Prevent access to files from Apache without .htaccess - apache

(LAMP server configuration)
As a workaround for another problem, I need PHP to be able to access local files, but prevent these files from being served over http by Apache.
Normally, I would just use .htaccess to accomplish this, however due to institutional restrictions, I cannot. I also can't touch php.ini, although I can use php_ini_set within php.
As a creative solution, I thought that if php executes as its own linux user (not as apache) I could use normal chown's and chmod's to accomplish this.
Again, the goal is simply to have a directory of files that apache will not display, but php can access.
I'm open to any suggestions.

Put the files outside of your web accessible root (DocumentRoot), but keep them accessible via PHP.
Suggestion:
/sites
/sites/my.site.com
/sites/my.site.com/data // <-- data goes here
/sites/my.site.com/web // <-- web root is here

Here's a thought. Set the permissions on the files to be inaccessible to even the owner, then when PHP needs them, chmod() then, read them, then chmod() them back to inaccessible.

Related

Apache routing without htaccess

I am working with a custom website built in PHP running on Apache server. The client wants to move it to a new server. I moved everything including the .htaccess file, the homepage loads fine but all the other urls like site.com/register isn't working. I'm sure this is not handled by code in the old server because I renamed everything (including .htaccess) and it still works. If I create a file like test.php in the old server, I can access it like site.com/test. It doesn't even hit the index.php file. Also, not all the urls work like this, some are loading through files in other folders.
So my question is - what are the possible ways that Apache can let user access site.com/test without the .php extension. It must not be using .htaccess. Also, we should be able to add exceptions to this so that some urls can be loaded differently.
you can achieve same thing in hosts file if you are using Linux server. you need to define same rules in hosts configuration file.

Trac on shared server

I'm facing an odd problem with Trac's authentication. I have it installed in other servers and never had problem to install it, but now I'm trying to install it on a shared linux server where:
don't have access to httpd.conf;
only available scripts are php and python (wsgi);
no dev tools at all (so no chance to use gcc to compile something);
.htaccess is okay.
Well, trac is installed and working in anonymous mode and I can not find a way to make it private. It looks like it only relies on Apache basic authentication but I can not do this without httpd.conf access.
On my other instalations I use <Location> inside httpd.conf, but I can't use this tag inside .htaccess. I know that I can simply put <Location>'s content inside a .htaccess file and put this file in any www subdirectory to protect it. But since this is a wsgi script in another directory outside www I have no place to put that .htaccess.
I'm looking for a way to solve this by:
still using apache auth with any other .htaccess configuration that I've missed;
any other way Trac could be used in privative besides relying on apache;
any other issue/project tracking similar to trac is an option too.
I'm using AccountManagerPlugin on a shared Linux server machine of mine without issues.

ModX Cache: Files Being Written with Wrong Permissions

The title doesn't really sum it all up...
I have recently installed ModX Revolution 2.2.4 on an Apache server and I am having complications with the cache folder. Occasionally I have to manually clear the cache folder via ftp, but any files written there are owned by Apache and my account can't delete them. I have tried adding the "new_file_permissions" and "new_folder_permissions" to the system settings, but there is no change. The cache files are always owned by Apache and I have no access via ftp.
Also, files such as the .htaccess and really anything I upload (css etc) are seen as uneditable to modx unless I manually change them to 777 via ftp. I can't change owner and group though.
The server tech can't figure it out. This has come up before on the modx forums but it has never been answered.
Obviously, this is a server problem.
I had this problem (with an IIS server though), and the host needed to change some of their settings.
Especially, if MODX works on your different host(s).
That is the way it is supposed to work, your FTP account does not have permission to write files written by apache, your ftp may be a member of the group but does not have write permission. [needed to delete]. I suspect this is by design for security purposes.
Your new_file_permissions, new_folder_permissions are used for the modx file manager.
So you can do a couple of things:
Run modx under fastcgi, that way the user writing the files should be the same user as the ftp user.
OR
write a little script [you can even stuff it in a snippet] that will delete the cache files for you. [since it will be running as the apache user, it should be no problem.

Block access to files by URL

I am new to webhosting and building a very small PHP website as a part of my project. It will not be used for practical purposes for now, but still I want to make sure that it is not TOO insecure.
I have a few files which I don't want users to access by URL(some text and CSV files) but my PHP code should be able to use them. How can I achieve something like this?
If you don't want them accessed by the web server but just by PHP, the best thing is to just keep them outside the webroot.
You can block access using .htaccess, but that will prevent you from using pretty much any other web server than Apache, and it adds un-necessary overhead (and a possible vulnerability if the .htaccess is accidentally removed or configured wrong)

How do I hide my Scripts folder?

I have a directory on my website specifically for javascript files, I want these javascript files to be hidden, so if I type the url to it it says Forbidden or disallows access, but my front-end website files can still access them to execute them when needed. Is there a way to do this through a FTP client?
Cheers,
Dan
You can't do this trough a ftp client. It is the task of your webserver to forbid access to certain files.
If you change permission, the webserver won't have access to them anymore, so this is not the way to go.
You must configure your webserver to restrict the access. If you're using Apache, you can use an .htaccess file. There's different ways of doing this, many depends on the way the webserver is configured.
The easiest is to put an .htaccess file in your Scripts folder which contain only this none line :
deny from all
However, like peeter said, there's a good chance this will break your site, since the browser must access theses files, so you can't restrict access.
Put a htaccess file in your scripts folder containing deny from all, but this will stop your pages from accessing the scripts also (though not if you pass them through the PHP engine first)
You're trying to hide JavaScript files that are executed on the clients side. If a client(browser) cannot access the files means non of your javascript code is executed.
If I understood your question correctly then you cannot achieve what you're trying to achieve.