I want safe links and hide files from persons who dont know about the exact file. (like a dropbox link to a file)
I have question about security of apache2 related to this:
if i want to have access on files, if i know the filename, but dont want other people to have access via "browsing" this file, is it safe if i create a index.php in every folder without content and set apache2 to show index.php for the default index-page?
if i browse www.mytestpage.com/secretfolder/ i get without the empty index.php a list of all secretfiles12345.zip there.
if i specify index.php apache2 shows a emtpy page but i can still access mytestpage.com/secretfolder/secretfiles12345.zip .
guarantees this, that only persons who know the exact filename of secretfiles12345.zip has access to the file?
(very sorry for my bad english :) )
You need to set
Options -Indexes
in Apache2 configuration to prevent directory listings. You can do this in the global configuration file or in .htaccess.
Background: An empty index file (this need not be a php file, it could be a .html as well) only prevents access if you access the url without a trailing slash. Then Apache uses the default (index). If you have this trailing slash, it assumes that you really want to know what files are in the directory and retrieves the list - if you do not instruct it otherwise (with Options -Indexes, see above).
Related
I'm using a simple .htaccess file with the contents
Options -Indexes
to try and hide directory listings. However, when I try to load any page from the browser it gives me a 403 error for any page. Any ideas what the problem is?
For context, .htaccess is in the root folder that contains php files and folders of other php files included/required etc. by those in root.
Thanks in advance
Ben
Make sure that you have a proper directory index setting. The Indexes option simply tells apache to display the contents of the directory as the index if there isn't a default index in that directory.
So if you have the file:
/index.php
Make sure you have:
A valid index file
it is part of the list defined by DirectoryIndex
It is readable by apache.
If your index.php is the file you want serves when the request is for the directory, then make sure it is readable by apache (644 is good enough), then make sure it's in the list defined by the directory index:
DirectoryIndex index.php
One other thing that may be happening, and it's very specific to someone's website setup. If you have DirectorySlash Off somewhere, meaning apache won't automatically redirect the browser when a trailing slash is missing when a reqeust is for a directory, and you have Indexes turned off, then your index file will get ignored.
Example, if I have directory slash off, and a request for the directory is made:
/folder
without the trailing slash, it doesn't matter if you have a valid index file, it will get ignored without a trailing slash. If this is the case, make sure you really want to have trailing slashes removed for accesses to directories and this is a limitation of apache.
I had this problem and it was due to permissions. CHMOD it to 777 or whatever.
Also, consider this rule is run for each page load. For speed purposes you can create .htaccess for each folder.
Maybe your folder permissions, you should check them
Ok so my current sites is on the .htaccess method to block user access to the directory
e.g. http://www.example/_directory/ via Options All -Indexes
Question should I stick with that or is putting an index file e.g. index.php in every directory better? I'm thinking of an index.php that will redirect to the homepage rather than giving users an error 403 page.
Opinions?
It would be clever to build your web site in a way that these subdirectories also have content (e.g. about/ also shows some information, when about/history/ and about/our-company/).
If the directories contain only files, it's IMHO totally fine to just have a 403.
Answers to your questions might be very biased.
If you're on a Unix/Linux server, you don't need to have blank index files at all in your directories. Just create a .htaccess file and put the following code in it:
Code:
Options -Indexes
When anyone tries to access the contents of a directory that doesn't have an index file, they'll get a 403 error.
Ref : http://wildlifedamage.unl.edu/manual/mod/core.html#options
Could access to files like df9dfglh_56_ghf.mp3 in /www/pub/ prevented with an empty index.html file? (but giving access via index.php with login to a database that then links to that file name)?
UPDATE: but I would rather NOT restrict access to the directory, if I want to play the file in my own 'cloud player'... (bit like the youtube category: only people with the link can see the file)
The bottom line: I want minimise server traffic, or copyright problems (if those files became publically accessible)
For preventing access from a certain file or even for a certain type of file, you can use the .htaccess, which is an apache configuration file that provide some ways to make configuration changes on a per-directory basis. And then append to it the following line
<Files ~ "\.mp3$">
Order allow,deny
Deny from all
</Files>
For your specific case, you can even use it this way:
<Files "df9dfglh_56_ghf.mp3$">
Order allow,deny
Deny from all
</Files>
If you wish only that the file is not listed on the index you can use this very same file to do what #Ynhockey said and issue the configuration:
Options -Indexes
I hope it helped. Cheers
if you set inside your data folder empty
index.html
When user browse ..
http://yoursite/data/
he will see empty page and he wont see your mp3 file...
But if he goes to
http://yoursite/data/yourmp3name.mp3
he will open your mp3..
By simply having an index.html or index.php, you would only be disabling directory listing. People will still be able to access any files inside that directory though if they have the direct URL to it.
