Is it possible to hide a folder from the www directory so that the php files will not be seen if you access it through a web browser?
I'm doing this because I'm not yet good enough to secure those files and the mysql database that they are manipulating.
Or even a trick that would make the web browser not to be able to access the localhost is fine. Please
If you have a directory and you don't want Apache being able to serve any file that's in it, you can create a .htaccess file in that directory, containing :
Deny from all
This will make sure Apache refuses serving any file from that directory -- but they will still be accessible by PHP scripts running from another directory or from the command-line.
If you want Apache to be able to serve the files, but not list the content of the directory when a user accesses that directory without any filename in the URL, you can use this in your .htaccess file :
Options -Indexes
This will disable listing of files inside the directory that contains the .htaccess file -- but will not prevent Apache from serving the files themselves.
Just put the files outside of the document root and include them from there.
A very simple trick if you don't have Apache, hence no access to .htaccess (that sounds like I'm repeating myself), just create a file index.htm or index.html containing NOTHING. Any attempt to access that folder will just show a blank page.
Related
Let's assume we have a shared host. The web root is located in /home/username/www/. Now, I have a PHP application which reads a configuration file, located at /home/username/www/include/config.json. This configuration file stores passwords and other configuration information. Assuming that access to /home/username/ or any directory outside the web root is not possible, how would I go about securing config.json from people directly GETting it?
If storing configuration information in a plaintext file is not feasible, please advise on other ways to do so.
There are two ways for secure your directory structure and prevent reading other files and content in your directory.
Disable directory content listing
Using htaccess
Putting the following the .htaccess file shall disable directory listing.
Options -Indexes
Using index.html
If the server does not allow this, then the easiest way is to put a dummy index.html file in all directories.
So that when directory path is accessed, the index.html will open up.
Keep resources outside WEB_ROOT
When hosting applications on a server , the path is generally like this :
/var/www/
OR
/home/username/www/
All web content is kept inside www , then only it is accessible on a website. But those contents which are not meant to be directly accessible from a url , can be kept outside the /www.
For example uploaded images , or resource files , or files containing database connection parameters or anything.
php files to be called by browser in
/var/www/
Other resource files in
/var/outside/
By doing this the files automatically become invisible to outside world even if directory listing is enabled.
You need a .htaccess file in your include directory that will make it unavailable from outside:
Options -Indexes
Order allow,deny
Deny from all
or for apache 2.4
Options -Indexes
Require all denied
Another solution would be to move the include to /home/username/include
So I am creating a template system that is the same across multiple sites, the only thing that changed is the configuration file. I am making so all the files are getting fetched from the root directory. I can do it with all my php and html files, but I can't see to figure it out on my .htaccess file. How the directory is set up is /home/user_name/template and then there are also folders like /home/user_name/site1.com and all off the sites. So how can I make all of the site use the same .htaccess file. I hope that makes sense!
According to Wikipedia
A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration. They are placed inside the web tree, and are able to override a subset of the server's global configuration for the directory that they are in, and all sub-directories
From Oracle-Docs :
If you enable .htaccess files, the server checks for .htaccess files before serving resources. The server looks for .htaccess files in the same directory as the resource and in that directory's parent directories, up to and including the document root.
For example,
if the Primary Document Directory is set to /oracle/server/docs
and a
client requests /oracle/server/docs/reports/index.html,
the server will check for :
.htaccess files at /oracle/server/docs/reports/.htaccess and /oracle/server/docs/.htaccess.
suppose you have 2 sites and you want to setup .htaccess for both your both sites using a single file
then just create the file structure like following
parent
site1
site2
.htaccess
Here upload all data of site1 into the site1 folder and so on.
If the server is a linux/posix system, you can create a symbolic link to the root .htaccess file.
This should be something like
cd /home/user_name/site1.com
ln -s ../template/.htaccess .
Beware the file permissions, so only you can write to it.
How can I restrict the user into the root directory and not able to get access to the parent directory of the root.
I have EasyPHP installed and following I am considering as root:
http://127.0.0.1/projects/Web%20Developement/aureus/files/
I don't want user to able to move to the parent directory but when I add "dot dot slash" ../ at the end of above URL I can access "aureus" directory. How can I stop this by .htaccess or any other way?
You can't do correctly with .htaccess. You'll need to edit the configuration for the domain in the main config file. When you go into your httpd.conf file or your included file for the virtual hosts you need to look for the DocumentRoot you're setting for the server. The web server only has access to what you grant it.
If you can access a folder you're trying to lock down via the web or a browser on another machine, you'll need to look at a variety of permissions settings depending on the OS you're running. You can restrict access to folders and prevent the users in Linux for example from seeing the files with chmod. In Windows (if that's what you're running) you would right-click on the folder, select properties, and change the permissions under the security tab.
Not sure what the point of all this is, but if you simply don't want any ../ in your URLs, then you can try adding this to your htaccess file:
RewriteEngine On
RewriteRule ^(.*)\.\./(.*)$ /$1$2 [L,R=301]
I think rather than specifically try to stop the use of ../ in the url, you should have htaccess in folders you do not want people/bots/other to be in.
This
Options -Indexes
in a .htaccess file will stop directory listing in whatever folder the htaccess file is in. It'll serve a 403, but you can use htaccess to serve 404 or redirect based on what you need (other than "stop user to able to move to the parent directory" I'm not 100% sure what you want)
Cheers
Which is the best way to prevent certain directories of a web site from being directly accessed?
1- Creating and placing a .htaccess file in each directory we want to protect and place the next line in it:
Deny from all
2- Creating and placing a index.php file in each directory we want to protect and place only the next line of code in it (which will redirect to homepage of the website):
<?php header("Location: http://" . $_SERVER['HTTP_HOST']); ?>
3- Something else (what is it?)
As mentioned in the comments, the safest way is to place content or directories outside the web server's public document root. This will ensure that content will not be served even if an .htaccess file is deleted or if the server does not allow .htaccess overrides.
To determine your document root you can just echo the PHP $_SERVER['DOCUMENT_ROOT'] variable. So if your root is /var/www/html, you can create a folder /var/www/protected_folder and Apache (or other web server) will never serve it (unless the http.conf file is altered to modify the document root folder).
If the folder must be in the document root, then using an .htaccess file to either DENY or redirect is a good alternative.
As TerryE mentioned, you could also use OS-level file permissions to deny the Apache user access to the folder (set a different user as the owner and then set permission on the folder to 700, for example). If they try to access the folder they'll get a 403 Forbidden Error which you may not want to show (though you could set up a custom 403 error handler in http.conf or htaccess). Depending on specifically what you are trying to do you may want this approach, as it will also let you prevent access from scripts (i.e. PHP include() etc) if you want to, as PHP runs under the webserver user by default. The major downside of this approach is that file permissions are often not preserved during migrations (if they're not done correctly) and file permissions can sometimes be reset inadvertently when altering parent folder permissions with a recursive flag (whereas it's unlikely that someone would inadvertently move a folder into the document root).
Is it possible to set the .htaccess file to deny all users but allow includes such as PHP functions or CSS?
Thanks
Yes, that's one of the most popular uses of the .htaccess file. Set up .htaccess to deny all. Nobody can download the pages in that directory, but you can include php files from this directory in your other directories. You can't really host css files in the directory and then deny all, because the user has to download these directly. Same goes for images and javascript files. Basically, anything the client has to read shouldn't go in a "deny-all" directory, but stuff that only needs to be read by the server, like php includes are fine.
If you don't want something to be downloadable, then don't put it into a public-facing directory. Put those files in a different directory outside the webroot.
This way they don't get exposed if the .htaccess gets disabled somehow.