How to disable the download of files in an Apache2 webserver? - apache

I took over a website which I'm supposed to admin and somebody brought to my attention that certain Indexes and Files are available, which shouldn't be. I will be using dummy names.
You were able to access example.com/intern before, but I changed a line in /etc/apache2/apache2.conf according to this https://stackoverflow.com/a/31445273 . This worked partly, as I get a 403-Forbidden when I now navigate to example.com/intern and that's basically what I want.
However the directory intern governs a file called file.php.bak aswell as file.php. When I navigate to example.com/intern/file.php I get a white website. I am however not sure, if you are able to access file.php in another way, because the site does load and I don't get a 403 like before. What is way worse and the reason I am struggling with this is: If I go to example.com/intern/file.php.bak then my Browser (Firefox) offers me to download file.php.bak, which I can read in plaintext. I want all files in intern to not be accessible via the website, but I have no idea how to do this. Can anybody help?
Things I've tried:
Removing the Indexes from the apache2.conf file like mentioned above. It only puts the 403 on the directory itself and not recursively for all the files in it.
Writing a .htaccess file as described here: https://fedingo.com/how-to-prevent-direct-file-download-in-apache-server/ and putting it in intern with the same result as in 1)
Putting an empty index.html file in the intern directory. This leads to no more 403 in example.com/intern, but the download on example.com/intern/file.php.bak is still possible. I've also tried index.php with the same result.
File System:
The application runs from /var/www/application which is also the folder for the /var/www/application/index.php I want to use. The /var/www/application/intern directory is also there. While it isn't browsable anymore, the files in it still are accessible. /var/www/application/intern/file.php can be navigated to via example.com/intern/file.php, but it seems like it can't be downloaded or read as it results in a white page. /var/www/application/intern/file.php.bak can however be downloaded via example.com/intern/file.php.bak.

Let's say Apache document root is set to DocumentRoot "/folder_one/folder_two"
Placing files in a folder_one will prevent people browsing your apache server and requesting the files directly.
Place index file in folder_two and include some code such as PHP to tell apache to include whatever files you want from folder_one.
In this manor Apache will still be able to serve whatever files you want from folder_one and people will not be able to request the files directly as the are located in a directory above the Apache document root.

Related

Apache is forbidden some very specific pages

I have a Sites folder inside my user directory, where I put all of my apache project files, the weird thing is that I can access all of my folders, except for the main route "localhost/" which, of course, has no index.html document on it, its just folders, but I know I should be able to see something like this:
Index of Sites.
.project1
.project2
.project3
Instead, I get this
403 Forbidden
On my new job I was assigned to this Mac PC that belonged to someone else, and this person of course needed the same tools that I have been asked to download, they told me to uninstall all of that software and install it all over again (which I did), mainly the software that I'm using is an apache server with homebrew.
I have always had this problem, but I ignored it because I thought, well, do I really need to see an "index of Sites" page when I can manually change to whatever folder I want? my answer was, not really.
But yesterday they asked me to download webpack and nodeJs, and I did, so I made a dummy project with webpack that contained all of the js and config files, but it didn't have an index.html file. And surprise surprise, I got a 403 forbidden error when entering the dummy folder in localhost.
So I'm guessing that my apache for some reason is giving me 403 errors when I do not have an index.html file or an index.php file to show.
Have you ever experienced something like this?

Contao is redirecting to non existend development subdirectory

Im currently trying to move a website to production that has been designed using contao. The website has been developed in a subdirectory of the current website. Now when I change the DocumentRoot to the contao directory the application automatically forwards me to the /development directory which in that situation does not exist anymore.
I did a database dump and searched it for "/development" to find the variable that is storing this information but I didn't find a match. I then did the same with the configuration files but it didn't show up any results too. How is redirecting handeled in contao?
It sounds like your pathconfig.php is wrong. After deploying/moving a Contao installation, you should always execute and log into the Install Tool under contao/install.php. This will correct your pathconfig.php.
Also make sure the RewriteBase in the .htaccess is set to the correct value (probably / in your case).

Magento: .htaccess files

I am running Magento Community Edition version 1.7.0.2.
I would like to know, how come are there two .htaccess
files in my installation, one in the magento root directory,
and another one in the magento app directory just beneath
the magento root directory?
On my system the first one is 209 lines long whereas the
second one only contains two directives.
Can anyone please explain how come there are two files
instead of one. Are both parsed or just one of them?
Normaly each .htaccess-File paresed, cause they could be used additional.
The last .htaccess-File may overwrite or enhanced previuos ones.
The .htaccess file in app/ is used to "deny" all access to any file under app. Without this someone could access http://yourdomain.com/app/etc/local.xml and see your database credentials, among other bad things. A similar file should be present in var/ as well (to prevent viewing logs, etc)
Delete the existing file and try adding default new .htaccess file
Magento default htaccess file

Prevent access to files from Apache without .htaccess

(LAMP server configuration)
As a workaround for another problem, I need PHP to be able to access local files, but prevent these files from being served over http by Apache.
Normally, I would just use .htaccess to accomplish this, however due to institutional restrictions, I cannot. I also can't touch php.ini, although I can use php_ini_set within php.
As a creative solution, I thought that if php executes as its own linux user (not as apache) I could use normal chown's and chmod's to accomplish this.
Again, the goal is simply to have a directory of files that apache will not display, but php can access.
I'm open to any suggestions.
Put the files outside of your web accessible root (DocumentRoot), but keep them accessible via PHP.
Suggestion:
/sites
/sites/my.site.com
/sites/my.site.com/data // <-- data goes here
/sites/my.site.com/web // <-- web root is here
Here's a thought. Set the permissions on the files to be inaccessible to even the owner, then when PHP needs them, chmod() then, read them, then chmod() them back to inaccessible.

Access error uploading file using winsp

I am trying to upload two files to a webserver so my teacher can see it. I am using winsp since my filezila doesnt work. But for some reason it is telling me that i don't have access to that page. Can anyone tell me why is it doing that.Here is a picture of my screen.
I am just not understanding why it is telling me that i don't have to access it.
If I had to take a guess, that public_html folder is your public directory where you should put things that anybody can get to (like through a browser). You have your files outside of that directory, so your page can't access them.
edit:
It's an educated guess, as I have seen a fair amount of server configurations that name the public web folder as such (other common names are "www" and "httpdocs")
Problem definitly isn't in code. There is error while uploading files. Can you connect to FTP regulary? If you can. Look for Active or Passive file transfer to FTP. Also if you can upload files, files must be in public_html folder to be visible from browser.
Active or passive
First read Neal comment.
second, you should probably copy the files into the /public_html folder, instead of the / (root) folder.