I have a website that is working properly.I dont know when I do "Domain-name.com/images" It shows me all the images in the images folder present at my site.I dont know why is this.may be this is due to the Directory permissions?But I want to ask know the actual reason behind it
Help will be appreciated.
Note:I am tagging Php and Html because these people might faced this thing while creating website.
This is because there is no index file in the folder, and Apache (assuming Apache) is set to do directory indexes.
Either create an empty index.html or add the following in either apache2.conf (or httpd.conf) or in a htaccess file:
Options -Indexes
You can restrict the folders using .htaccess.
Create .htaccess file in you website root folder and add the following code in it.
RewriteEngine on
RewriteCond $1 !^(css|js|images)
RewriteRule ^(.*)$ index.php/$1 [L]
This is a problem with the configuration of your web server which allows directory listing for your image folder. E.g. on Apache, the most common server software, you would switch it off in the httpd.conf with the directive Options -Indexes in a directory section.
To answer your question: yes. If it's a web accessible directory meaning it resides in the typical webroot folder such as public_html, www, etc and the permissions on the folder are open then anyone can see the contents.
Related
I had a site set up on one server, and it has subsequently been moved.
I had a subdomain that processed a link and forwarded it on. However, with the server move the files now sit in a different place!? Let me explain
SERVER A
example.com (run main site)
my.example.com
I was able to create a subdomain and run files in it with no problem. The main domain and subdomain run like separate sites. My .htaccess file on that worked and had the following lines of code:
RewriteEngine On
RewriteRule ^([0-9a-zA-Z]*)$ index.php?profileId=$1
SERVER B
example.com (run main site)
my.example.com (the files now sit in a subfolder in the root of my main domain so example.com/my.example.com.)
This affects my .htaccess file now and although the subdomain is set up. When I run the page I get a "no input file specified error".
How do I resolve this? Its just a simple file to process but my issue is I have 10000 pre printed QR files that I am unable to change so need to resolve my issue.
RewriteEngine On
RewriteRule ^([0-9a-zA-Z]*)$ index.php?profileId=$1
This should still work OK, assuming...
this .htaccess file is now in the document root of your subdomain (assumed to be example.com/my.example.com) and not the main domain's document root.
The index.php file (referenced in this directive) is located at my.example.com/index.php (not example.com/index.php).
Also, make sure that MultiViews is disabled. You might need to add the following to the top of your .htaccess file:
Options -MultiViews
I am installing Yii2 on a shared hosting environment,Apache, (Godaddy),
here is what I did as per the docs:
Renamed web folder to www
copied all the folders, now the directory structure looks like this:
public_html\
assets
commands
config
controllers
model
modules
views
www\index.php
.htaccess (this is both in public_html and www)
but when I access my domain, I get the following error:
You don't have permission to access / on this server. Additionally, a
404 Not Found error was encountered while trying to use an
ErrorDocument to handle the request.
Here are the contents of my .htaccess which I have copied in both public_html and www.
Options +FollowSymLinks
IndexIgnore */*
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php
is the htaccess creating problem? Is index.php not being run from the right folder? What else should I look for? any help is much appreciated.
Update:
The actual problem with the above error was that It was a Permissions issue.
Set the permissions from 644 to 755, and now the system is accessible.
BUT
the to access index.php I still need to navigate to it manually by typing in the url : www.example.com/www/index.php
UPDATE
As I don't have prettyurl's enabled, just to make it work, I deleted all the contents of the .htaccess, then I copied the contents of basic folder in the home folder (for future visitors it should be like home/your_user _name
CAVEAT EMPTOR
I know almost nothing about .htaccess. Also my this project is just for learning, this solution may not be useful in production settings.
Question is still open for expert advice on best practices in such scenario.
You need to move your domain pointer to www instead of htdocs, its probably somewhere under domain -> root folder. Your .htaccess looks fine.
I still don't quite understand why we must keep index.php in a public directory instead of in the root directory.
root/of/project
public/
index.php
.htacess
(html, image, css, etc)
Then, write the following in our virtual host file:
DocumentRoot /path/to/myapp/app/public
<Directory "/path/to/myapp/app/public">
# other setting here
</Directory>
The .htaccess file then redirects all non-existing URLs to index.php:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
I notice that most frameworks do so, such as Symfony and Zend, just as this tutorial. What is the actual benefits really by having the trouble of modifying the virtual host file?
Why shouldn't we do have this below instead without modifying the virtual host file? Is it a security risk or something?
root/of/project
index.php
.htacess
public/
(html, image, css, etc)
If keeping index.php and modifying the virtual host file is better, how can we modify the virtual host file in the live server then? Let's say I have this domain name, http://my-website.com/ and I access it on my browser, what I see first is not the web page but the directories below untill I click the public directory then I see the home page,
root/of/project
public/
index.php
.htacess
(html, image, css, etc)
I assume that this is the same for Zend or Symfony project as well without being able to modify the virtual host file in the live server. I am no good at these frameworks, I will see this below if I upload my Zend project to the live server,
So, how do you deploy your Zend or Symfony project to your live server to see your web page right away?
