Is it possible to configure Apache to disallow websurfers to access particular folders and seeing a directory listing but allow browsers to retrieve files from those folders. Let's say you have some images in a folder, you might want to allow users to see specific ones but not to view the contents of the entire folder. The user can only see the ones known to exist on the server in a particular folder.
Yes it is indeed possible using any of these directives:
Options -Indexes
OR
IndexIgnore *
Related
I am trying to decide whether to use .htaccess files in each sub-directory to deny all requests for specific files (while also denying directory indexes), or whether it is more security conscious to move all files except for essential files (index.php, .htaccess, robots.txt) outside the root directory and call them from the index file.
Are there any critical differences in security between these two methods for securing files in my web application?
Here is a view of what the .htaccess looks like in the root directory.
# pass the default character set
AddDefaultCharset utf-8
# disable the server signature
ServerSignature Off
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|lock|DS_Store|json|)$">
order allow,deny
allow from all
</FilesMatch>
# disable directory browsing
Options All -Indexes
# prevent display of select file types
IndexIgnore *.wmv *.mp4 *.avi *.etc
However, this would not stop someone from accessing a file if they knew the directory structure such as https://www.example.com/security/please_dont_look.cfg
Although that file does not print anything, I don't want anyone to know it exists, and don't want a site-specific solution like using modredirect to redirect calls to specific files.
I could use a .htaccess file in each directory such as this:
order deny,allow
deny from all
From this question and reply (Prevent access to files in a certain folder)
Is one solution more bullet-proof than the other?
As always in such complex systems, security here is about having several lines of defense, keeping things simple and attempting to prevent as many attack vectors as possible.
Theoretically both solutions should provide you with the exact same level of security - the files would not be accessible in either case.
I'd recommend moving files that should not be accessed directly into a directory outside of the web root directory. It is quite easy to screw up htaccess files and thats just not possible when you move the files outside of your webroot. This will also prevent timing attacks against the directory structure of your server: reading htaccess files comes with a time penalty and that might be measureable, especially if your htaccess files get big and you have plenty of them for each sub directory. Actually I'd recommend skipping htaccess entirely, just disable indexes directly in your vhost configuation, such that Apache does not have to look for htaccess files at all, speeding up your website.
Additionally, in case you run php via fcgi, you should disallow file access on a file system level for apache and just allow access from php. With this setup it should be outright impossible to access your files by attacking the webserver (excluding php) unless you have some privilege escalation vulnerability (in which case you are screwed anyways).
The only way to access your confidential files in this setup would be to convince PHP to read the file or to mess with the file system, i.e. by creating a hard link from your web root into your "confidential files outside web root"-directory. Preventing against that boils down to ensuring your PHP configuration is as restrictive as possible, file creation inside the webroot is disallowed and, most importantly, ensuring that the PHP application itself is not vulnerable.
I have a generic site in /var/www/ and I did put my webpages in html, including sub folder that I am planning to use to store pdf and doc files.
Now; I would like that when a user go to mysite/files/docs or mysite/files/pdf, they can see the list of files, but even if they click on the parent link on that page, or if they type the url (like mysite/files); they won't see the list.
Is possible to enable the file display feature but only for certain folders? I did check Apache manual and it has options to set in httpd.conf file, although it was not really showing how to turn on or off specific folders; just how to turn it on and off globally.
I have .htaccess files that I use for settings, but even in that case; I can't find a way to display only some folder content and not others.
Create a .htaccess file in each directory files/docs and files/pdf
Then inside each .htaccess file add
Options +Indexes
That's it. It will display the files of only those 2 directories.
Is there a way to stop people from accessing directories where all my members file's are stored.
For example, I have mysite.com/members/$mem_id and in there that particular members files are stored, such as images. Is there a way to stop all of these been accessed directly from the URL bar, without placing index.php in every folder, possibly with .htaccess?
Also, once the folders have being blocked, the site itself still needs to access the files in them to display round the site.
To disable directory listing you can use .htaccess and adding this line
Options -Indexes
I have a website running on an Amazon EC2 Linux server, and everything works fine, but when I point the address bar to something like mydomain.com/css or mydomain.com/images, it prints out a list of all the files in that directory to the brower and they're all readable and viewable. I tried chmod'ing some of the folders to have fewer permissions, and that prevented viewing of these files, but it also made them not appear on the site at all. Is there a way that I can protect my documents and server files while also keeping full functionality?
You can prevent the directory listing by disabling it in the Apache config. Just remove "Indexes" from whatever lines it appears on. For example, change from:
Options Indexes FollowSymLinks
To:
Options FollowSymLinks
Edit: Note, you can also add (or edit) the .htaccess in those directories, explicitly disabling indexing for that directory:
Options -Indexes
That's the nature of the web, these files are downloaded to the user's computer so the browser can display them. You cannot protect them from being called from your own site / URL but you can put rules into place that prevent "hotlinking," that is, it will prevent people from linking to the image in their website from your URL. But even then, they could download the file(s) then upload to their own space and carry on.
Sorry I don't have better news, hope this helps!
I would like to have any directory auto-indexing by Apache not display a link to the parent directory. In my current setup, I have only enabled access to all subdirectories, thereby implicitly denying access to the one parent directory of each of those subdirectories. Unfortunately, the auto-indexing is still displaying a link to the parent directory even though clicking on that link results in a 403 response.
IndexIgnore ..
You can read more on the Auto-Index options on Apache Docs.