here is a script for apache to disable folder access via browser:
## no access to this folder
# Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
Options -Indexes
But it does not work: https://doboda.com/wp-content/uploads/movies/
How can i block it?
This is not FTP. This is the directory listing option. You can disable it by adding this line to .htaccess:
Options -Indexes
Related
I have a website which logs the users activity on a text file. But then when I enter www.mywebsite.com/textfile.txt I can clearly see the contents of that txt file. How do I hide this?
Use this rewrite in top of .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^textfile\.txt$ - [F,L]
</IfModule>
Or use directive Files:
<Files "textfile.txt">
Order Allow,Deny
Deny from all
</Files>
And for Apache 2.4+, use this:
<Files "textfile.txt">
Require all denied
</Files>
I have a folder in the root called 'php', and when I type a url like this in my site:
http://example.com/php
it turns like this:
http://example.com/php/?q=php
but if the folder doesn't exist, it does not add the '?q='. I've tried adding:
Options -Indexes
but still happens. my site uses 'q=' to access different pages and I don't want the users to know that there's folder/s existing if the url adds a '?q='. how can I remove or disable that? I'm still new to htaccess thanks!
Here is my current htaccess:
#
# Apache/PHP/msys settings:
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(inc|profile|functions|pg|module|test|po|api|sh|ini|json|.*sql|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
Order allow,deny
</FilesMatch>
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
# Follow symbolic links in this directory.
Options +FollowSymLinks
# Set the default handler.
DirectoryIndex index.php index.html index.htm
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^([^\.]+)/?$ ?q=$1 [L]
</IfModule>
ErrorDocument 403 /example/error404
ErrorDocument 404 /example/error404
I have .htaccess file:
Order deny,allow
Deny from all
# deny view files in directory
Options -Indexes
<FilesMatch "index\.php|profile\.php|newgame\.php|game\.php">
Allow from all
</FilesMatch>
It works well, I can open index.php or profile.php for url like site.com/index.php. But I can't open site for url site.com. Why? I give access to index.php. Isn't site.com the same of site.com/index.php. How to change .htaccess file to take into account this situation?
UPDATE
apache2.conf contains:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
You need to configure apache to recognize index.php as index file.
Add
DirectoryIndex index.php
i'm trying to enable clean URL on my server (Debian squezze) for my Drupal Website .
I tried all of the things i found on the net . So please help me .
The rewrite module is enabled.
On my server , the Drupal's folders got this way : " /var/www/myshop/client/101b". with a symbolic link named "current" . So to access from the brower on my website i have to write an URL like that : "http://myshop.myserv.com"
Here is my .htaccess at the root of my folder "101b":
#
# Apache/PHP/Drupal settings:
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
Order allow,deny
</FilesMatch>
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
# Follow symbolic links in this directory.
Options +FollowSymLinks
# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php
# Set the default handler.
DirectoryIndex index.php index.html index.htm
# Override PHP settings that cannot be changed at runtime. See
# sites/default/default.settings.php and drupal_environment_initialize() in
# includes/bootstrap.inc for settings that can be changed at runtime.
# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
php_flag magic_quotes_gpc off
php_flag magic_quotes_sybase off
php_flag register_globals off
php_flag session.auto_start off
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_flag mbstring.encoding_translation off
</IfModule>
# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
# Enable expirations.
ExpiresActive On
# Cache all files for 2 weeks after access (A).
ExpiresDefault A1209600
<FilesMatch \.php$>
# Do not allow PHP scripts to be cached unless they explicitly send cache
# headers themselves. Otherwise all scripts would have to overwrite the
# headers set by mod_expires if they want another caching behavior. This may
# fail if an error occurs early in the bootstrap process, and it may cause
# problems if a non-Drupal PHP file is installed in a subdirectory.
ExpiresActive Off
</FilesMatch>
</IfModule>
# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on
Options All
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
# as the control files used by CVS, are protected by the FilesMatch directive
# above.
#
# NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
# not possible to block access to entire directories from .htaccess, because
# <DirectoryMatch> is not allowed here.
#
# If you do not have mod_rewrite installed, you should remove these
# directories from your webroot or otherwise protect them from being
# downloaded.
RewriteRule "(^|/)\." - [F]
# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
#
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# uncomment the following:
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/... will be redirected to http://example.com/...)
