Stop people from viewing contents of a directory - apache

I want to stop people from viewing the contents of my images directory. I've built an app using Codeigniter and notice that they just have index.html pages with a 403 Forbidden message in all directories - is this a secure method to use? Is an index.html page in the directory sufficient or do I need to update config or .htaccess?

The .htaccess solution should work if you're comfortable using it.
Options -Indexes
If you are on a shared host with cPanel, you can change your settings in Index Manager
Cpanel - Index Manager

The index.html should be enough and secure, but it is not really a clean solution, because it is not actually returning a error message, it is probably still returning HTTP 200 and then showing the html page with error 403.
The clean solution would be adding
Options -Indexes
to the .htaccess file.

In general you need more than just an index.html, depending on you server configuration you can still get a directory listing. None of the files in the directory will be protected either.
Your best bet is to do al of the above, update the server config to limit access and also set policy via .htaccess if that is appropriate. Finally, if you don't want it to be served it really should not be part of the directory structure being published by the server.

Related

How to disable the download of files in an Apache2 webserver?

I took over a website which I'm supposed to admin and somebody brought to my attention that certain Indexes and Files are available, which shouldn't be. I will be using dummy names.
You were able to access example.com/intern before, but I changed a line in /etc/apache2/apache2.conf according to this https://stackoverflow.com/a/31445273 . This worked partly, as I get a 403-Forbidden when I now navigate to example.com/intern and that's basically what I want.
However the directory intern governs a file called file.php.bak aswell as file.php. When I navigate to example.com/intern/file.php I get a white website. I am however not sure, if you are able to access file.php in another way, because the site does load and I don't get a 403 like before. What is way worse and the reason I am struggling with this is: If I go to example.com/intern/file.php.bak then my Browser (Firefox) offers me to download file.php.bak, which I can read in plaintext. I want all files in intern to not be accessible via the website, but I have no idea how to do this. Can anybody help?
Things I've tried:
Removing the Indexes from the apache2.conf file like mentioned above. It only puts the 403 on the directory itself and not recursively for all the files in it.
Writing a .htaccess file as described here: https://fedingo.com/how-to-prevent-direct-file-download-in-apache-server/ and putting it in intern with the same result as in 1)
Putting an empty index.html file in the intern directory. This leads to no more 403 in example.com/intern, but the download on example.com/intern/file.php.bak is still possible. I've also tried index.php with the same result.
File System:
The application runs from /var/www/application which is also the folder for the /var/www/application/index.php I want to use. The /var/www/application/intern directory is also there. While it isn't browsable anymore, the files in it still are accessible. /var/www/application/intern/file.php can be navigated to via example.com/intern/file.php, but it seems like it can't be downloaded or read as it results in a white page. /var/www/application/intern/file.php.bak can however be downloaded via example.com/intern/file.php.bak.
Let's say Apache document root is set to DocumentRoot "/folder_one/folder_two"
Placing files in a folder_one will prevent people browsing your apache server and requesting the files directly.
Place index file in folder_two and include some code such as PHP to tell apache to include whatever files you want from folder_one.
In this manor Apache will still be able to serve whatever files you want from folder_one and people will not be able to request the files directly as the are located in a directory above the Apache document root.

How can I fix my homepage showing a 403 error?

I keep getting a 403 error on my homepage, despite having all my permissions set to allow public to read. I'm not using any plugins, I'm not using Wordpress, and though my site is routed through Cloudflare it goes through to my hosting provider's 403 page (I haven't created my own). I've tried 755 and 644 and I keep getting the same thing. How can I fix this?
(The website is alexbelman.com)
There are several possible reasons depending on your hosting environment and a bit more detailed info from you about your hosting setup would help. For example - is your site on a server running Linux? cPanel?
But maybe this info can help you in the meantime:
If you're sure you have the correct permissions on folders (in most cases your public_html folder should be 750, all folders within the public_html folder in most cases should be 755, and files should be 644) then probably the first two things I would check would be:
Make sure you have an index file in your public_html folder - some examples would be index.html , index.htm , index.php , or on some hosts a default.html is used. If there is no index file in the folder that serves your site, server security configs will often present a 403 while protecting the sensitive contents of your hosting account from being viewed.
If you're sure you have an index file in your public facing folder, then check the contents of the .htaccess file in your public_html folder, since an errant rule or line of code in your htaccess is a common cause for a 403
If you can post the contents of your .htaccess file here someone here or possibly myself can spot anything that shouldn't be there or is incorrect.
Also, since you're using CloudFlare you should take a look at their Quick Fix suggestions here - https://community.cloudflare.com/t/community-tip-fixing-error-403-forbidden/53308

How can I get Apache to serve index files from subdirectories that have the same name as the subdirectory?

I was just asked to work on a terrible site that the client is running off IIS. I can't make changes to the live server so I attempted to install the site on my testing server running Apache.
The site's homepage is up and running but I cannot navigate to any subdirectories. The nav menu has links like /about-us/ -- however, there is no index.php file in the about-us directory. Instead there is a file named about-us.php.
If I was getting paid to fix the site up I would do the work to rename the files and/or links, but for now I just want to get this thing running so I can make my CSS and content edits and be done with it. I assume there is some easier way (using htaccess?) to dynamically tell Apache that, when directed to a subdirectory, look for /foo/foo.php instead of /foo/index.php -- right now all I get is a directory listing or permission denied if I turn indexing off.
I've been Googling around but can't find anything that looks like the same problem -- can one of you rewrite gurus please point me in the right direction?
The best approach for you is to set the appropiate DirectoryIndex for each directory as in:
<Directory /path/to/about-us>
DirectoryIndex about-us.php
</Directory>
You can also define a single "controller" in case there is no index page found, this is done like:
FallBackResource /index.php

How to avoid .htaccess constant seek?

Are there any options in Apache 2.4 that enable the .htaccess to be cached, and not having the web server looking for it at each request?
I know that using the AllowOverride None, will do this, but then, for most popular scripts this will need the required settings to be made in the vhosts file for each folder.
If somehow we could just tell Apache to remember the htaccess files that it has already accessed since previous restart, this would be a great tool for speed improvement.
A script that reads the base content recursively for all htaccess, and builds a vhosts file, would not be a bad idea as well, anyone uses this approach?

How Come Everybody Can See My Private Files?

Sorry for the newbie question...
When I go to http://www.plans4boats.com/scripts/youtubeplayer/ in Google Chrome, I can see a full listing of the files there. What should I do if I don't want any old hacker to just come in and view/copy my source codes? Does it have something to do with htaccess?
I discovered that putting a blank index.html file in the folder helps for THAT folder, but it still leaves all subfolders vulnerable.
What should I google for more information on how to set up my server to prevent this?
Just set Options -Indexes for that particular directories either in an .htaccess file or a <Directory> or <Location> container.
What you need to do is turn of Directory Listing for your specific server. I don't know what server you're using so I can't walk you through it, but just google your server name and how to disable directory listing.
I created a file called .htaccess and put the following contents:
IndexIgnore /