Developer Snippet Diary

php_value auto_prepend_file and php_value auto_append_file: execute PHP files before or after every PHP file

PHP provides two special configuration options that allow you to automatically run PHP code before or after every PHP script on your website:

auto_prepend_file → runs before every PHP script

auto_append_file → runs after every PHP script

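These are often set in .htaccess, php.ini, or an Apache VirtualHost block. The php_value form shown on this page is Apache syntax, used in .htaccess or a VirtualHost block when PHP runs as an Apache module; php.ini sets the same directive without the php_value prefix.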

1. What is auto_prepend_file?
This directive forces PHP to automatically include a PHP file before running any script.

php_value auto_prepend_file "/home/user/public_html/firewall.php"

Before running index.php, login.php, api.php, blog.php, etc., PHP will FIRST execute firewall.php.

Purposes

1. Load Global Config (edit as needed): /home/user/public_html/firewall.php

$FIREWALL_CONFIG = [
    "rate_limit_requests" => 30,           // max requests
    "rate_limit_seconds"  => 60,           // in 60 seconds
    "log_directory"        => __DIR__ . "/fw-logs",
    "blocked_ip_file"      => __DIR__ . "/blocked-ips.txt",
    "track_user_activity"  => true,
];

This loads the global settings safely.

2. Blocked IPs System

$blocked_ips_file = __DIR__ . "/blocked-ips.txt";
if (!file_exists($blocked_ips_file)) {
    file_put_contents($blocked_ips_file, "");
}

$blocked_ips = file($blocked_ips_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

$ip = $_SERVER['REMOTE_ADDR'] ?? 'UNKNOWN';

if (in_array($ip, $blocked_ips)) {
    header("HTTP/1.1 403 Forbidden");
    exit("Access Denied");
}

Reads blocked-ips.txt and immediately blocks any banned IP. Offending IPs are added to the block list automatically by the rate limiter in section 4.

3. Basic Attack Filtering

$bad_user_agents = [
    'curl', 'wget', 'python', 'bot', 'crawl', 'spider',
    'scan', 'sqlmap', 'nmap', 'masscan'
];

$ua = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');

foreach ($bad_user_agents as $bad) {
    if (strpos($ua, $bad) !== false) {
        exit("Access Denied (Bad Bot)");
    }
}

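Basic attack protection: rejects requests whose User-Agent contains strings used by curl, Python scripts, sqlmap, spiders, bots, scanners, and scrapers. The User-Agent header is set by the client, so this only stops tools that leave it at its default, and broad patterns such as 'bot', 'crawl' and 'spider' also match legitimate search-engine crawlers.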

4. Rate Limiting (per IP)

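$log_dir = __DIR__ . "/fw-logs";
// Create the log directory on first use; without it the writes below fail
if (!is_dir($log_dir)) {
    mkdir($log_dir, 0700, true);
}
// Replace '.' (IPv4) and ':' (IPv6) so the address is a plain file name
$rate_file = $log_dir . "/rate_" . str_replace(['.', ':'], '_', $ip) . ".json";

$time_now = time();
$rate_data = [
    "count" => 0,
    "start" => $time_now
];

// Load previous rate data (keep the defaults if the file is empty or corrupt)
if (file_exists($rate_file)) {
    $saved = json_decode(file_get_contents($rate_file), true);
    if (is_array($saved) && isset($saved["count"], $saved["start"])) {
        $rate_data = $saved;
    }
}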

// Reset window if expired
if ($time_now - $rate_data["start"] > 60) {
    $rate_data["count"] = 0;
    $rate_data["start"] = $time_now;
}

// Count this request
$rate_data["count"]++;
file_put_contents($rate_file, json_encode($rate_data));

// If limit exceeded → Block IP
if ($rate_data["count"] > 30) {
    file_put_contents($blocked_ips_file, $ip . "\n", FILE_APPEND);
    header("HTTP/1.1 429 Too Many Requests");
    exit("Too many requests. You are temporarily blocked.");
}

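Allows 30 requests per minute per IP. Exceeding the limit auto-bans the IP and returns 429. The ban is written to blocked-ips.txt and nothing on this page removes it, so later requests from that IP get the 403 from section 2 until the entry is deleted.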
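A variant of the rate limiter above that holds a file lock across the read-modify-write and lets the ban expire on its own. This is an added example, not code from the original post; fw_rate_check(), the ban_until field and the 600-second ban length are assumptions introduced here.

```php
<?php
// Added example (not the original post's code). fw_rate_check() and the
// ban_until field are hypothetical names introduced for this sketch.
function fw_rate_check(string $ip, string $dir, int $limit = 30,
                       int $window = 60, int $ban = 600, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        return true; // fail open: a broken log dir must not take the site down
    }
    // Hash the address so IPv6 colons or odd input never reach the file name.
    $path = $dir . '/rate_' . hash('sha256', $ip) . '.json';

    $fh = fopen($path, 'c+');          // create if missing, do not truncate
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return true;
    }
    $state = json_decode(stream_get_contents($fh) ?: '', true);
    if (!is_array($state) || !isset($state['count'], $state['start'])) {
        $state = ['count' => 0, 'start' => $now, 'ban_until' => 0];
    }
    if ($now - $state['start'] > $window) {   // window expired: reset counter
        $state['count'] = 0;
        $state['start'] = $now;
    }
    $state['count']++;
    if ($state['count'] > $limit) {
        $state['ban_until'] = $now + $ban;    // ban ends without manual cleanup
    }
    $allowed = $now >= ($state['ban_until'] ?? 0);

    ftruncate($fh, 0);                 // rewrite the state under the same lock
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Usage inside firewall.php (skipped on the CLI, where REMOTE_ADDR is unset).
if (isset($_SERVER['REMOTE_ADDR'])
    && !fw_rate_check($_SERVER['REMOTE_ADDR'], __DIR__ . '/fw-logs')) {
    http_response_code(429);
    header('Retry-After: 600');
    exit('Too many requests. You are temporarily blocked.');
}
```

Because the post keeps fw-logs under public_html, the state files are reachable over HTTP unless the directory is denied in the web server configuration or moved outside the document root.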

5. Start Session Globally

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

 

>>>>>>>>>>>>>>>>>>

auto_append_file: Used to include a PHP file after every PHP script finishes executing.

php_value auto_append_file "/home/user/public_html/footer.php"

The path must be absolute, not relative


Posted by: R GONDAL
Email: rizikmw@gmail.com