I've written a script which takes the summary of an order and stores it in an XML file, except the problem is that I don't want people to be able to open the XML file in their browser, obviously.
I'm hosted on a very dodgy shared server with limited abilities: no SSH, for starters.
Is there a place I can put this file so that PHP will still be able to read/write to it, but web browsers won't be able to get to it?
Ordinarily, I'd create a folder outside the document root and put it there, but I get a "Permission denied" message when I try that.
The folders which are there are:
anon_ftp
bin
cert
cgi-bin
conf
error_docs
etc
httpdocs
httpsdocs
pd
private
statistics
subdomains
web_users
PHP can't access the file when it's in the private folder. Would this be possible using .htaccess?
You could create a directory containing a .htaccess file that looks something like the following:
Deny from all
This will instruct Apache not to serve files from that directory; any attempts to access the directory or its contents will be met with a "403 Forbidden" response from the server.
Note: This depends upon the host not having removed Limit from the list of options in their AllowOverride directive; most shared hosts shouldn't have a reason to do this.
I worked around it by putting the XML file in my httpdocs folder, but added a .htaccess file with this in it:
<Files ~ "myfile.xml">
Order allow,deny
Deny from all
</Files>
Couldn't you ask the shared-hosting provider to create an outside-web-root folder for you? I've certainly done this in the past.
Related
I have a website url that looks something like this: www.test.com/folder1/test.html
If I change the url to www.test.com/folder1 I can see all the files and folders parallel to folder1. I don't want people to be able to do this and see these folders and files. How can I block access to this?
Please change the document root. The file is located at /etc/apache2/sites-available/000-default.conf if you use Ubuntu.
You need to turn off the Indexes option. You can do it in a .htaccess file for a directory, in the configuration file for the site in a <Directory> section, or the global configuration httpd.conf.
Options -Indexes
This will prevent the server from generating a navigable index of files.
Full documentation is here:
https://httpd.apache.org/docs/2.4/mod/core.html#options
On a subdomain I want to use only a .htaccess file for redirects. No PHP, no database or anything else will be used. Can a .htaccess file still be hacked? What should I do to protect it?
The apache2.conf file has the following lines by default which prevent viewing of htaccess files:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
It will not be visible under a standard Apache setup, which blocks all files starting with .ht from being served. So nobody will be able to view the contents or get at it through the Apache front-end. Take the usual precaution of having it be 644 permissions and not owned by the user that Apache runs as. No extra security needed outside of protecting your server generally.
Check that the standard protection is in place, so it can't be viewed. Easiest way is just to try visiting it in a web browser. You should get a 403 forbidden.
If you're worried you could put the rules in the main server config instead. I wouldn't worry as long as the above is in place.
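The two checks the answers above rely on, trying the URL in a browser and expecting a 403, and confirming that directory listings are off (Options -Indexes), can be scripted so they run after every deploy. The following is an added example, not code from any of the answers: the hostname, the paths in DEFAULT_TARGETS and the expected status codes are assumptions to adapt to your own rules.

```python
"""Verify that .htaccess/httpd.conf protections are actually enforced.

Added example, not code from the page's answers. The paths and expected
status codes below are assumptions for illustration; adjust them to the
files and directories your own .htaccess rules are meant to cover.
"""
import re
import urllib.error
import urllib.request

# Each entry: (path, expected HTTP status). A private data file, the
# .htaccess itself and a directory without an index page should all yield
# 403; a 200 means the rule is being ignored (often AllowOverride None).
DEFAULT_TARGETS = [
    ("/.htaccess", 403),
    ("/orders/summary.xml", 403),   # assumed path of a PHP-written data file
    ("/helloworld/", 403),
    ("/images/", 403),
]

# mod_autoindex titles its generated pages "Index of /<dir>"
INDEX_MARKER = re.compile(r"<title>\s*Index of\s*/", re.I)


def http_fetch(url, timeout=10):
    """Return (status, body_text); HTTP errors are results, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(64 * 1024).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(64 * 1024).decode("utf-8", "replace")


def audit(base_url, targets=DEFAULT_TARGETS, fetch=http_fetch):
    """Probe each target; return a list of (path, status, problem-or-None).

    `fetch` is injectable so the decision logic can be exercised offline.
    """
    findings = []
    for path, expected in targets:
        status, body = fetch(base_url.rstrip("/") + path)
        problem = None
        if status == 200:
            problem = "served (rule not applied?)"
        elif status != expected:
            problem = "unexpected status %d" % status
        # A directory that still renders a listing has Indexes enabled.
        if path.endswith("/") and INDEX_MARKER.search(body):
            problem = "directory listing enabled"
        findings.append((path, status, problem))
    return findings


def all_protected(findings):
    """True when every probe came back as expected."""
    return all(problem is None for _, _, problem in findings)


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com"
    for path, status, problem in audit(base):
        print("%-25s %3d  %s" % (path, status, problem or "ok"))
```

Run it from a host that is not in any Allow list (a rule such as Allow from 127.0.0.1 would make a probe from the server itself pass even though the file is exposed to everyone else), and treat a 404 on a path you know exists as a sign the request is being routed somewhere other than you expect.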
So I have tried to follow some of the posts here to deny access to a public folder using .htaccess.
The problem is that I still can access the folder.
I have put the .htaccess inside my folder, with the commands:
Order allow,deny
Deny from all
I am missing something, but don't know what.
BTW, I have restarted apache after that.
The site:
www.mysite.com
Folder I want to block
www.mysite.com/helloworld/
That configuration does exactly what you say it should do when I test it.
Presumably your server is configured not to respect .htaccess files.
You can change that by setting:
# Limit is the override class that covers Order/Allow/Deny in .htaccess
AllowOverride Limit
… in your main configuration file.
See also the documentation for AllowOverride.
That said, if you don't want the content of a directory to be accessible to anyone over HTTP, then you are better off keeping that directory outside the web root in the first place.
I want to restrict access to some folders and files, but only when a user tries to access them through the URL, not when the website accesses these files. For example, restrict the folders images, javascript, ...
I tried in different ways but I always got error 500.
Basically, I don't want external users to list my website directory and open their files, if it is possible to accomplish.
Thanks in advance
This is a pure mod_rewrite-based solution:
RewriteRule ^(includes/|submit\.php) - [F,L,NC]
This will show a forbidden error to the user if the URI contains certain paths.
You are getting a 500 error because the <Directory> container cannot be used in an htaccess file (which is essentially all inside a directory container for the directory that it's in). What you need to do is remove the container from your htaccess file, and leave the Deny from all bit:
htaccess file in your document root:
# Refuse direct access to all files
Order deny,allow
Deny from all
Allow from 127.0.0.1
Then create an htaccess file in the uploads/files/, uploads/images/pages/ and uploads/images/store/ (and whatever other directories that you want to allow access to):
Allow from all
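The fragments on this page differ only in their Order line, yet they behave very differently: Order allow,deny with Deny from all (the myfile.xml answer above) denies everyone, while Order deny,allow with Deny from all and Allow from 127.0.0.1 (the answer just above) lets loopback through, and a plain Allow from all in a subdirectory reopens it. The simulator below is an added example, not code from the answers; it implements only the documented mod_authz_host evaluation rules for Apache 2.2-style directives (all, single IPs, CIDR) and ignores container tags, hostnames and partial-IP forms, so that the decision for a given client address can be checked offline.

```python
"""Simulate Apache 2.2 mod_authz_host 'Order'/'Allow'/'Deny' evaluation.

Added example, not code from the page's answers. Supports 'all', single
IPs and CIDR prefixes; hostnames and partial IPs ('10.1') are out of
scope. Default Order when none is given is deny,allow, as in Apache.
"""
import ipaddress
import re

_DIRECTIVE = re.compile(r"^\s*(Order|Allow|Deny)\s+(?:from\s+)?(.+?)\s*$", re.I)


def parse_access_rules(htaccess_text):
    """Collect Order/Allow/Deny directives from an htaccess fragment.

    Container tags such as <Files> are skipped: the simulator evaluates
    a single request that has already matched the container.
    """
    order, allows, denies = "deny,allow", [], []
    for line in htaccess_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name == "order":
            order = arg.replace(" ", "").lower()
        elif name == "allow":
            allows.extend(arg.split())
        else:
            denies.extend(arg.split())
    return order, allows, denies


def _matches(spec, client_ip):
    """Does one Allow/Deny host spec match this client address?"""
    if spec.lower() == "all":
        return True
    try:
        net = ipaddress.ip_network(spec, strict=False)   # IP or CIDR
    except ValueError:
        return False
    # A mismatched IP version (e.g. ::1 against 127.0.0.1) never matches.
    return ipaddress.ip_address(client_ip) in net


def access_allowed(order, allows, denies, client_ip):
    """Apply the documented evaluation rule for the given Order."""
    allowed = any(_matches(s, client_ip) for s in allows)
    denied = any(_matches(s, client_ip) for s in denies)
    if order == "deny,allow":
        # Default allow: refused only if a Deny matches and no Allow does.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Default deny: admitted only if an Allow matches and no Deny does.
        return allowed and not denied
    raise ValueError("unknown Order: %r" % order)


def decide(htaccess_text, client_ip):
    """Convenience wrapper: parse the fragment and decide for one client."""
    return access_allowed(*parse_access_rules(htaccess_text), client_ip)


if __name__ == "__main__":
    fragments = {
        "allow,deny + Deny all": "Order allow,deny\nDeny from all\n",
        "deny,allow + loopback": "Order deny,allow\nDeny from all\nAllow from 127.0.0.1\n",
        "subdir Allow from all": "Allow from all\n",
    }
    for label, text in fragments.items():
        for ip in ("127.0.0.1", "203.0.113.5", "::1"):
            print("%-24s %-12s -> %s" % (label, ip, decide(text, ip)))
```

Two practical consequences fall out of running it: a client that reaches Apache over the IPv6 loopback arrives as ::1 and is not matched by Allow from 127.0.0.1, and a Deny list combined with Allow from all only excludes anyone under Order allow,deny; under Order deny,allow the Allow wins and the Deny is dead configuration.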
Put a .htaccess file there and edit it to contain "Deny from all".
That's it.
I have an Apache webserver running in a CentOS environment. There is a folder, and in that there is a file which has an extension .exe; let's name the file x.exe.
When I try to download this file using http://mysite.com/folder/x.exe I get a 403 error.
But if I add a gif to that folder it works: http://mysite.com/folder/pic.gif
I don't have SSH access to this server but need to know some clue for why this is happening; the file permissions are correct too.
Any help is appreciated.
Within Apache's httpd.conf, it is possible to specify default handling actions for certain file types or paths. It may be that your server is configured to block executable files altogether. Similar blocking can also occur in an .htaccess file. There are a few ways to do it... here's one:
<Files ~ "\.exe$">
Order allow,deny
Deny from all
</Files>
That little snippet could be in the main .conf file, an included .conf file, OR an .htaccess file (or all three!), and again, that is just one possibility. Your best bet is to check out the server logs. They will indicate why a given request was denied in a form similar to this:
[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /www/root
Take a look at this document for information about server logs (including default paths to the logs themselves).
As I mentioned, there are a few other ways to block access to certain file types, certain files, certain folders, etc. Without looking at the error logs, it is very difficult to determine the cause. Further, without full access to the server, it may not be possible to alter this behavior. This blockage could be in place as a matter of policy for your web host.
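When SSH is unavailable but the host exposes error_log through a control panel, a short parser saves scanning by eye. The following is an added example, not code from the answer above: it extracts "client denied by server configuration" entries and counts them per client and per path, and it accepts both the Apache 2.0/2.2 line format quoted above and the Apache 2.4 format, which adds a module tag, a pid and the client port. The sample log lines are constructed for the example.

```python
"""Summarise 'client denied by server configuration' entries from an
Apache error_log.

Added example, not from the page. SAMPLE_LOG is constructed and mixes
the Apache 2.0/2.2 format with the Apache 2.4 format (module tag, pid,
client port and AH message id).
"""
import re
from collections import Counter

DENIED = re.compile(
    r"\[client (?P<client>[0-9a-fA-F.:]+?)(?::\d+)?\]\s+"   # 2.4 appends :port
    r"(?:AH\d{5}:\s+)?"                                     # 2.4 message id
    r"client denied by server configuration:\s+(?P<path>\S+)"
)


def summarise_denials(log_text):
    """Return (Counter by client address, Counter by denied filesystem path)."""
    by_client, by_path = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            by_client[m.group("client")] += 1
            by_path[m.group("path")] += 1
    return by_client, by_path


# Constructed sample: three denials (one 2.4-style), one unrelated error.
SAMPLE_LOG = """\
[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /www/root
[Wed Oct 11 14:33:10 2000] [error] [client 203.0.113.5] client denied by server configuration: /www/root/folder/x.exe
[Wed Oct 11 14:33:15 2000] [error] [client 203.0.113.5] File does not exist: /www/root/favicon.ico
[Wed Oct 11 14:34:01.123456 2000] [authz_core:error] [pid 4242] [client 203.0.113.5:51234] AH01630: client denied by server configuration: /www/root/folder/x.exe
"""


if __name__ == "__main__":
    clients, paths = summarise_denials(SAMPLE_LOG)
    for path, n in paths.most_common():
        print("%4d  %s" % (n, path))
    for client, n in clients.most_common():
        print("%4d  %s" % (n, client))
```

A path that appears only for your own address is the misconfiguration the question describes; the same path repeated from many addresses is worth a second look as a probe for executables the rule is doing its job against.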
I'd like to add I spent like 2 hours trying this crap over and over again, only to discover that SELinux was denying specific file types for httpd.
try:
setenforce Permissive
and see if that corrects the error
Tags: Fedora 16
Well, the answer was that I had this in a folder, which forbids the exe:
Deny from all
<FilesMatch "\.(html|HTML|htm|HTM|xhtml|XHTML|js|JS|css|CSS|bmp|BMP|png|PNG|gif|GIF|jpg|JPG|jpeg|JPEG|ico|ICO|pcx|PCX|tif|TIF|tiff|TIFF|au|AU|mid|MID|midi|MIDI|mpa|MPA|mp3|MP3|ogg|OGG|m4a|M4A|ra|RA|wma|WMA|wav|WAV|cda|CDA|avi|AVI|mpg|MPG|mpeg|MPEG|asf|ASF|wmv|WMV|m4v|M4V|mov|MOV|mkv|MKV|mp4|MP4|swf|SWF|flv|FLV|ram|RAM|rm|RM|doc|DOC|docx|DOCX|txt|TXT|rtf|RTF|xls|XLS|xlsx|XLSX|pages|PAGES|ppt|PPT|pptx|PPTX|pps|PPS|csv|CSV|cab|CAB|arj|ARJ|tar|TAR|zip|ZIP|zipx|ZIPX|sit|SIT|sitx|SITX|gz|GZ|tgz|TGZ|bz2|BZ2|ace|ACE|arc|ARC|pkg|PKG|dmg|DMG|hqx|HQX|jar|JAR|xml|XML|pdf|PDF)$">
Allow from all
</FilesMatch>
I added exe there and it worked fine.
Also a note: this was on a SilverStripe CMS-powered site, in the assets folder of SilverStripe.