I have a site and I want to create a log.txt file which includes all user logs.For example a user logged in anytime and logged out. That is to say,time which users logged in and out. I can make this with database but there would many rows and I don't want it. If I put log.txt file to /logs/log.txt,any user who writes domain.com/log/log.txt to address bar will see that file. How can I prevent this. (I use PHP)
It's true that you can hide files from website visitors using .htaccess, or by putting similar rules in other Apache configuration locations. But this kind of thing is not trivial, and it's easy to make mistakes. The best way to hide files from site visitors is through the directory structure of your project. For instance:
A directory www/ to contain all files website visitors DO need to visit directly with a browser. This will the the directory used as we website root in your Apache configuration. If browsers don't need to fetch a file, it should not be here.
Other directories, like logs/ for logs, lib/ for source code that gets included in your scripts, config/ for settings and configuration files, etc. Since they're not inside of the website root (www/), users cannot point their browsers at any of these files.
If you're on shared hosting, and they only give you one folder that is your website root, then you can't do this. I wouldn't purchase a hosting account from such a company, though, because there are plenty that DO let you put files outside your web root.
Use a .htaccess with
<Files "log.txt">
order deny,allow
deny from all
allow from 1.2.3.4
</Files>
Where 1.2.3.4 is your IP, if you want to be able to acces it from your browser via the site. Else remove that line, so you will only be able to access via FTP or script
You can prevent http access to your log folder by using an .htaccess file that contains
deny from all
Related
I'm coding a small website with login for members. Every member have a dedicated folder and I'd like to know how to deny all access to this folder from everyone except form the user when he's logged in.
For now, I've set up things like that:
1) Every folder have an .htaccess with deny from all
2) When a user logged in, I use PHP to identify the user and get his folder. I get the user's IP address and I edit the .htaccess with
order deny,allow
deny from all
allow from 178.197.XXX.XXX
3) Once the user logged out, I reset the .htaccess to deny from all again
Is there a better way? And is there security risks?
Don't use IP. One user is not equal to one IP.
Store the folders outside the document root of your web server. This way, the files can never be served directly by the web server itself.
I.e., do not serve the files directly like http://my.site.com/path/to/actual/file. Instead require that the file be requested through a proxy PHP script like http://my.site.com/getfile.php?file=name. The script would check that a user is logged in, check that a file named name exists in that user's directory, and then spew it with readfile() or similar.
Also, in general, your files should never be writable by the user that the web server process runs as -- especially your .htaccess files.
I have several folders in my website directory which contains textfiles called "secure.txt".
For security reasons the URL of these files are never shown in the webbrowser but my website searches for these files (PHP code), which contains sensitive information.
How can I make the PHP code allowed to read these files but restrain access through the url, so a potential hacker wouldn't be able to read the content of these files?
put them out side your document root folder and place the following .htaccess file in the folder you want to protect. Also if you don't want to access it through a particular IP remove the last line.
order deny, allow
deny from all
allow from 192.168.0
[EDIT:]
To allow php scripts, etc. allow localhost (127.0.0.1)
order deny, allow
deny from all
allow from 127.0.0.1
You should put them in another folder and make the .htaccess deny from all, allow from 127.0.0.1
Old trick for that: Prefix the files with <?php die("I'm a fraid I can't do that, Jim"); ?>, and call them *.php. On parsing, ignore the prefix.
Edit
Why do this? The rationale behind it is, that you avoid a dependency on some special webserver configuration, which acn be forgotten (on moving to a new server), unavailable (many cheap hosts don't give you .htaccess), not applicable to some webserver software (IIS) etc.
So the reasoning is to trade some computational overhead against flexibility, portability and platform independence.
Can you move them out of your website directory altogether? If so, then make sure PHP has access to that directory! (The open_basedir value will need to include it.)
I'd suggest moving the files out of the webroot to be on the safe side
If you use Apache, deny access to all files named secure.txt from within httpd.conf:
<Files secure.txt>
deny from all
</Files>
You may do the same via .htaccess files as well (if your server is configured to allow override access rights from htaccess).
But a better solution would be to include the sensitive information into your PHP scripts themselves, or to store it in a database.
Apologies if my question is unclear, but I'm not quite up with the jargon. By 'resource directories' I mean my css, php scripts, images, javascript ect.
I used an .htaccess file in my images directory that contained
deny from all
to do this. Though this prevented people from typing "www.example.com/images" into their browser and accessing my images directory, the images stopped appearing on my website.
