I have a number of files stored in a folder outside of the publicly accessible portion of my website.
For example, the file 'abcd.jpg' is stored (in terms of the server) in '/home/private_files/' and the website is in '/home/public_html/website.com/'
When I go to provide a link to view the file, I use
Download however this doesn't work.
Any suggestions?
If you are using Apache as the server, you can set it to alias a directory in httpd.conf...
Alias /images/ "/home/private_files/"
<Directory "/home/private_files/">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</IfModule>
and you can use this
Download
You can not access to directory that located in out of www.
use symlink to link to file:
ln -s /home/private_files/abcd.jpg /home/www/abcd.jpg
and delete the link after deadline(something like rapidshare)
or use file downloader like this
Related
Talking about my project I am working, its just a simple website in localhost.I am Xampp server rand inside htdocs my website is in file creative which contains index.php file and another sub directory themes which further contains themes folder which contain all the necessary html php and css files that builds my websites.
When a user enters I want to redirect him from the index.php in localhost/creative to the index.php in localhost/creative/themes/theme-folder. I tried to use require_once('creative/themes/theme-folder/index.php'); but in most of cases it fails. is there any other way to do so.
You can modify the .httpd file.
Then you add:
#The path of your repositories:
DocumentRoot "C:/xampp/htdocs/creative"
#then you make an alias:
Alias /creative "C:/xampp/htdocs/creative/themes/theme-folder"
<Directory "C:/xampp/htdocs/creative/themes/theme-folder">
#Modify this data according to your needs
Options Indexes FollowSymLinks
AllowOverride all
Order Allow,Deny
Allow from all
</Directory>
I have moved website from one hosting to another and due to security, PCI and HIPPA reason, I need to move some (files and images) directories outside html folder.
Previous structure : /public_html/uploads
Current structure : /var/www/uploads
For Files : /var/www/html/
I want to know how I can handle uploaded images and images get to display on front page.
Thanks
You could use symbolic links e.g.:
in /var/www/html execute ln -s /var/www/uploads image_uploads then all your images can be referenced with <img src="/image_uploads/some_image_name.jpg">
Be aware than you may need to set alternative permissions in a <Directory> section in your site configuration (I am assuming that you are using Apache).
Something like
<Directory "/var/www/uploads">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
See the Apache documentation for Directory for more information.
I have a php application located in /var/www/phpapp and I need to create links to download files located in the /home/myuser folder. The complete path to the files is stored in a database, so the goal is for the app to place a link like Download 1 and be able to download it. I access the php app using http://localhost/phpapp. I know I can do this using alias in apache but I still haven't figure it out.
For anyone having this same problem, I got it working using this:
In Ubuntu: I went to /etc/apache2/sites-enabled/ and edit the site file
In Centos: Go to /etc/httpd/conf.d/ and add a new xxxx.conf file
And I added this into the file:
Alias /home "/home/user/"
<Directory "/home/user">
Options None
AllowOverride None
Order allow,deny
Allow from all
Options Indexes FollowSymLinks
MultiViews Require all granted
</Directory>
We all have php files like 'connect_db.php' for include purposes only.
Suppose I have all those inclusive .php files in "www/html/INC"
And I have index.php
I want index.php accessible from browser to everyone, but I want to prevent users' direct access to "www/html/INC" folder. (e.g. when type in the browser 'www.domain.com/INC/' -> 404 error etc)
How do I achieve this?
Preferrably using .htaccess file in the root directory please.
Something like
<Directory /INC>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
should work.
How do I achieve this?
Don't. As per my previous answer, it's much more secure to put connect_db.php in /www/, not in /www/html/INC/. If you are going to do so, then you'd use /www/html/.htaccess:
<Directory "/www/html/INC">
order allow,deny
deny from all
</Directory>
Google searches have brought me here so I figured I'd post what I found in the apache docs today. I'm not positive what versions of apache it is available in, but do a search for your version to verify.
Now you can just use Require local. I'd recommend putting an .htaccess in the folder that you want to restrict access to with just that line. However, if you must do it in the root directory then here's what it would be:
<Directory "www/html/INC">
Require local
</Directory>
As of Apache 2.4, Require is the way to go.
E.g. the following denies access to the /www/html/INC directory by anyone except localhost:
<Directory "/www/html/INC">
Require all granted
Require ip 127.0.0.1
</Directory>
Move connect_db.php to the more high level in directories tree, than public directory.
And all scripts, which should not be executable - too.
/home/user/project/incs/ -- here your inclusive scripts
/home/user/project/www/html -- here your index.php and other executable scripts.
I'm loading my files (pdf, doc, flv, etc) into a buffer and serving them to my users with a script. I need my script to be able to access the file but not allow direct access to it. Whats the best way to achieve this? Should I be doing something with my permissions or locking out the directory with .htaccess?
The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.
However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,
Order deny,allow
Deny from all
Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.
That is how I prevented direct access from URL to my ini files. Paste the following code in .htaccess file on root. (no need to create extra folder)
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
my settings.ini file is on the root, and without this code is accessible www.mydomain.com/settings.ini
in httpd.conf to block browser & wget access to include files especially say db.inc or config.inc . Note you cannot chain file types in the directive instead create multiple file directives.
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
to test your config before restarting apache
service httpd configtest
then (graceful restart)
service httpd graceful
Are the files on the same server as the PHP script? If so, just keep the files out of the web root and make sure your PHP script has read permissions for wherever they're stored.
If you have access to you httpd.conf file (in ubuntu it is in the /etc/apache2 directory), you should add the same lines that you would to the .htaccess file in the specific directory. That is (for example):
ServerName YOURSERVERNAMEHERE
<Directory /var/www/>
AllowOverride None
order deny,allow
Options -Indexes FollowSymLinks
</Directory>
Do this for every directory that you want to control the information, and you will have one file in one spot to manage all access. It the example above, I did it for the root directory, /var/www.
This option may not be available with outsourced hosting, especially shared hosting. But it is a better option than adding many .htaccess files.
To prevent .ini files from web access put the following into apache2.conf
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
How about custom module based .htaccess script (like its used in CodeIgniter)? I tried and it worked good in CodeIgniter apps. Any ideas to use it on other apps?
<IfModule authz_core_module>
Require all denied
</IfModule>
<IfModule !authz_core_module>
Deny from all
</IfModule>