTE_ADDR'] gives my WAN IP as opposed to the server's IP (which executes the cron). Both have me stumped. Putting it outside the root is an idea but makes including files inside that file an ugly business. What I've done is simply call the cron with a GET variable which is also defined inside the file and if they don't match it aborts. Like a secret code only the user knows.
Security through obfuscation is not always the best solution (if you are afraid they can get to your cron file name why shouldn't they be able to get to your GET query too? Otherwise, why bother from the start?) Why don't you just 401 the directory where the script is? Accessing it through the command line shouldn't be a problem, and wget knows how to handle authentication ( http://www.gnu.org/software/wget/manual/wget.html#Invoking ) Just my .2 €... Cheers
Approaching the same problem but from a slightly different direction you could disregard who is accessing the script and instead just check whether it is the right time for the script to execute. As long as the script doesn't return any sensitive data it wouldn't really matter who is accessing the script.
Hi, Below is a wget setup I use to request a private cron file every two hours with .htaccess authentication.

    0 */2 * * * wget -O- -q --http-user=username --http-passwd=password http://www.somedomain DOT com/priv/cron.php >> /dev/null 2>&1

Then all you need to do is set up a .htaccess on the directory where the script is. HTH
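
An added example, not code from any poster in this thread: a PHP guard that combines the command-line suggestion with the shared-secret idea discussed above. The token file path, the `token` POST field and the function name `cron_request_allowed` are assumptions for illustration, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: guard for a cron-only script that still lives in the web root.
// CRON_TOKEN_FILE and the "token" field name are hypothetical.

const CRON_TOKEN_FILE = '/etc/myapp/cron.token'; // outside the web root, mode 600

/**
 * Decide whether this invocation may run the job.
 *
 * @param string      $sapi   Value of PHP_SAPI ('cli' when cron runs the php binary)
 * @param string|null $given  Token supplied by a web caller, or null
 * @param string|null $secret Expected token, or null when none is configured
 */
function cron_request_allowed(string $sapi, ?string $given, ?string $secret): bool
{
    // A command-line run never passes through the web server, so no remote
    // client can trigger it. In CLI mode $_SERVER is filled from the process
    // environment rather than from a web request, so REMOTE_ADDR and
    // SERVER_ADDR are missing or inherited from whatever launched the process.
    if ($sapi === 'cli') {
        return true;
    }
    // Web run (wget or curl from cron): fail closed if no secret is configured.
    if ($secret === null || $secret === '' || $given === null) {
        return false;
    }
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($secret, $given);
}

$secret = is_readable(CRON_TOKEN_FILE)
    ? trim((string) file_get_contents(CRON_TOKEN_FILE))
    : null;

// Read the token from the POST body, not the query string, so it is not
// written to access logs together with the URL.
$given = (isset($_POST['token']) && is_string($_POST['token'])) ? $_POST['token'] : null;

if (!cron_request_allowed(PHP_SAPI, $given, $secret)) {
    http_response_code(403);
    exit("Access denied!");
}

// ... job body runs here ...
```

When cron starts the script with the php binary the guard passes on the SAPI check alone; a wget caller would have to send the token in the request body, for example with `--post-data`.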