I assume this is because the .htaccess file is even denying my source code from accessing the images. How can I let my source code access directories? I also have a cron job running a php script every night. The cron job also needs to be allowed to access the scripts directory.
Also, is using .htaccess files even the best way to secure a site?
To prevent someone to view your images directory, you need to disallow Directory Listing.
http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
You cannot use deny from all, because nothing can be loaded from that directory from a web browser, so your images which you load with on your website won't load either.
Options -Indexes will disallow people to list files in your images directory. Please see http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
For securing data from being viewed by people who shouldn't you can use a authentication. You can setup a login field with htaccess, or script one with, for example PHP or python.
Login script with htaccess:
Script:
http://www.htaccesstools.com/htpasswd-generator/
Password file:
http://www.htaccesstools.com/htaccess-authentication/
You can prevent from accessing any directory you want:
Add this snippet in your httpd.conf file (you can find httpd.conf file here C:\wamp\bin\apache\apache2.4.9\bin)
<Directory "c:/wamp/www/directory_A/">
Options -Indexes
</Directory>
In this case you can access www directory but can't inside directory_A.
or
<Directory "c:/wamp/www/directory_A/uploads/">
Options -Indexes
</Directory>
In this case you can access 'directory_A/' directory but can't inside 'uploads/'.
Could access to files like df9dfglh_56_ghf.mp3 in /www/pub/ prevented with an empty index.html file? (but giving access via index.php with login to a database that then links to that file name)?
UPDATE: but I would rather NOT restrict access to the directory, if I want to play the file in my own 'cloud player'... (bit like the youtube category: only people with the link can see the file)
The bottom line: I want minimise server traffic, or copyright problems (if those files became publically accessible)
For preventing access from a certain file or even for a certain type of file, you can use the .htaccess, which is an apache configuration file that provide some ways to make configuration changes on a per-directory basis. And then append to it the following line
<Files ~ "\.mp3$">
Order allow,deny
Deny from all
</Files>
For your specific case, you can even use it this way:
<Files "df9dfglh_56_ghf.mp3$">
Order allow,deny
Deny from all
</Files>
If you wish only that the file is not listed on the index you can use this very same file to do what #Ynhockey said and issue the configuration:
Options -Indexes
I hope it helped. Cheers
if you set inside your data folder empty
index.html
When user browse ..
http://yoursite/data/
he will see empty page and he wont see your mp3 file...
But if he goes to
http://yoursite/data/yourmp3name.mp3
he will open your mp3..
By simply having an index.html or index.php, you would only be disabling directory listing. People will still be able to access any files inside that directory though if they have the direct URL to it.
If you would like to block access to specific files, you will need explicitly restrict access to those files. Here is a good resources to get started with that.
An empty index file can prevent a directory listing from showing, but it does not prevent direct access to files. This can also be done by putting the following line into your .htaccess file:
Options -Indexes
I think what you are referring to is Apache's directory-listing when there is a directory without an index. Yes, an empty index will hide this listing but no, it will no prevent access to files if the path is known. If this "share link to authorised persons only"-policy is secure enough for you then fair enough. If you want anything more secure you should consider using mod_auth or something similar og limit access by only allowing access to a .php file or something similar that provides access to only the authorised users.
in principle yes it will disable the file listing, but if the user knows the exact path, then he will be able to view/download the given file.
an effective way of doing, what i believe you are trying to do , is to put the files in a dir that is not visible by web, and then serve the files via php. then the link will be smth like,
domain.com/getfile.php?fileindetification=thefile then in getfile.php you can authenticate the user and then serve him the file, you can do even more, you can make the currentlink, be valid only for a short period of time.
it will be better to keep the file out of the web root folder so that no one outside get access to the file.
Looking some frameworks like Code Igniter I see they use a "defined" check on the syspath to prevent users opening the files from the subfolders, and also an index.html placed on every folder.
Can't I just use a mod_rewrite and get rid of these checks?
Is the mod_rewrite enough to let the users access only the index.php of the entire application?
You can move all the files for your application out of the web root and only have those files there that should be accessible by users.
Place all non-accessible files in folders and then put a new .htaccess file in each folder containing:
order deny,allow
deny from all
This will prevent HTTP access to those folders in Apache (other servers will have equiv. options). We use this to prevent access to incldue/, which contains the libs, static config etc.