I want to disable access of a specific folder of my domain say: mydomain.com/newsletters/
BUT since i will be adding files inside /newsletters I want all files to be accessible.. say: mydomain.com/newsletters/april-newsletter.pdf
Thank you in advance.
Related
I've been searching and I haven't found a solution that fits my need right now.
I have a website www.mywebsite.com and all its files are inside the public_html folder.
I want to create a folder called "uploads" inside public_html and then BE ABLE TO ACCESS it with www.mywebsite.com/uploads
I want it to list all the fles I've put there via FTP, but right now it shows me FORBIDDEN.
How can I be allowed to see the list of files and folders?
Thank you.
Assuming a user has access to all files within the public_html directory. Doesn't this mean they could have access the a node.js application code within it? Surely this is a massive security risk.
What is the normal way of handling this? Would you user files permissions to restrict the file, or place the node directory outside of the public_html and reference it somehow? If so, how?
Many thanks for any answers given!!
Yes your server scripts should live outside public_html. Only files that you want to make available to the public should be placed under public_html.
Your node server script can refer to the "./public_html" or "../public_html" folder if it is stored in or above the folder containing the script, or it can even refer to "/path/to/public_html" if it is stored elsewhere on your filesystem.
I wish to protect folder with core files of CMS and its sub folders and files from accessing via web, and I tried with .htaccess file with this:
order deny,allow
deny from all
Problem I have is that I can protect that folder but some script from that folder or its sub folder then do not work good.
I also tried with this:
order deny,allow
deny from all
allow from 127.0.0.1
allow from 76.xx.xx.xx
In this case 76.xx.xx.xx is static IP of site.
Is there any way to prevent accessing files in that folder but still to make all work ok?
Another question.
I wish to secure more my site from hackers. So, is there any way to prevent injecting malicious files and code in my scripts/files and/or to block my site of executing files from other sites, hosts, to allow just working with local files.
I prefer .htaccess file, but if it is needed I have access to WHM if there is need for editing other files (but in that case I will need step by step guide). I am running site on Linux VPS with Cent-OS 5 system.
The usual way to do this is to put the accessible files in an apache-accessible directory, but all the rest into a directory out of the way from Apache. For example:
/usr/
local/
mycms/
public/
lib/
/var/
www/
mycms -> softlink to /usr/local/mycms/public
Or better yet, make mycms an alias in Apache config, pointing at the public directory. This way, the files that should be accessible are, those that shouldn't be aren't, and you can still reference all your other files simply by ../lib/ etc.
I know this does not really answer your question literally, and if the CMS directory structure is not under your control, this may not be the best way to do it.
Another way is through rewrites - simply rewrite all requests to your CMS directory except for your CMS's entry script into requests for the entry script.
"The most important safeguard is to keep uploaded files where they cannot be directly accessed by the users via a direct URL. This can be done either by storing uploaded files outside of the web root or configuring the web server to deny access to the uploads directory.
Another important security measure is to use system-generated file names instead of the names supplied by users when storing files on the file system. This will prevent local file inclusion attacks and also make any kind of file name manipulation by the user impossible"
I understand this, however - I am providing options for Wordpress users to upload files to their image directory, so I can not do either of these afaik. The files need to go into the images directory, and be named a name of their choosing.
Here is what I am doing so far:
1) Only allowing files with names with one extension, and the extension must be from a trusted list.
2) Only allowing alphanumeric, spaces and underscores in the first part of the name and less than 30 chars.
3) Not allowing files with the name .htaccess to be uploaded
4) Only allowing admin access to the upload and using wp nonces
5) Checking mime type
6) Checking file size
Some questions I have are:
If I deny uploading any file named '.htaccess' and am denying any file with .php extension, shouldn't this prevent someone from upolading an image file with .php code embedded?
I understand that I can use php to copy images without malicious code, however I am planning to allow the upload of .ttf files and .css files as well.
I could scan those files with php for script question marks, etc. Is this advisable? If so what would I search for beyond this?
If I am only allowing admins access and am using nonces and the above methodology, how secure is my code and are their other things that I should be doing?
Any help is greatly appreciated!
I thought I would bump this - having a hard time finding much feedback here.
If you do a thorough scrubbing of file names, and only whitelist image, text and css files, what kind of security does that buy you.
Currently, I am uploading as a random name in a directory, scrubbing the name, one extension, whitelisted and re-saving in a public image directory. And only allowing access by wp admins.
You should disable PHP execution in the images directory. That would prevent a lot of the potential problems you've considered without having to worry about having missed some tricky filename construction. Add php_flag engine off to the apache configuration for that directory.
Unless you really need them for some reason, you should also disable .htaccess files, at least in the images directory. Everything you can do in a .htaccess file can be done in an apache configuration file outside of any directory that might be writeable by the web server. See the AllowOverride directive.
In my root web folder I have a list of folders (files, modules, classes) that I'm using .htaccess to prevent access to. However, in the modules/ folder, there are modules that carry their own images, which I'd like to allow access to.
How do I allow access to images in a folder under modules/, but still prevent accessing any other files in that same directory path?
Try this in your .htaccess. It should let you grant access to images within the directory. You may need to tweak this to make it work for you.
<FilesMatch "\.(gif|jpe?g|png)$">
Order allow,deny
Allow from all
</FilesMatch>
I believe if you read this document: http://httpd.apache.org/docs/1.3/howto/htaccess.html you will gain insight as to how to achieve the access permissions you desire.
To sum it up, without rewriting the document: you can allow access to the directories that you wish either through .htaccess files in those folders, and .htaccess files can be placed at any level in your directory tree.
Further, the article also makes some suggestions that may perform better by using your main server config file instead of .htaccess files.
Hope this helps,
-james