# uncomment the following:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http://%1%{REQUEST_URI} [L,R=301]
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
RewriteBase /myshop/client/101b
#
# If your site is running in a VirtualDocumentRoot at http://example.com/,
# uncomment the following line:
# RewriteBase /
# Pass all requests not referring directly to files in the filesystem to
# index.php. Clean URLs are handled in drupal_environment_initialize().
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
# Rules to correctly serve gzip compressed CSS and JS files.
# Requires both mod_rewrite and mod_headers to be enabled.
<IfModule mod_headers.c>
# Serve gzip compressed CSS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
# Serve gzip compressed JS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
# Serve correct content types, and prevent mod_deflate double gzip.
RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
<FilesMatch "(\.js\.gz|\.css\.gz)$">
# Serve correct encoding type.
Header set Content-Encoding gzip
# Force proxies to cache gzipped & non-gzipped css/js files separately.
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
</IfModule>
and here this my 000-default file in "etc/apache2/site-enabled/ : "
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/myshop/client/current
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/myshop/client/current/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
</Directory>
Alias /admin/ /var/www/myshop/backoffice/current/
<Directory /var/www/myshop/backoffice/current/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
But when i want to enable clean URL the test always fail.
Anyone have an idea ?
Thanks for help .
You should use 'RewriteBase /' instead of 'RewriteBase /myshop/client/101b' because virtual host is pointing to folder which contains Drupal site.
Please also check version of Apache you're using. Newest versions of Apache web-server require some changes in host's definition. You should use 'Require all granted' instead of 'Allow from All'. See example which works for me:
<VirtualHost *:80>
ServerName drupal7
ServerAlias drupal7 www.drupal7
DocumentRoot /home/vlad/www/public_html/drupal7
<Directory /home/vlad/www/public_html/drupal7/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
Please take a look at answers here: Unable to enable Clean URLs in drupal 7 website after migration
I have installed phppgadmin in a Ubuntu server and want to access it from another computer.
It said access denied when i typed:
http://<ip>/phppgadmin
The port 5432 is opened in the Ubuntu server but just for local ip.
Thanks
The /etc/apache2/conf.d/phppgadmin.conf configuration file by default keeps anyone but localhost from accessing PhpPgAdmin.
Add a line that makes a new allow rule for your IP, so it looks something like this:
<Location /phppgadmin>
Order deny,allow
Deny from all
Allow from [Your client IP]
</Location>
By the way, this kind of question is probably more appropriate for stackoverflow's sister site serverfault.com
I know this is an old question but since i stumbled on it trying to fix the "Failed to load resource: the server responded with a status of 403 (Forbidden)" error while trying to access phpPgAdmin from another computer and the given answers didn't work for me, I wanted to share my solution.
Ubuntu: 17.04; phpPgAdmin: 5.1
Solution:
Comment out Require local in /etc/apache2/conf-enabled/phppgadmin.conf and restart apache (sudo service apache2 reload)
<Directory /usr/share/phppgadmin>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>
AllowOverride None
# Only allow connections from localhost:
# Require local
<IfModule mod_php.c>
php_flag magic_quotes_gpc Off
php_flag track_vars On
#php_value include_path .
</IfModule>
<IfModule !mod_php.c>
<IfModule mod_actions.c>
<IfModule mod_cgi.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
<IfModule mod_cgid.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
</IfModule>
</IfModule>
</Directory>
/etc/apache2/conf-enabled/phppgadmin.conf
This is an apache (or web server) issue. You're phppgadmin directory has a .htaccess file disallowing EVERYONE except localhost.
You need to either set it to Allow ALL or Allow (insert IP here)
Are you running Apache?
You need to change your permissions in the httpd.conf file or .htaccess
http://httpd.apache.org/docs/2.0/misc/security_tips.html
I want to share my solution as well.
Debian 10.1 with Apache 2.4.38 and phpPgAdmin 5.1 on 64-Bit ARM.
The following config will allow local and LAN access, but (for security reasons) NO WAN access.
/etc/apache2/conf-enabled/phppgadmin.conf
<Directory /usr/share/phppgadmin>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>
AllowOverride None
# Only allow connections from localhost:
#Require local
Order deny,allow
Deny from all
Allow from ::1
Allow from 127.0.0.1
Allow from 192.168.0.0/16
Allow from 172.16.0.0/12
Allow from 10.0.0.0/8
<IfModule mod_php.c>
php_flag magic_quotes_gpc Off
php_flag track_vars On
#php_value include_path .
</IfModule>
<IfModule !mod_php.c>
<IfModule mod_actions.c>
<IfModule mod_cgi.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
<IfModule mod_cgid.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
</IfModule>
</IfModule>
</Directory>