.htaccess Options -Indexes - php

I'm using a simple .htaccess file with the contents
Options -Indexes
to try and hide directory listings. However, when I try to load any page from the browser it gives me a 403 error for any page. Any ideas what the problem is?
For context, .htaccess is in the root folder that contains php files and folders of other php files included/required etc. by those in root.
Thanks in advance
Ben

Make sure that you have a proper directory index setting. The Indexes option simply tells apache to display the contents of the directory as the index if there isn't a default index in that directory.
So if you have the file:
/index.php
Make sure you have:
A valid index file
it is part of the list defined by DirectoryIndex
It is readable by apache.
If your index.php is the file you want served when the request is for the directory, then make sure it is readable by apache (644 is good enough), then make sure it's in the list defined by the directory index:
DirectoryIndex index.php
One other thing that may be happening, and it's very specific to someone's website setup. If you have DirectorySlash Off somewhere, meaning apache won't automatically redirect the browser when a trailing slash is missing when a request is for a directory, and you have Indexes turned off, then your index file will get ignored.
Example, if I have directory slash off, and a request for the directory is made:
/folder
without the trailing slash, it doesn't matter if you have a valid index file, it will get ignored without a trailing slash. If this is the case, make sure you really want to have trailing slashes removed for accesses to directories and this is a limitation of apache.

I had this problem and it was due to permissions. CHMOD it to 777 or whatever.
Also, consider this rule is run for each page load. For speed purposes you can create .htaccess for each folder.

Maybe your folder permissions, you should check them
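
The checks named in the answers above (an index file from the DirectoryIndex list, readable by Apache, in a directory Apache can enter) can be run as one script. This is an added example, not code from any of the posters; `has_perm` and `check_dir_index` are hypothetical names, and it assumes the Apache worker is neither owner nor group member of the files. It also reports a world-writable index file, which is what mode 777 produces.

```shell
#!/bin/sh
# Added example. Assumption: the Apache worker is neither owner nor group
# member of the files, so the "other" permission bits decide access.

# has_perm PATH BITS: true if PATH has every bit in BITS set (e.g. 004).
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# check_dir_index DIR "index.php index.html": prints a verdict for a request
# to DIR/ with "Options -Indexes"; returns 0 when an index file is served.
check_dir_index() {
    dir=$1; index_list=$2
    if ! has_perm "$dir" 001; then
        echo "403: $dir is not traversable by others (use 755)"; return 1
    fi
    for name in $index_list; do          # same order as DirectoryIndex
        [ -f "$dir/$name" ] || continue
        if ! has_perm "$dir/$name" 004; then
            echo "403: $name exists but is not readable by others (use 644)"
            return 1
        fi
        if has_perm "$dir/$name" 002; then
            echo "ok: $name is served, but it is world-writable (use 644)"
        else
            echo "ok: $name is served as the directory index"
        fi
        return 0
    done
    echo "403: no DirectoryIndex file ($index_list) in $dir, listing is off"
    return 1
}

# Constructed sample: a directory whose index.php was saved with mode 600.
demo() {
    d=$(mktemp -d) && chmod 755 "$d" && : > "$d/index.php"
    chmod 600 "$d/index.php"
    check_dir_index "$d" "index.php index.html" || :
    chmod 644 "$d/index.php"
    check_dir_index "$d" "index.php index.html"
    rm -rf "$d"
}
demo
```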

Related

Is it safe? Overwrite apache2 index.php for security

I want safe links and hide files from persons who don't know about the exact file. (like a dropbox link to a file)
I have a question about security of apache2 related to this:
If I want to have access to files, if I know the filename, but don't want other people to have access via "browsing" this file, is it safe if I create an index.php in every folder without content and set apache2 to show index.php for the default index-page?
If I browse www.mytestpage.com/secretfolder/ I get, without the empty index.php, a list of all secretfiles12345.zip there.
If I specify index.php, apache2 shows an empty page but I can still access mytestpage.com/secretfolder/secretfiles12345.zip .
Does this guarantee that only persons who know the exact filename of secretfiles12345.zip have access to the file?
(very sorry for my bad english :) )
You need to set
Options -Indexes
in Apache2 configuration to prevent directory listings. You can do this in the global configuration file or in .htaccess.
Background: An empty index file (this need not be a php file, it could be a .html as well) only prevents access if you access the url without a trailing slash. Then Apache uses the default (index). If you have this trailing slash, it assumes that you really want to know what files are in the directory and retrieves the list - if you do not instruct it otherwise (with Options -Indexes, see above).

add an index file or an .htaccess file for each directory?

Ok so my current site is on the .htaccess method to block user access to the directory
e.g. http://www.example/_directory/ via Options All -Indexes
Question should I stick with that or is putting an index file e.g. index.php in every directory better? I'm thinking of an index.php that will redirect to the homepage rather than giving users an error 403 page.
Opinions?
It would be clever to build your web site in a way that these subdirectories also have content (e.g. about/ also shows some information, when about/history/ and about/our-company/).
If the directories contain only files, it's IMHO totally fine to just have a 403.
Answers to your questions might be very biased.
If you're on a Unix/Linux server, you don't need to have blank index files at all in your directories. Just create a .htaccess file and put the following code in it:
Code:
Options -Indexes
When anyone tries to access the contents of a directory that doesn't have an index file, they'll get a 403 error.
Ref : http://wildlifedamage.unl.edu/manual/mod/core.html#options

how to counter dot dot slash attack?

How can I restrict the user into the root directory and not able to get access to the parent directory of the root.
I have EasyPHP installed and following I am considering as root:
http://127.0.0.1/projects/Web%20Developement/aureus/files/
I don't want users to be able to move to the parent directory but when I add "dot dot slash" ../ at the end of above URL I can access "aureus" directory. How can I stop this by .htaccess or any other way?
You can't do this correctly with .htaccess. You'll need to edit the configuration for the domain in the main config file. When you go into your httpd.conf file or your included file for the virtual hosts you need to look for the DocumentRoot you're setting for the server. The web server only has access to what you grant it.
If you can access a folder you're trying to lock down via the web or a browser on another machine, you'll need to look at a variety of permissions settings depending on the OS you're running. You can restrict access to folders and prevent the users in Linux for example from seeing the files with chmod. In Windows (if that's what you're running) you would right-click on the folder, select properties, and change the permissions under the security tab.
Not sure what the point of all this is, but if you simply don't want any ../ in your URLs, then you can try adding this to your htaccess file:
RewriteEngine On
RewriteRule ^(.*)\.\./(.*)$ /$1$2 [L,R=301]
I think rather than specifically try to stop the use of ../ in the url, you should have htaccess in folders you do not want people/bots/other to be in.
This
Options -Indexes
in a .htaccess file will stop directory listing in whatever folder the htaccess file is in. It'll serve a 403, but you can use htaccess to serve 404 or redirect based on what you need (other than "stop user to able to move to the parent directory" I'm not 100% sure what you want)
Cheers
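
What the server does with `../` before it maps a URL to a file, as an added example that is not part of the original posts: the function collapses dot segments and clamps `..` at the root, then tests the result against a base directory. `normalize_path` and `is_inside` are hypothetical names, the input is assumed to be percent-decoded already, and the sample path is the questioner's URL path decoded.

```shell
#!/bin/sh
# Added example: resolve "." and ".." in a URL path the way a server does
# before mapping it to the filesystem. Input is assumed percent-decoded.

# normalize_path /a/b/../c -> /a/c ; ".." at the root is clamped there.
normalize_path() {
    out=""
    old_ifs=$IFS; IFS=/
    set -f                          # no globbing while splitting on "/"
    for seg in $1; do
        case $seg in
            ""|.) ;;                # empty segment or ".": nothing to do
            ..) out=${out%/*} ;;    # drop the last segment, if there is one
            *)  out="$out/$seg" ;;
        esac
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# is_inside BASE PATH: true when the normalized PATH is BASE or below it.
is_inside() {
    base=$(normalize_path "$1"); p=$(normalize_path "$2")
    case "$p/" in "$base"/*) return 0 ;; esac
    [ "$base" = "/" ]
}

# Constructed demo using the URL path from the question.
demo() {
    files='/projects/Web Developement/aureus/files'
    req="$files/../"
    echo "request  : $req"
    echo "resolved : $(normalize_path "$req")"
    if is_inside "$files" "$req"; then
        echo "stays under files/"
    else
        echo "leaves files/ but is still below the document root"
    fi
}
demo
```

The resolved path is the parent folder, which sits under the same DocumentRoot, so the server treats it as an ordinary request; only the DocumentRoot and per-directory access rules decide whether it is served.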

stop htaccess redirect

I accessed a 'superfolder's .htaccess file and accidentally added
Rewrite / http://google.com/
This was done using php. Now I can't access php files in any directory to revert the change.
Is there anything I can do in a subdirectory of root to stop the redirect inside that folder?
Thank you.
And please don't ask more details about the 'accident'.. stupid mistake
I contacted server admin, both laughed at it.. Still interesting though how to stop it redirecting although it shouldn't happen if I use mod_rewrite.
With mod_alias' Redirect, you're screwed. That directive is applied across the board, starting from the path-node where the htaccess file sits (if it's in an htaccess file), or the path-node of the <Directory> block that it sits in. So the only solution is to get an admin to remove it.
With mod_rewrite however, with an htaccess file, it doesn't act the same as within a <Directory> block. Rules inside an htaccess file in a path-node inside a directory have precedence over rules inside an htaccess file in the parent directory. So if you had 2 htaccess files:
/.htaccess:
RewriteEngine On
RewriteRule ^/? http://google.com/
and in /tmp/.htaccess:
RewriteEngine On
RewriteRule ^/?tmp/ http://stackoverflow.com/
And you go to http://yourdomain.com/tmp/, you'll get redirected to http://stackoverflow.com/ because the rules in the tmp directory have precedence over the rules in the parent directory. In fact, the rules in the parent directory aren't applied at all unless you've used the RewriteOptions Inherit directive to inherit any rules from the parent directory.
Because of this, you can simply create an htaccess file with the following:
RewriteEngine On
Use FTP to upload it to your subdirectory, and upload the php file that you used to change the parent directory's htaccess file. Then just use your browser and go to that php file in the subdirectory.
Having simply turned on the rewrite engine in your subdirectory, without any rules, means:
I have mod_rewrite active in this directory
Since the rewrite engine is turned on in this directory, ignore all rules in all the parent directories.
Since the mod_rewrite ruleset is blank (no actual RewriteRules) nothing happens at all
Accessing this directory, even though the rewrite engine is on, mod_rewrite does nothing so it's as if the rewrite engine is turned off.
Sounds counter-intuitive, but that's just how it works.
Connect using your FTP client. Enable hidden files in your FTP client (try FileZilla, this one lets you do that). Delete .htaccess in your superdirectory. If this file has other data in it, copy it to your local computer, make changes and upload it again.
Here is some more help: http://www.intrepid.com.au/how-to-view-htaccess-with-filezilla/

setting home (default) page in a directory

It's been a while since I created a new directory on my domain (call it my/domain/dir3). I have others, each containing an index.php (dir1/index.php - dir2/index.php), each index is called if the directory URL is called (thus a URL of my/domain/dir1 will call my/domain/dir1.index.php).
Now the embarrassing part ... I've completely forgotten how I did this! ... blank .... nothing ... no recollection. Please somebody enlighten me.
If you use Apache, it does this automatically. You can tweak the settings in httpd.conf though.
Well if it's a standard Apache/PHP installation then putting an index.php file in the directory would make it the default page in a directory.
Oh, if you want a different file to be the index. Create a .htaccess file in the directory and enter this:
DirectoryIndex index.html index.htm index.php something.php
Replace something.php with the file you want and presto ;). You can't have two indexes.
If index.php is seen by Apache as the default index file, my/domain/dir1/ will see my/domain/dir1/index.php. If you want something more complex, you'll need mod_rewrite.
