Prevent Code Execution from External Acess - apache

Here is my directory structure
root
private
public
Using .htaccess and/or httpd.conf, I want to limit access to the private folder to only code executed from the root folder. So, no external access to anything in the private folder. Honestly, I have tried a lot of options, but nothing seems to work.
My test environment is XAMPP - installed on my local machine.
EDIT
One of the issues I encountered was using the wrong directory path. I created a simple PHP page with just phpinfo()
<?php
phpinfo();
?>
In the PHP Variables section, I looked for _SERVER["CONTEXT_DOCUMENT_ROOT"]. I used this for the directory path and then added private (the folder in the root that I wanted to limit access to). Thus, my completed code in the httpd.conf is below:
<Directory "E:/xampp/htdocs/home/private">
Order deny,allow
Deny from all
</Directory>

Using Order deny,allow and Deny from all should be already sufficient
Order deny,allow
Deny from all
If you put this in a .htaccess in the private folder, all access from outside will be prohibited.
Alternatively, you can put it in a <Directory /path/to/root/private> in httpd.conf, which has the same effect
<Directory /path/to/root/private>
Order deny,allow
Deny from all
</Directory>
Update:
According to Apache HTTP Server Tutorial: .htaccess files you should prefer httpd.conf over .htaccess files
You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

Related

Apache2 403 Forbidden in custom document root

I have searched anything on this topic in the internet and i just cannot get it to work. I am desperate....
I just want to access my index.php inside a custom document root folder but i keep getting this error
The new document root that i want instead of the /var/www/html default is called
/home/ever/FH/SKS/frontend
I have set all the permission recursively to 775 for this folder and all subfolders.
The main apache configuration file /etc/apache2/apache2.conf looks like this:
Most instructions i have found on how to set a new directory root, told me to just change the path inside the /etc/apache2/sites-available/000-default.conf file to point to my new document root.
My 000-default.conf:
I also tried a version of the 000-default.conf file that looked like this:
The symlinks should be corrrect:
I have not set up any .htaccess file or changed anythign else.
Please help me... i am desperate. In XAMPP this is done super easy, but i refuse that this cannot be done with the normal Apache server too. It cant be THAT big of a deal can it ?
It seems that in version 2.4 of the apache webserver i have to use
<Directory /var/www/foo>
Require all granted
</Directory>
instead of 2.2 syntax
<Directory /var/www/example.com>
Order allow,deny
Allow from all
</Directory>
furthermore i have to place the configuration inside the
/etc/apache2/apache2.conf
file instead of the
/etc/apache2/sites-available/000-default.conf
file.
My apache2.conf now looks like this:
allowing me to finally access the file WITHOUT PHP support it seems....
but this is another long complicated battle that never happened before with XAMPP i guess.....

How to add .htaccess rules inside <VirtualHost> or inside the httpd.conf file

A short explanation of what I'm doing is: I need to automatically create virtualhosts for each ip address on my machine, make it point to the vsftpd user directory (/home/xxx) and deny any kind of scripts from being executed.
I want to stop any kind of webpages and especially PHP scripts from being executed, because it would post a huge security risk(apache is sudo). The purpose of this virtualhost is purely to serve game resource files, extentions like .wav , .mdl , .tga , .spr and so on.
I searched around and found this
deny from all
<filesmatch "\.(avi¦wmv¦mpg¦mov)$">
Allow from all
</filesmatch>
But this is .htaccess content. How can I implement this functionality of only allowing certain extentions inside my httpd.conf file? It would be a pain to make it use .htaccess, and a risk because users might edit them.
Please refrain from any comments unrelated to my question, such as "sudo apache? you're a dumbass" and so on.
There is no such thing as .htaccess only content. The is a huge misconception. Most of time you do NOT want to use .htaccess and Apache recommends that you not use it unless necessary. Apache rules can always be put in the server config.
When not to use .htaccess
Now you can put that in your VirtualHost directive. The same location where your document root is defined.
The FilesMatch directive can be used in these context.
Context: server config, virtual host, directory, .htaccess
http://httpd.apache.org/docs/current/mod/core.html#filesmatch
So in your vhost file you can add a Directory directive like this example.
<Directory /path/to/documentroot/>
Deny from all
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Allow from all
</FilesMatch>
</Directory>
If you are using Apache 2.4 then you need to use Require.
<Directory /path/to/documentroot/>
Require all denied
<FilesMatch "\.(avi|wmv|mpg|mov)$">
Require all granted
</FilesMatch>
</Directory>

How to allow files to be accessed by scripts but not the internet - Apache

I wish to set up an apache server running php. I want all the files in a particular folder (say /site/ ) to be accessible from www.example.com/ . However I wish the files in /site/data/ to be not visible through www.example.com/data/ . I want www.example.com/fun.php script to be able to read/write to /site/data/ . What is the best way to do this through premissions and the apache defalt file?
You need to set up your directory structure slightly differently to what you have proposed. Rather run your site under a directory like:
/site/html
and store your data under a directory like:
/site/data
configuring Apache to only serve files from /site/html and not /site/data
or if you are using a more traditional apache directory structure then put the files you want publicly accessible through the web server in:
/var/www/html
and the private data files you only want your application to have access to in something like:
/var/www/data
Your Apache conf file will then contain something like:
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
This way the files in /var/www/data will not be publicly accessible but these files can still be accessed by php scripts in /var/www/html/
Disable Apache directory listings by putting this in your .htaccess file under /site/data
Options -Indexes

How to execute .htaccess script based on local machine or live?

I want my htaccess code to work only on my live machine and not the local,
What code can I write in the HTaccess to differentiate?
In your local apache VirtualHost add this instruction:
<Directory /my/directory/where/the/htaccess/is >
# prevent reads of .htaccess files
AllowOverride None
</Directory>
Then you local Apache will never read any .htaccess in this directory (and subdirectories)

Prevent access to files in a certain folder

I have a folder with a lot of .php files. I would like to deny access to them (using .htaccess). I know an option is to move this folder outside public_html, but this is not possible in this situation.
Is is possible to block access to a whole folder?
Add this to the .htaccess file:
order deny,allow
deny from all
Apache 2.4 now uses a different way to do this so the method that works for Apache 2.2 will not work. See below for the method that will work for Apache 2.4. Place this in your Apache .htaccess file or better yet in a <Directory> directive in the Apache .conf file for your site.
Using .htaccess:
If using Apache 2.2:
order deny,allow
deny from all
If using Apache 2.4 use:
Require all denied
Using Apache Configuration files:
Instead of using a .htaccess file, it is usually preferred to place the configuration directly in your Apache .conf file as follows:
<Directory "/var/www/mysite">
Require all denied
</Directory>
Or if using a virtual host:
<VirtualHost *:80>
### Other configuration here ###
<Directory "/var/www/mysite">
Require all denied
</Directory>
### Other configuration here ###
</VirtualHost>
Of course the above configurations are examples, and you will need to adjust according to your requirements.
Create .htaccess file inside the desired folder with the following contents:
Deny from all
Edit apache2.conf or httpd.conf, whatever you find in Apache2 directory (probably located in /etc/apache2). You'll need to edit/check the following:
AllowOverride ALL (in the related <Directory> tag)
AccessFileName .htaccess
Edit your site's configuration file only in case you have a <Directory> tag specified inside it and add the following line:
AllowOverride ALL
Restart your Apache2 server
service apache2 restart
The above steps are all meant for Linux environments. The same instructions would work well for Windows environments except for the paths and the server restart command.
Reference: http://www.cyberciti.biz/faq/apache-htaccess/
Just add a .htaccess file with the code Deny from all to the folder.
More info at http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html