I'm having problems with my Apache2 WebServer. I run LAMP on a VPS (Debian 9, 64bit).
I have two VirtualHosts, Alpha and Beta.
Each VirtualHost has a different DocumentRoot: Alpha has /var/www/A, and Beta has /var/www/B.
The problem is that I don't want Beta can include /var/www/A/index.php on his files, and the same is for Alpha: I don't want he can include /var/www/B/index.php (and all other documents) in his files.
How can I do this? I already tryed lots of method using .htaccess but nothing worked, for example:
Order Allow, Deny
Deny from All
Allow from mydomain.com
Thank you! Hope in an answer...is so important :)
if you speak about PHP's include it is not possible to achieve this with htaccess, since you could include any file in the whole file system that can be read by the Apache user.
A solution would be to have a program that can run Apache with different user access depending on the document root, so you can only include (read) the files inside the document root defined for the virtual host, I think it is possible using an Apache module or some other Unix program (I don't remember), it is the same solution that is used by web hosting providers when they give you a folder inside the file system and you can only read the files inside this folder, they usually give you a user name (a Unix user) which have only read access to a specific folder and also Apache run with the rights with this user and so on for PHP.
Related
I am just starting to look at PHP and Apache servers (at the moment use Ruby on Rails). I am looking to get two simple index.php files rendering in the browser, but they will be two separate sites. I have installed everything I need to I believe.
So if I go to localhost I get the Apache2 Ubuntu Default Page. This might be such a simple question but where do I store my files and directories? I have been looking in /var/www/.
I would like to create 2 sample sites as previously said. Could anyone point out where I should be looking and how I differentiate the two sites?
/var/www/ is your root folder for apache so your localhost is pointing to www. To create 2 different website you will require to create 2 new folder in www folder e.g web1 and web2 then localhost/web1 will point to /var/www/web1 same will goest for web2.
You can also set virtual host to make your web url like web1.com and web2.com check here on how to set virtual host in ubnuntu https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts
First, I would like to welcome you in this beautiful world of PHP :)
Now look into this file : /etc/apache2/httpd.conf and locate for this config DocumentRoot "THIS_IS_YOUR_DOC_ROOT_RICHLEWIS".
You can change it to your favorite document root an d restart Apache, or simply put your files here(php, html, images...
This might seem like a duplicate question but I have tried the solution given in the similar questions.
I want to limit access to files in a few folders on my apache server so that they can only be served through a php script to only the users logged in to the part of my system that should have access to any particular folder.
Other solutions suggest using the .htaccess
deny from all
allow from 127.0.0.1
But that seems to deny the files from everywhere.Including the local php scripts.
Im considering .htpasswd but that is an extra level of user credentials that needs to be handeled and I'd prefere to avoid that.
How should I get around this? Is there any better way of storing the files?
htaccess cannot deny access to files via php using include/require functions. If your php include is not accessing the file then the problem is the path to the file.
Somehow php was restricted by the
deny from all
allow from 127.0.0.1
to include and require files in the affected folders. This goes against what I can read from the apache documentation how this should work and I have no real answer why. The problem persisted both on my localhost using Xampp and on the webhotel one.com.
My original question was badly formed since I used require to test if I had read access to the folder when I actually wanted to use readfile.
My main concern was that I wanted to serve files for download from an inaccessible directory.
And the
readfile($filename);
could still access the files.
The soultion to this problem was that I realized that readfile() and include() somhow gets different permissions. I could not find this in any documentation.
can php require any php file in my pc?
I set the apache www root folder to be d:\phpnow\htdocs, I thought that php can only require php files under this folder before ,such as require('laji/hello/a.php');
today I found it php can load any php file in my PC ,only need the full path.
how to prevent ? it should not safe for web server.
can php require any php file in my pc?
Any file that the user whom the PHP program runs as has permission to access. (That is to say, filesystem permissions).
how to prevent?
Limit the permissions on the file system or chroot the server so it runs in a sandboxed environment. (I've no idea if chrooting is possible on Windows)
it should not safe for web server.
It is perfectly safe unless either:
You allow untrusted users to install their own PHP programs on your PC (but see also What do you recommend for setting up a shared server with php)
You allow file paths on your filesystem to be selected via unfiltered user input
PHP can include any file on the server within its jailed limits, if any. In this case your computer is the server. It's not a security issue, since a remote server has no way of accessing your file system.
You can deny access to a directory using .htaccess file since you run php with Apache.
If you want to block direct access to the whole includes folder, you can put a .htaccess file (the file has only extension, and no filename. You may use notepad to type code and save it as ".htaccess" with quotes, called absolute naming) in that folder that contains;
deny from all
If you want to disable directory listing, here is a tutorial:
Directory listing in htaccess. Allow, Deny, Disable, Enable Directory Listing in .htaccess
and you may refer this Stack Overflow question .htaccess deny access to folder
Just Google for folder access deny using htaccess and you can find lots of stuff.
Sorry if this is a trivial question.
I am a kind of new to PHP and I'm creating a project from scratch. I need to store my application logs (generated using log4php) as files, and I don't want them to be public.
They are now stored in a subfolder under my PHP application folder, (/myAppFolder/logs) so they are served by Apache.
Where shall I store them, or what shall I do to keep them away from being served as content by Apache?
You can either have them in a directory above the root, or, if you're on shared host/ can't have the files above the root for whatever reason, you can have them in a directory that denies all HTTP access.
So you could have a folder called "secret_files" with a .htaccess file sitting inside:
.htaccess:
deny from all
Which will prevent HTTP access to files/subfolders in that folder.
Somewhere not under the public root!?
This is more a server config question as it depends on your server, but in apache you could use the custom log directives to set the location, so if you have
/www/myapp
Create
/www/log
and put them there instead. You need control over the config to do this so look up your web hosts docs to find out how.
I'm starting to unravel the mysteries of PHP and I configured the pre-installed Snow Leopard PHP and activated the Apache server in the system preferences. So far so good: it works if you put a PHP file in your ~/Sites directory.
Since I've my projects in a code/projects directory I created a symbolic link from the ~/Sites dir to the code/projects/one-project/php-dir and bang!, a 403 error: access forbidden.
I've been changing the permissions of the dirs to 777, but no luck.
Is anyone using the default Snow Leoapard configuration for PHP development and if so, how do you link to your codebase?
Thanks in advance,
Juan
Off the top of my head: it might be the FollowSymLink option in the Options directive of Apache (http://httpd.apache.org/docs/2.0/mod/core.html#options).
That might work if you set FollowSymLinks in your Apache config, but I suggest putting the PHP files under the web root directly.
One good method is to put the presentation files under the web root, and include/require any libraries directly from where they are in the code/projects directory (assuming that dir is readable by the web server user). The include dir shouldn't be writable by the web server, for security. Keep it owned by your user account, and set the permissions to 744.
I presume you have ~/code/projects/projectA/php-dir and ~/sites/php-dir
You need to make sure that the directory above the directory you're sym-linking is readable by the webserver. In this case you need to set the permissions on the folder to 755. Or at least that solved things for me.
you'll most likely need to add a Directory directive to your httpd.conf file as well...
<Directory code/projects/one-project/php-dir>
order allow,deny
allow from all
</Directory>
Above configuration allows access from all IP's, all hosts.
I myself use macports, I find it better since it isolates everything in the /opt directory. But it's a bit of work to get it running...