Jump to content


Photo

Directory restriction


  • Please log in to reply
7 replies to this topic

#1 Ninjakreborn

Ninjakreborn
  • Members
  • PipPipPip
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 24 October 2006 - 12:52 PM

I want to restrict a directory where no-one can get into it from the browser.  Certain folder's however, when restricted using htaccess don't work.  Like my include's or other related folder's.  I was wondering if I go ahead and just put an index.php page in every directory, including CSS, atleast that will prevent them from going to the directory and getting a directory view of the folder along with server information.  I know how to stop them from going to htaccess, and php.ini and also how to restrict file's if needed, like important documentation.

Ok so images, I tried restrictiing it, no images appear on the page. So I can just create an index.php page in there that say's, You are not allowed to directly view this directory.

Then the include's, I tried it but don't remember the results.

The css pages where the same though they couldn't be pulled into the page.

Ok, in my folder I am using for my framework I have

master/ inside it there's
css, javascript, includes, config, portable and a few other folder's.
I wanted to atleast keep people from going to www.domainname.com/master and getting into a directory to see all the file's and structure.  So do I just put a protection file into each one.  also if I block off the whole folder, so they can't call specific pages.  I don't want them trying to pull up anything under
/master/config
because in there are all my functions, and system file.  ANy ideas?  At that point if they open my config file, and start feeding it variable's, who knows.  NEver thought about that, any advice?  Thanks?

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#2 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 24 October 2006 - 01:39 PM

In your httpd.conf:
<Directory "/var/www/something">
	Options -Indexes
</Directory>

If you put it in a .htaccess file, then just remove the Directory tags.

#3 Ninjakreborn

Ninjakreborn
  • Members
  • PipPipPip
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 24 October 2006 - 01:42 PM

what?

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#4 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 24 October 2006 - 02:05 PM

This will turn the directory listing off.

#5 akitchin

akitchin
  • Staff Alumni
  • Advanced Member
  • 2,516 posts
  • LocationCalgary, AB, Canada

Posted 24 October 2006 - 02:12 PM

put:

Options -Indexes

into an .htaccess file in each directory you want to "protect" (here, the /master/ and /master/config/ directories).  it won't send a friendly error message, but it will stop users from browsing the directory's contents if there's no index page.  alternatively you can add the <Directory> tags if you want to put this directly into your httpd.conf, in which case you don't need to place the file in each directory you wish to "protect."

if they're all going to be PHP and included files, you can put them above the webroot and reference it directly in the path.  you cannot do this with CSS, images and javascript however, as for HTML to access them, it needs a URL or their explicit contents.

to protect the CSS, images and javascript you need to do several things:  first, put them into a web-inaccessible directory (=> above the root).  second, since you can't source directly to these files (how do you specify the URL?), you have to source to a PHP file which will serve the file's contents.  i'm pretty sure that's overkill, though.

EDIT:  was just clarifying Daniel's post, didn't see his reply before i posted.

#6 Ninjakreborn

Ninjakreborn
  • Members
  • PipPipPip
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 24 October 2006 - 02:44 PM

ok, that will work.  Thanks again.

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#7 redbullmarky

redbullmarky
  • Staff Alumni
  • Advanced Member
  • 2,863 posts
  • LocationBedfordshire, England

Posted 24 October 2006 - 02:58 PM

akitchen mentioned it, but i have a certain rule of thumb these days. if it needs protecting from access, put it below the web root. all my framework and other scripts go here. i actually do this with images too in the event that i want to restrict access to certain files. anything to be served directly to the user goes above the web root. once you get used to how to serve these files and include them, etc, you'll find it gives a little more peace of mind than just protecting a directory.
"you have to keep pissing in the wind to learn how to keep your shoes dry..."

I say old chap, that is rather amusing!

#8 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 24 October 2006 - 03:00 PM

CSS files, images and javascript files can't be protected from being viewed. The browser needs them to parse/show then so it has to be downloaded to the user's computer.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users