Apache. View only access on a directory - apache

Within apache can I restrict users to listing the contents of a directory or is it true to say that once a user has been allowed access there is nothing to restrict them from downloading the content?

<Directory "c:/[your path]">
Order Allow,Deny
Allow from all
#Options Indexes
<LimitExcept ALL>
require user [your user]
</LimitExcept>
</Directory>
Without Options Indexes in the *.conf file, the user can't list the contents of the directory. They can still access a resource of the file.
I think that was what you were asking for!

Related

Apache allow all sites to use .htaccess file

On our Apache server no users can upload the .htaccess file. They get a critical error when uploading just this file via FTP. We can upload all other file types just fine. Is there a way I can allow this permission across all my sites?
This was fixed in the end by adding the following lines to the vhost config for the site:
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
Require all granted

Hiding files even from authenticated users using .htaccess

I'd like to use settings in my .htaccess-file to exclude certain files from being displayed.
For some files (here data/important.json) I want even authenticated users to be excluded from viewing the content of those files.
For other files (here showerror.php) I'd like to give access to everyone.
The .htaccess-file in my root directory contains:
SetEnvIf Request_URI ^/showerror.php noauth=1
#SetEnvIf Request_URI ^/data/important.json noway=1
Order Deny,Allow
Satisfy any
Deny from all
Require user TestUser
Allow from env=noauth
#Deny from env=noway
The .htaccess-File of the folder /data/ contains:
<Files "important.json">
#Order Allow,Deny
Deny from all
</Files>
It seems that the Satisfy any allows authenticated users to view the file. So is there a way to also exclude authenticated users from viewing the content of important.json?
You can simply overwrite the require of your root-.htaccess with the following require-setting in the .htaccess of your subdirectory:
Require all denied
Also see: https://httpd.apache.org/docs/current/upgrading.html
If you'd like to do this file by file, use:
<Files "important.json">
Require all denied
</Files>

Apache: Allow directory listing but require valid-user to download files

Is it possible with Apache to enable Indexes for a directory and be able to view every file, but at the same time, password protect only certain file types? When I use <FilesMatch "\.(type1|type2)"> they become hidden from the directory listing, but do become password protected. I just need them to be available in the directory listing because... reasons.
Here's what I got that does half the job.
<FilesMatch "\.(dat|mca|mcr)$">
AuthName "Protected Files"
AuthType Basic
AuthUserFile /home/web/maps/.htpasswd
require valid-user
</FilesMatch>
<Directory /home/web>
Options +Indexes
</Directory>
IndexOptions +showForbidden will allow autoindex listings for things that may eventually require authentication (or are forbidden for any other reason!)
Consider installing your own indexer; typically this is just a PHP script in the directory itself (index.php) that dynamically retrieves the directory listing. Just like Apache's mod_autoindex would, but potentially with nicer looks.
DIY:
listing files in folder showing index.php
Off-the-shelf:
http://autoindex.sourceforge.net/
http://pdirl.newroots.de/
http://www.evoluted.net/thinktank/web-development/php-directory-listing-script
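The listing-plus-protection setup discussed above as one configuration in Apache 2.4 syntax (an added example, not part of the original posts). Paths and the file pattern come from the question; the `.ht*` guard and the `IndexIgnore` line are additions assumed here because the question's password file path lies under the listed directory.

```apache
# Added example: list every file, but ask for a login before serving
# .dat/.mca/.mcr content.

<Directory "/home/web">
    Options +Indexes

    # mod_autoindex runs a subrequest per entry and normally hides entries
    # that would answer 401 or 403. ShowForbidden keeps them in the listing.
    IndexOptions +ShowForbidden

    # Assumption: keep Apache control files out of the listing, since
    # ShowForbidden would otherwise display their names as well.
    IndexIgnore .ht*
</Directory>

# Only the matching file types require authentication.
<FilesMatch "\.(dat|mca|mcr)$">
    AuthType Basic
    AuthName "Protected Files"
    AuthUserFile "/home/web/maps/.htpasswd"
    Require valid-user
</FilesMatch>

# Assumption: the password file is inside the served tree, so refuse to
# serve .htpasswd/.htaccess to anyone, logged in or not.
<Files ".ht*">
    Require all denied
</Files>
```

With ShowForbidden the names of the protected files are visible to anonymous visitors; only their content stays behind the login.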

How can I password protect a VHost for external viewers?

I have been struggling with this problem for some time now. Let me break it down:
We have an apache2 server which hosts most of our company's websites. Each website is a separate vhost. One of these vhosts is used by our internal UI Designer to present his latest drafts and projects to both internal users and 3rd party clients. At the moment, this VHost is password protected from the Vhost configuration file using this directive:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
Allow from all
AuthUserFile /home/secure/passwords
AuthName "Username and password required"
AuthType Basic
Require valid-user
</Directory>
What I need is to make this website available (so NO password prompt) to our internal users meaning a specific IP range. I have tried to use the Allow from 192.168.xxx.xxx option in the above instruction set. However this is not letting the internal IP through (still asking for a password). So I tried to use our company's external IP address (which you can find on any "what's my IP website"). No luck with that either.
So for my last attempt, I have created a second vhost which obviously uses a different ServerName. Also, in order not to have any conflicts in the configuration file, I have created a symlink to /var/www and called it www2. Therefore, the Directory directive in the second vhost file looks like this:
<Directory /var/www2/>
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
Allow from all
</Directory>
However the configuration files are clearly conflicting because with the current configuration I get password protection on both hosts. If I disable this in the first Vhost, I lose it on both.
There is no .htaccess file in any of the directories, so there is nothing there to overwrite the configuration. The apache2.conf file has nothing defined related to Auth.
I'm not sure if you require more details, but feel free to ask me anything.
I appreciate the help!
----edit----
I just want to specify that I can't say 100% that my method of doing it is the correct one. Maybe setting up 2 VHosts isn't the solution to my problem. If anyone thinks of a better way of doing it, I'm open to suggestions. Bottom line is that I need one website to be available to internal users and password protected for anyone else.
Cheers!
Have you tried to solve this using the Satisfy directive of Apache?
For example:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
Allow from all
AuthUserFile /home/secure/passwords
AuthName "Username and password required"
AuthType Basic
Require valid-user
Allow from 192.168.1
Satisfy Any
</Directory>
More information can be found here
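The same "internal network or password" policy in Apache 2.4 authorization syntax, where `<RequireAny>` takes the place of `Satisfy Any` with `Allow from` (an added example, not part of the original answer). The directory, realm and password file come from the question; the 192.168.1.0/24 range is an assumed internal network.

```apache
# Added example: Apache 2.4 (mod_authz_core / mod_authz_host) form of the
# Satisfy Any answer above.

<Directory "/var/www/">
    Options Indexes FollowSymLinks MultiViews

    # Assumption: no .htaccess overrides, so the rule below cannot be
    # relaxed from inside the document tree.
    AllowOverride None

    AuthType Basic
    AuthName "Username and password required"
    AuthUserFile "/home/secure/passwords"

    # Access is granted when EITHER condition holds:
    #   - the connection comes from the internal range (no prompt), or
    #   - the client supplies valid credentials (everyone else).
    <RequireAny>
        Require ip 192.168.1.0/24
        Require valid-user
    </RequireAny>
</Directory>
```

`Require ip` is evaluated against the address Apache sees on the connection, so behind a reverse proxy or NAT gateway every client may appear to come from that device's address. Check the client address recorded in the access log before choosing the range.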

How can I create read-only FTP access for user on Apache server?

I have a web site with lots of pages of photography. In order to allow visitors to download groups of photos without having to save each one individually, I want to create a read-only FTP user that will be publicly available.
Via the control panel for the host, I can create "regular" FTP user accounts, but they have write access, which is unacceptable.
Since there are several domains and subdomains hosted on the same server I don't want to use anonymous FTP -- the read-only FTP account should be restricted to a specific directory/sub-directories.
If possible, I would also like to know how to exclude specific directories from the read-only FTP access I grant to this new user.
I've looked all over on the server to find where user account info is stored to no avail. Specifically I looked in httpd.conf, and found LoadModule proxy_ftp_module modules/mod_proxy_ftp.so, but I don't know how to go about working with it (or if it's even relevant).
It seems like your reason for using FTP is to let people download many photographs at once.
You can just serve links to zip files too, using standard Apache HTTP access control. This way the specific risk of people deleting or overwriting your files, which you mentioned, is eliminated by using plain HTTP.
You can make one directory to provide an index of the zip files to download:
<Directory /var/www/photos/>
Order allow,deny
Allow from all
Options Indexes
</Directory>
And apply standard permissions to the rest of your directories:
# your file system is off limits
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
DocumentRoot /var/www/
# the rest of your content.
<Directory /var/www/>
<LimitExcept GET POST>
deny from all
</LimitExcept>
Order allow,deny
Allow from all
Options None
</Directory>