I am using Laravel for web app. Uploaded everything on production and found out that some of the files can be directly accessed by url - for example http://example.com/composer.json
How to avoid that direct access?
You're using wrong web server configuration. Point your web server to a public directory and restart it.
For Apache you can use these directives:
DocumentRoot "/path_to_laravel_project/public"
<Directory "/path_to_laravel_project/public">
For nginx, you should change this line:
root /path_to_laravel_project/public;
After doing that, all Laravel files will not be accessible from browser anymore.
That is incorrect. composer.json sits outside of the public directory and therefore should not be accessible. This means that your VirtualHost configuration is incorrect.
Please make sure that your path to your directory ends with /public.
Point your web server to a public directory and restart it.
For Apache you can use these directives:
DocumentRoot "/path_to_laravel_project/public"
<Directory "/path_to_laravel_project/public">
Also You Can Deny files in .htaccess too.
<Files "composer.json">
Order Allow,Deny
Deny from all
</Files>
for multiple files you can add above files tag multiple times in .htaccess files.
You Can Deny files in .htaccess too.
<Files "composer.json">
Order Allow,Deny
Deny from all
</Files>
Point the web server to the public directory in the project's root folder
project root folder/public
but if you don't have the public folder and you are already pointing to the root folder, you can deny access by writing the following code in .htaccess file.
<Files ".env">
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
</Files>
in the above code, first we are denying from all and allowing only from the own server (localhost to the server) to get executed, and hence we can protect it from outside users.
Set Your document root as public directory, so other files will not be accessible directly. Look for it in Your apache/nginx/??? configuration files.
It depends on the webserver your running. With Apache it would be .htaccess files whereas with Nginx it would be handled in the server configuration file.
With Apache, you can create .htaccess file in the root directory of Laravel project to rewrite all requests to public/ directory.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.*)$ public/$1 [L]
</IfModule>
simply create blank
index.php
file in config directory , and write message in file as you like to inform acccessor user
ex. access forbindon by server
Related
I am Working with laravel 5.4. And i have problem with .env and composer.json file. Anyone can access from any browser and anyone can see my database credentials so please help me to protect this files.
you can add following code to your .htaccess (make sure your .htaccess file should be in root folder not in public)file to deny the permission of .env file
<FilesMatch "^\.env">
Order allow,deny
Deny from all
</FilesMatch>
Simply you add below code to your .htaccess file to set permission of .env and composer.json file.
<Files .env>
Order allow,deny
Deny from all
</Files>
<Files composer.json>
Order allow,deny
Deny from all
</Files>
And below line for disabling directory browsing
Options All -Indexes
Remember that once your server is configured to see the public folder as the document root, no one can view the files that one level down that folder, which means that your .env file is already protected, as well your entire application. - That is the reason the public folder is there, security. - The only directories that you can see in your browser if you set the document root to the public folder is the folders that are there, like the styles and scripts.
You can make a test like this:
Enter in your project directory with the terminal and hit this:
php -t public -S 127.0.0.1:80
The -t means the document root, where the PHP built-in web server will interpreter as the document root. - see bellow:
-t <docroot> Specify document root <docroot> for built-in web server.
Now try to access the .env file, and you will see that you will get a 404 that the resource as not found.
Of course it's just an example, you will need to configure your sever to do the same.
Nobody can view these files via the browser because the root of your website is located at /public and the composer.json and .env files are outside of this scope.
The only way to view these files is actually connecting to the web server and going to the corresponding folder.
Make sure it is on your .gitignore and you create it locally on your server.
How do I prevent access to a given directory ? Here is the structure of my website :
config.php
.htaccess
classes/
|----lib/
| |----...
|----classes.php
webroot/
|----index.php
|----ctrl/
| |----...
|----pages/
| |----...
|----style/
|----...
The DocumentRoot is webroot. I want to prohibit access to the following folders : ctrl, pages, style. But the files stored in these folders still have to be available to be included in the index.php file.
In other words, there is an index.php file. Its role is to call (include) all the necessary files from pages/, ... The users can load index.php from their browser but they cannot access the other files alone.
I wrote this code is a .htaccess file but it doesn't do anything :
deny from all
<Files webroot/index.php>
allow from all
</Files>
This .htaccess file is located at the root folder for my project (before webroot/). What I try to do here is to deny access to every directory and files in the project except for the main index.php file.
What is it not working ? What went wrong ?
Thank you in advance.