If you would like to block access to specific files, you will need explicitly restrict access to those files. Here is a good resources to get started with that.
An empty index file can prevent a directory listing from showing, but it does not prevent direct access to files. This can also be done by putting the following line into your .htaccess file:
Options -Indexes
I think what you are referring to is Apache's directory-listing when there is a directory without an index. Yes, an empty index will hide this listing but no, it will no prevent access to files if the path is known. If this "share link to authorised persons only"-policy is secure enough for you then fair enough. If you want anything more secure you should consider using mod_auth or something similar og limit access by only allowing access to a .php file or something similar that provides access to only the authorised users.
in principle yes it will disable the file listing, but if the user knows the exact path, then he will be able to view/download the given file.
an effective way of doing, what i believe you are trying to do , is to put the files in a dir that is not visible by web, and then serve the files via php. then the link will be smth like,
domain.com/getfile.php?fileindetification=thefile then in getfile.php you can authenticate the user and then serve him the file, you can do even more, you can make the currentlink, be valid only for a short period of time.
it will be better to keep the file out of the web root folder so that no one outside get access to the file.
I'm working on a solution to a problem where users could potentially access images (in this case PDF files) stored in a folder off the server root. Normally, my application validates users through PHP scripts and sessions. What isn't happening right now is preventing non-logged in users from potentially accessing the PDFs.
The solution I'm looking for would (I think) need to be tied in with Apache. I saw an interesting solution using RewriteMap & RewriteRule, however the example involved putting this in an .htaccess file in the PDF directory. Can't do that with Apache (error: RewriteMap not allowed here). I believe the rewrite directives need to go in my httpd.conf, which I have access to.
So the example I found (that resulted in 'rewritemap not allowed here') is here:
RewriteEngine On
RewriteMap auth prg:auth.php
RewriteRule (.*) ${auth:$1}
auth.php just checks PHP session and redirects to a login script if needed.
I'm reading that I have to place this in my httpd.conf. How would I specify that the RewriteMap should only occur on a specific directory (including subdirectories)?
1st, be sure that you have to put that directly in httpd.conf. On Debian system, for instance, you have 1 file by virtualhost (a virtualhost usually is a website)
So, you have to put your rewriteMap in a "directory" like this:
<Directory /full/path/to/your/pdfs>
RewriteEngine on
...
</Directory>
I believe I'm looking for the Apache setting or mod that accomplishes this behavior because I need to turn it off or alter it in some fashion. Here's the deal:
I have my own CMS that has its own router to handle redirects, includes, 404 errors, and pretty URLs. The mod_rewrite rules work perfectly to direct the appropriate requests to this router, but there's a strange case that causes Apache to freak out and never even send the request to the router.
File located at www.example.com/contact.form.php
CMS content located at www.example.com/contact/contact-us
Requests for the CMS content should be going to the router because it does not match a file or directory that exists in the file system. What is actually happening is some sort of bizarre request that finds the contact.form.php file but somehow still causes Apache to give its own 404 error.
The router is designed to catch 404 errors, so Apache's 404 screen should never be seen. All URLs entered for this domain outside of the contact "directory" (no matter how absurd) make it to my router and either retrieve the correct content or show my 404 page.
The work-arounds I've come up with so far:
Change the filename to form.contact.php -- which disables any CMS content that may eventually exist in www.example.com/form/...
Create an empty directory at www.example.com/contact/
The conflict is clearly tied to the "directory" name matching the first part of a PHP filename. This behavior exists any time this condition is met, and it is non-existent when it is not met. Unfortunately, with a CMS, I can never guarantee that "directory" names won't collide with PHP file names. For this reason, my focus is on tweaking Apache.
I've searched with all kinds of keyword combinations, and I can't find the answer anywhere. Any ideas?
Found the answer elsewhere after a lot of searching.
The problem is Options MultiView is turned on.
For me, I am using virtual hosts, but I am configuring most of my settings in the user.conf file for apache on Mac OSX Lion. I am not sure if I added this, or if it was already there...
Here is what I did
Open Terminal App
type: cd /etc/apache2/users
type: ls
From the list that prints out, you should see a file that matches your username: USERNAME.conf, where USERNAME is your actual username
type: sudo nano USERNAME.conf
You will probably have to enter your password
Find this line: Options Indexes MultiViews
Change it to: Options Indexes
ctrl+x to exit, hit "y" when prompted to save the file and enter when it asks about the filename
Alternatives
You can add Options -MultiViews if you don't see anything there.
Also you can edit your httpd.conf file if the above does not apply.
And if you use virtual hosts, you can edit your httpd-vhosts.conf file. For each site, edit the MultiViews Option within the tags. Either by adding "Options -MultiViews" or removing "Options MultiViews" if it exists.
Hope this helps somebody else...