I have multiple laravel projects in my htdocs folder:
htdocs/laravelProjectA
and
htdocs/laravelProjectB
So that if i want to access a laravel route of lets say laravelProjectA the corresponding url will be:
localhost/laravelProjectA/public/myRoute
The problem is that all the laravel files and folders are inside the htdocs folder and therefore accessible to the Web, meaning that i can enter, for example:
localhost/laravelProjectA/.env
and view all the sensible data.
How can I hide all the files and folders but the public folder from each project using Apache? So that localhost/laravelProjetA/.env, localhost/laravelProjectA/.gitignore, and every request for the other files result in a 404 error, or similar.
I know i can leave only the public folder inside the htdocs folder for each project and move the other files and folders somewhere else and then change the public/index.php file, but I want to use apache to hide those files in order to have each project in a single directory.
You have to edit the /etc/apache2/apache2.conf
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
to
<Directory /var/www/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Server will stop showing files
I want to setup a download folder on HTTPD so that the folder it self is indexed and the files are downloaded when clicked.
I tried this, but didn't work:
# Downloads
<Directory /var/www/html/downloads>
Allow from all
Options Indexes
<Files "?*">
ForceType application/octet-stream
Header set Content-Disposition attachment
</Files>
</Directory>
Browsing to /downloads gives me the index of the folder. But clicking the files doesn't open download prompt.
Any ideas?
Regards,
--
Edit:
There seems to be something about my browser. Indeed it IS working.
I have a problem in configuring my Apache. This litte indian is something headstrong.
My Application is located under /var/www/myapp/
There are 3 Elements:
./index.cgi - a python cgi script correctly working
./Application/ - a directory, which should be not public. contains include packages for index.cgi
./Public/ - a directory, public. contains javascripts, css files, images e.q.
My current VirtualHost configuration looks like:
DocumentRoot /var/www/myapp/
Alias /Public/* "/var/www/myapp/Public/*"
<Location "/myapp/*">
Options FollowSymLinks
Order allow,deny
Allow from all
</Location>
ScriptAlias "/index.cgi" "/var/www/myapp/index.cgi"
So /Public is public as wished, index.cgi runs. But: /Application is accessible. How do I lock this directory?
Second thing is: index.cgi should run, when I call www.mydomain.com/ or www.mydomain.com/index.cgi. Nothing else but URI parameters. How do I do that?
Thanks in advance,
BigM
You can verify the permissions in the files, but I think that the problem is that you don't have an alias for the Application folder in your Apache Configuration File.
I'm trying to deny users from accessing the site/includes folder by manipulating the URL.
I don't know if I have to deny everything and manually make individual exceptions to allow, if I can just deny this one folder, or if there's a rewrite function that can be used.
Specific example: I don't want to see the directory files by typing in localhost/site/includes into the URL.
Create site/includes/.htaccess file and add this line:
Deny from all
You can also deny access to a folder using RedirectMatch
Add the following line to htaccess
RedirectMatch 403 ^/folder/?$
This will return a 403 forbidden error for the folder ie : http://example.com/folder/ but it doest block access to files and folders inside that folder, if you want to block everything inside the folder then just change the regex pattern to ^/folder/.*$ .
Another option is mod-rewrite
If url-rewrting-module is enabled you can use something like the following in root/.htaccss :
RewriteEngine on
RewriteRule ^folder/?$ - [F,L]
This will internally map a request for the folder to forbidden error page.
In an .htaccess file you need to use
Deny from all
Put this in site/includes/.htaccess to make it specific to the includes directory
If you just wish to disallow a listing of directory files you can use
Options -Indexes
We will set the directory to be very secure, denying access for all file types. Below is the code you want to insert into the .htaccess file.
Order Allow,Deny
Deny from all
Since we have now set the security, we now want to allow access to our desired file types. To do that, add the code below to the .htaccess file under the security code you just inserted.
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
your final .htaccess file will look like
Order Allow,Deny
Deny from all
<FilesMatch "\.(jpg|gif|png|php)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Source from Allow access to specific file types in a protected directory
You can create a .htaccess file for the folder, wich should have denied access with
Deny from all
or you can redirect to a custom 404 page
Redirect /includes/ 404.html
Just put .htaccess into the folder you want to restrict
## no access to this folder
# Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
Source: MantisBT sources.
Creating index.php, index.html, index.htm is not secure. Becuse, anyone can get access on your files within specified directory by guessing files name. E.g.: http://yoursite.com/includes/file.dat
So, recommended method is creating a .htaccess file to deny all visitors ;). Have fun !!
You can also put this IndexIgnore * at your root .htaccess file to disable file listing of all of your website directories including sub-dir
On Apache 2.4 you can use an Apache <If> expression in the root .htaccess file to block direct access to this specific subdirectory and everything within it.
For example:
<If "%{REQUEST_URI} =~ m#^/site/includes($|/)#">
Require all denied
</If>
You can do this dynamically that way:
mkdir($dirname);
#touch($dirname . "/.htaccess");
$f = fopen($dirname . "/.htaccess", "w");
fwrite($f, "deny from all");
fclose($f);
For some reasons which I did not understand, creating folder/.htaccess and adding Deny from All failed to work for me. I don't know why, it seemed simple but didn't work, adding RedirectMatch 403 ^/folder/.*$ to the root htaccess worked instead.
I don't like how if you go to certain folders on my website that don't contain a .html file that it will list all the files in it. I don't want to give access to that. Such as: http://christianselig.com/css
How do I hide these?
You need to tell your webserver to stop directory listings. For apache, add this to your httpd.conf or any other related config file
<Directory /path/to/directory>
Options -Indexes
</Directory>
If placed in a .htaccess file, AllowOverride Options must be enabled for the desired directory.
If you are using Apache webserver and have access to httpd.conf you can set "Options -Indexes" for directory which content you want to hide.
If you have no access to httpd.conf you can create .htaccess file in directory which content you want to hide with "IndexIgnore *"