Setup
Server: Apache 2.2.
I do have access to httpd.conf, but if necessary the solution can use .htaccess.
The goal:
To permit directory listing only when the request comes from a specific URL.
So only if a user is able to access a specific URL on my site will he/she be able to access this directory.
Currently I only have this configuration that allows all to access this directory:
<Directory "/home/myaccount/app/Ui/policies/gray_list">
Options Indexes FollowSymLinks
</Directory>
It is possible to evaluate the Referer URI for this (you said requests coming from a specific URL, so a page offering a link); however, note that this is not reliable. The Referer is a simple HTTP header, so it is very easy to manipulate or spoof.
The only reliable approach to this is using session handling: enforce some kind of authentication on the referring page and only grant a directory listing if the authentication process protecting the referring page has led to a valid session. This has to be done at scripting level, though; I am not aware of a straightforward approach using Apache features only.
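For reference, this is what the Referer-based variant the answer mentions looks like in Apache 2.2 syntax, as an added example that is not part of the answer above. It assumes the "specific URL" is http://www.example.com/policies.html and that the directory from the question is reachable as /policies/gray_list/ (both hypothetical), with mod_setenvif and mod_authz_host loaded.

```apache
# Added example, not from the original post. Assumes the referring page is
# http://www.example.com/policies.html and the listing is served from
# /policies/gray_list/ (both hypothetical). Apache 2.2 syntax.

# Tag requests whose Referer is the policies page, or the listing itself
# (clicking a file inside the listing sends the listing URL as Referer).
SetEnvIf Referer "^https?://www\.example\.com/(policies\.html|policies/gray_list/)" from_policies_page

<Directory "/home/myaccount/app/Ui/policies/gray_list">
    Options Indexes FollowSymLinks

    # Deny everything, then allow only requests carrying the tag.
    # The Referer header is client-supplied, so this is a convenience
    # gate, not an access control: curl -H "Referer: ..." bypasses it.
    Order Deny,Allow
    Deny from all
    Allow from env=from_policies_page
</Directory>
```

On Apache 2.4 the three Order/Deny/Allow lines become a single `Require env from_policies_page`. Note that legitimate users are affected as well: browsers omit the Referer on HTTPS-to-HTTP navigations and under a strict Referrer-Policy, so such users get a 403 even though they came from the right page.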
Related
Wordpress has a plugin editor that allows visitors to view my plugin's source code. I have some MySQL database connections and Azure connections that would be malicious to let others look at.
$connectionstring = "DefaultEndpointsProtocol=[http|https];AccountName=[yourAccount];AccountKey=[yourKey]";
This is an example of what I do not want to show the visitor. Could I do this in an external PHP file, hidden away from their sight? Is there any way I could accomplish this efficiently and securely?
It seems like there are ways to secure these settings described in 48 Ways to Keep Your WordPress Site Secure which includes:
4. Secure wp-config.php
Lock down wp-config.php—it’s one single location that contains a wealth of critical data regarding your database, username, and password. Only you should have access.
To deny access to this file, you should add the code below at the top of the .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
You don't ever want to expose connection strings client-side. It's like locking your front door, then hanging the keys up on a hook on the same door.
If you can't secure this sort of stuff on wordpress, you need some sort of server-side access, which would only respond to requests from your specific wordpress domain, like a RESTful API.
We have a PHP project / PHP web application where users can create profiles that more or less look like a website on sub-domain URLs like robert.blogger.com. Now this user also has a domain of his own, for example robert.com. Now we want every request for robert.com to redirect to robert.blogger.com without changing the URL.
The URL should show robert.com/home.html, robert.com/aboutus.html etc., but the code should actually run from robert.blogger.com/index.html, robert.blogger.com/aboutus.html etc.
Please note that the project is hosted on a dedicated server with dedicated IPs, and we also have access to the control panel of the user's domain.
We have tried .htaccess, but that only redirects; we want masking / mapping to work.
Is this possible? If so, how can this be done? Would appreciate it much!
The solution would depend on what kind of server software you're running, but in Apache you'd do this by mapping the default vhost for the IP to the application (and then letting people point their domain to that host), and in your application use HTTP_HOST in $_SERVER to look up the valid domain (which you're probably already doing to map the subdomain to user accounts). This would be the exact same thing, as long as you keep all links relative in your HTML (and don't think "I mapped it to this user, so the domain should be user.example.com").
To give a more specific answer you'd have to be more concrete in your question.
It should be possible to use ProxyPass in htaccess, if you have permissions to use it. Try something like this.
# ServerName is not valid in .htaccess; match the host with RewriteCond instead (the [P] flag needs mod_proxy and mod_proxy_http)
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?robert\.com$ [NC]
RewriteRule ^(.*)$ http://robert.blogger.com/$1 [P,L]
Or you can map it in your application; it depends on whether that server is yours and you can set it up however you want.
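The server-config form of what the two answers describe, as an added example that is not from either answer: a dedicated vhost for the customer's domain that reverse-proxies to the sub-domain, so the browser keeps seeing robert.com. It assumes the dedicated IP 203.0.113.10 (a documentation address) and that mod_proxy and mod_proxy_http are loaded; it belongs in httpd.conf or a vhost file, not in .htaccess.

```apache
# Added example, not from the original answers. Assumes the dedicated IP
# 203.0.113.10 (documentation address) and that mod_proxy and
# mod_proxy_http are loaded. Apache 2.2 syntax, server-config context.
NameVirtualHost 203.0.113.10:80

<VirtualHost 203.0.113.10:80>
    ServerName robert.com
    ServerAlias www.robert.com

    # A reverse proxy must never also be a forward proxy: with
    # ProxyRequests On anyone could relay arbitrary requests through it.
    ProxyRequests Off

    # Send the backend's own host name, so the application still resolves
    # the profile from HTTP_HOST = robert.blogger.com as it does today.
    ProxyPreserveHost Off

    # Fetch every path from the sub-domain; the URL bar keeps robert.com.
    ProxyPass        / http://robert.blogger.com/
    # Rewrite Location headers in backend redirects back to robert.com,
    # otherwise the first redirect would expose the sub-domain.
    ProxyPassReverse / http://robert.blogger.com/
    # Same for the Domain attribute of cookies set by the application.
    ProxyPassReverseCookieDomain robert.blogger.com robert.com
</VirtualHost>
```

mod_proxy rewrites headers, not bodies, so absolute links inside the HTML would still point at robert.blogger.com; that is why the first answer insists on relative links. The per-directory equivalent is the [P] flag shown in the second answer, which needs the same proxy modules.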
I'd like logged-in users to have access to certain directories only. For example, with the following directory structure:
/stuff/user-a/pic.jpg
/stuff/user-b/file.doc
I'd like Apache to only give user-a access to /stuff/user-a and return a 403 if he tries to reach /stuff/user-b.
Now, I've been reading and it seems to be possible to do this with REMOTE_USER and mod_rewrite, which would make it even better, as I could rewrite /stuff -> /stuff/$REMOTE_USER.
The problem is, I don't want the ugly browser popup. My PHP application already has a login form and a session. From what I've been reading, it is possible to use basic HTTP authentication as an auth method for PHP (to log in as http://user:pass@stackoverflow.com). But the opposite (passing a web form to the HTTP authentication) doesn't seem to be possible.
I would also like to avoid using something as mod_xsendfile, as I'd rather not use any "proxy" scripts to handle this, and let Apache take care of access.
If a site has PHP sessions in place to enforce authentication/authorization for pages on the site that are implemented in PHP, how does the same logic enforce access to certain files?
Let's say a repository of files in a directory. So /var/www/html/ is protected via authentication; however, this PHP authentication logic won't prohibit a user from simply going to http://site.com/someDirectory/fileIShouldNotAccess.txt and pulling that file.
How do you couple the php session and authentication with apache to enforce this type of behavior?
Since PHP won't be invoked when the user requests a non-PHP file, you can't have Apache enforce PHP's access protection. You can make a very coarse and easy-to-fake check in Apache to make sure that a session ID cookie is present, but that's highly insecure. It just checks if the cookie's there, not that it represents a valid session or that the user's actually been granted access.
This other answer might help. Using PHP/Apache to restrict access to static files (html, css, img, etc). Basically, you serve up all the protected content via a PHP script, instead of providing direct access.
A couple of answers:
1) Make your PHP sessions use HTTP authentication. Then you can use a .htaccess file to control file access in directories.
2) Use mod_rewrite to redirect all requests to a "front controller". Let the front controller manage whether access is allowed, denied, or forwarded to a different controller module for further processing.
You can try HTTP Authentication with PHP. This article might help.
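An added example (not from the questions or the answers) implementing option 1 above together with the /stuff -> /stuff/$REMOTE_USER mapping from the earlier question. It assumes Basic authentication against a hypothetical password file /etc/apache2/stuff.htpasswd containing user-a and user-b, files under /var/www/stuff, and Apache 2.2 with mod_rewrite; it keeps the browser popup, so it does not solve the form-login case the earlier question asked about.

```apache
# Added example, not from the original posts. Assumes DocumentRoot /var/www,
# the hypothetical password file /etc/apache2/stuff.htpasswd
# (htpasswd -c /etc/apache2/stuff.htpasswd user-a) and mod_rewrite. Apache 2.2.
<Directory "/var/www/stuff">
    # mod_rewrite in directory context needs FollowSymLinks (or
    # SymLinksIfOwnerMatch); Indexes lets /stuff/user-a/ show a listing.
    Options +FollowSymLinks +Indexes

    AuthType Basic
    AuthName "Private files"
    AuthUserFile /etc/apache2/stuff.htpasswd
    Require valid-user

    RewriteEngine On
    RewriteBase /stuff/

    # 1. Forbid any path whose first segment is not the caller's own name.
    #    Authentication has already run by the time directory-context
    #    rewrites execute, so %{REMOTE_USER} is set; the back-reference \1
    #    requires the directory segment to equal that user name.
    RewriteCond %{REQUEST_URI}::%{REMOTE_USER} ^/stuff/[^/]+/
    RewriteCond %{REQUEST_URI}::%{REMOTE_USER} !^/stuff/([^/]+)/.*::\1$
    RewriteRule .* - [F]

    # 2. Requests that do not name a user directory at all
    #    (/stuff/pic.jpg, /stuff/) are mapped into the caller's own one:
    #    /stuff/pic.jpg -> /stuff/user-a/pic.jpg when user-a is logged in.
    RewriteCond %{REQUEST_URI} !^/stuff/[^/]+/
    RewriteRule ^(.*)$ %{REMOTE_USER}/$1 [L]
</Directory>
```

Check it with `curl -u user-a:secret http://host/stuff/user-b/file.doc` (expect 403) and `curl -u user-a:secret http://host/stuff/pic.jpg` (served from /stuff/user-a/pic.jpg). Apache collapses `../` segments in the URI before these rules run and rejects encoded slashes by default, but test `/stuff/user-a/../user-b/file.doc` after any change to the rules. For a form login instead of Basic auth, the remaining route is option 2: a RewriteRule sending /stuff/ requests to a PHP front controller that checks the session and streams the file, as the previous answer describes.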
I have a server which is online right now but requires authentication to access, so it is basically closed to everyone but me.
Thing is, I don't want to "open" the website to the public, but I need to test my website on different browsers.
One way is to do it from websites like browsershots.org, which require access to my website. But my website is "closed" (requires authentication) to anyone except me.
I have these lines in my apache2.conf (or httpd.conf, as it is also known):
<Directory /var/www>
AuthType Basic
AuthName "Some name"
AuthUserFile "dir/to/some/file"
Require user some_user
</Directory>
The lines above allow access only to somebody with the username "some_user" and a password which is located in "dir/to/some/file".
Now, is there any way to also grant access to the website from a specific host?
My problem is, like I said, when trying to cross-browser check my website from sites which require a URL to my website, they are all blocked because of the authentication I have.
Do I have to turn off the authentication in order to be able to cross-browser check?
Thanks
If you could verify what IP address they would be hitting your website from, you could use a combination of the Allow and Deny directives to make sure that only requests originating from browsershots.org's IP address get through.
http://httpd.apache.org/docs/2.0/mod/mod_access.html
You can create a page that shows the visitor's IP, visit your site from browsershots.org, then use that in your Apache config.
What about if you removed the authentication, but then added PHP code to restrict access by IP, so that the site was only accessible from your own computer? Would that work for your purposes? Something like this:
http://www.wmtips.com/php/simple-ways-restrict-access-webpages-using.htm#ip
Edit: sjobe has the better plan. Same idea, but that way you can still let BrowserShots do the work.
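As an added example that is not from the answers above, the IP allowlist the first answer describes can sit beside the existing authentication instead of replacing it, using the Apache 2.2 Satisfy directive. It assumes the testing service's address was found to be 198.51.100.25 (a documentation address used as a placeholder) and reuses the Directory block from the question.

```apache
# Added example, not from the original posts. Assumes the cross-browser
# service connects from 198.51.100.25 (documentation address, placeholder).
# Apache 2.2 syntax, mod_auth_basic + mod_authz_host.
<Directory /var/www>
    AuthType Basic
    AuthName "Some name"
    AuthUserFile "dir/to/some/file"
    Require user some_user

    # Host-based rule: deny everyone except the service's address.
    Order Deny,Allow
    Deny from all
    Allow from 198.51.100.25

    # "Satisfy Any": a request passes if EITHER the Allow/Deny rules OR the
    # Require rule is satisfied. The default, Satisfy All, would demand
    # both and lock you out from every other address.
    Satisfy Any
</Directory>
```

The address has to be the one Apache actually sees; behind a reverse proxy or CDN that is the proxy's address, not the service's. On Apache 2.4 the same policy is a `<RequireAny>` block containing `Require ip 198.51.100.25` and `Require user some_user`. Remove the Allow line when testing is finished, since it grants unauthenticated access to everything under /var/www from that address.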