I solved the problem. First of all, I had to activate .htaccess files in my httpd.conf file. Then I wrote this in my .htaccess :
<Files webroot/pages>
deny from all
</Files>
<Files webroot/style>
deny from all
</Files>
Do you want to prevent people list files in your webroot?
If so, you can add the following option in your htaccess file:
Options -Indexes
i want to deliver epub-file via online-shop.
is .htaccess + mod_rewrite the right way to manage the permission for epub-files (epub-shop)?
# .htaccess in epub-folder
# sends every file to "download.php"
RewriteEngine On
RewriteRule \.php$ - [L]
RewriteRule (.*) download.php?file=$1
download.php manage the licence part. is there any hack/trick to get the files without the licence? Directly via deeplink?
thanks for help!
You usually do access control via the directives in mod_authz_host. This document outlines how you can do this.
If you have access to the main configuration file of Apache (httpd.conf or something alike), I would recommend adding a directory section to it. Afterwards you need to restart your Apache.
<Directory /a/b/c/epub/>
Order Deny,Allow
Deny from all
</Directory>
Order tells in which order directives are processed. Deny from all denies direct access from everyone.
Otherwise, you can add a .htaccess in the epub directory, then add the same 2 directives to it without the directory block.
I'm attempting to deny access to anyone surfing for PHP files in a specific directory:
example.com/inc/
I've created an example.com/inc/.htaccess file with the contents:
Order deny,allow
Deny from all
This results in a 403 Forbidden response when I try to access one of the files. For example: example.com/inc/file.php
The problem is, my web server is also denied access and my application stops working.
How can I deny access to people surfing for such PHP files but allow my shared web server access?
Note: I'm using GoDaddy shared hosting.
I would would just use a rule and block the access that is entered by the user. This will block any php file that is entered.
RewriteEngine On
RewriteRule ^.*\.php$ - [F,L,NC]
Edit based on your comment. Try this way.
<Files (file|class)\.php>
order allow,deny
deny from all
allow from 127.0.0.1
allow from 192.168.0.1
</Files>
Replace 192.168.0.1 with your server IP address.
Use proper directory structure put your files to lib/ directory for example and include them from file which is not present in this directory. This is how common frameworks works.
You can even map your url to web/ directory and put lib one directory up then you are sure that there is no access to your .php file but only index.php and assets.
You can read how it is solved for example in Symfony2 http://symfony.com/doc/current/quick_tour/the_architecture.html it'll give you some clues.
To block navigation access to all files ending in .php you can use:
RedirectMatch 403 ^.*\.php$
To only deny access to php files you can use this:
<Files *.php>
order allow,deny
deny from all
</Files>
I'm loading my files (pdf, doc, flv, etc) into a buffer and serving them to my users with a script. I need my script to be able to access the file but not allow direct access to it. Whats the best way to achieve this? Should I be doing something with my permissions or locking out the directory with .htaccess?
The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.
However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,
Order deny,allow
Deny from all
Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.
That is how I prevented direct access from URL to my ini files. Paste the following code in .htaccess file on root. (no need to create extra folder)
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
my settings.ini file is on the root, and without this code is accessible www.mydomain.com/settings.ini
in httpd.conf to block browser & wget access to include files especially say db.inc or config.inc . Note you cannot chain file types in the directive instead create multiple file directives.
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
to test your config before restarting apache
service httpd configtest
then (graceful restart)
service httpd graceful
Are the files on the same server as the PHP script? If so, just keep the files out of the web root and make sure your PHP script has read permissions for wherever they're stored.
If you have access to you httpd.conf file (in ubuntu it is in the /etc/apache2 directory), you should add the same lines that you would to the .htaccess file in the specific directory. That is (for example):
ServerName YOURSERVERNAMEHERE
<Directory /var/www/>
AllowOverride None
order deny,allow
Options -Indexes FollowSymLinks
</Directory>
Do this for every directory that you want to control the information, and you will have one file in one spot to manage all access. It the example above, I did it for the root directory, /var/www.
This option may not be available with outsourced hosting, especially shared hosting. But it is a better option than adding many .htaccess files.
To prevent .ini files from web access put the following into apache2.conf
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
How about custom module based .htaccess script (like its used in CodeIgniter)? I tried and it worked good in CodeIgniter apps. Any ideas to use it on other apps?
<IfModule authz_core_module>
Require all denied
</IfModule>
<IfModule !authz_core_module>
Deny from all
</IfModule>