It is a very good idea to keep index.php outside of your project root directory because of one simple reason:
You don't want your user to access any files other that one in public folder (index.php, css, js etc). When you will put index.php in root folder you will be also able to access composer.json file for example which is a security risk - a potential hacker will know what packages are you using, in which versions so it's easier for him to perform attack.
When it comes to your hosting - you should have some public_html folder on your root directory which is meant to be public folder (web) of your Symfony app and you should also be able to keep files outside of public folder. If you don't - you really need to think about changing hosting partner
EDIT:
Answering your comment. Let's assume you have public_html folder on your hosting and you want to deploy Symfony app which should be accessible directly on http://your-domain.com. Then you should put whole Symfony project anywhere (but outside of public_html folder) and make a public_html folder a symbolic link to web folder of your Symfony project. This action is equivalent of editing virtual host and changing DocumentRoot which, I assume, you are not able to do.
You can also check my answer on another question to get more clarification
How can I restrict the user into the root directory and not able to get access to the parent directory of the root.
I have EasyPHP installed and following I am considering as root:
http://127.0.0.1/projects/Web%20Developement/aureus/files/
I don't want user to able to move to the parent directory but when I add "dot dot slash" ../ at the end of above URL I can access "aureus" directory. How can I stop this by .htaccess or any other way?
You can't do correctly with .htaccess. You'll need to edit the configuration for the domain in the main config file. When you go into your httpd.conf file or your included file for the virtual hosts you need to look for the DocumentRoot you're setting for the server. The web server only has access to what you grant it.
If you can access a folder you're trying to lock down via the web or a browser on another machine, you'll need to look at a variety of permissions settings depending on the OS you're running. You can restrict access to folders and prevent the users in Linux for example from seeing the files with chmod. In Windows (if that's what you're running) you would right-click on the folder, select properties, and change the permissions under the security tab.
Not sure what the point of all this is, but if you simply don't want any ../ in your URLs, then you can try adding this to your htaccess file:
RewriteEngine On
RewriteRule ^(.*)\.\./(.*)$ /$1$2 [L,R=301]
I think rather than specifically try to stop the use of ../ in the url, you should have htaccess in folders you do not want people/bots/other to be in.
This
Options -Indexes
in a .htaccess file will stop directory listing in whatever folder the htaccess file is in. It'll serve a 403, but you can use htaccess to serve 404 or redirect based on what you need (other than "stop user to able to move to the parent directory" I'm not 100% sure what you want)
Cheers
I accessed a 'superfolder's .htaccess file and accidentally added
Rewrite / http://google.com/
This was done using php. Now I can't access php files in any directory to revert the change.
Is there anything I can do in a subdirectory of root to stop the redirect inside that folder?
Thank you.
And please don't ask more details about the 'accident'.. stupid mistake
I contacted server admin, both laughed at it.. Still interesting though how to stop it redirecting although it shouldn't happen if I use mod_rewrite.
With mod_alias' Redirect, you're screwed. That directive is applied across the board, starting from the path-node where the htaccess file sits (if it's in an htaccess file), or the path-node of the <Directory> block that it sits in. So the only solution is to get an admin to remove it.
With mod_rewrite however, with an htaccess file, it doesn't act the same as within a <Directory> block. Rules inside an htaccess file in a path-node inside a directory has precedence over rules inside an htaccess file in the parent directory. So if you had 2 htaccess files:
/.htaccess:
RewriteEngine On
RewriteRule ^/? http://google.com/
and in /tmp/.htaccess:
RewriteEngine On
RewriteRule ^/?tmp/ http://stackoverflow.com/
And you go to http://yourdomain.com/tmp/, you'll get redirected to http://stackoverflow.com/ because the rules in the tmp directory has precedence over the rules in the parent directory. In face, the rules in the parent directory aren't applied at all unless you've used the RewriteOptions Inherit directive to inherit any rules from the parent directory.
Because of this, you can simply create an htaccess file with the following:
RewriteEngine On
Use FTP to upload it to your subdirectory, and upload the php file that you used to change the parent directory's htaccess file. Then just use your browser and go to that php file in the subdirectory.
Having simply turned on the rewrite engine in your subdirectory, without any rules, means:
I have mod_rewrite active in this directory
Since the rewrite engine is turned on in this directory, ignore all rules in the all parent directories.
Since the mod_rewrite ruleset is blank (no actual RerwiteRule's) nothing happens at all
Accessing this directory, eventhough the rewrite engine is on, mod_rewrite does nothing so it's as if the rewrite engine is turned off.
Sounds counter-intuitive, but that's just how it works.
Connect using your FTP client. Enable hidden files in your FTP client (try FileZilla, this one lets you do that). Delete .htaccess in your superdirectory. If this file has other data in it, copy it to your local computer, make changes and upload it again.
Here is some more help: http://www.intrepid.com.au/how-to-view-htaccess-with-filezilla/