When I browse example.com/img it shows all the directory contents. This leads to security problem . How to redirect these kind of url requests to example.com but without using htaccess
Best practice usually suggests adding these lines to your Apache config to disable directory listing:
<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>
But this will simply deny users access to the URL example.com/img. If you'd like to redirect as well, you could add an index.php file to each directory you'd like to redirect from in addition to making the Apache config change. The index.php file should contain:
<?php
header("Location:".$_SERVER['DOCUMENT_ROOT']);
Related
I have a website running on a server. It's just an index.html with a hello world text. Also, I have a folder named /vpn which contains various txt files and an index.html file.
If I try to access the URL domain/vpn, it shows me the content of index.html.
I just need to show the files inside the folder vpn when the user tries to access domain/vpn.
I created an .htaccess file with the next content in the root:
RewriteEngine on
<If "%{REQUEST_URI} == '/vpn/'">
DirectoryIndex disabled
Options +Indexes
</If>
When I try to access to vpn, it shows me a 404 error, the requested URL was not found on this server.
.htaccess is applying the DirectoryIndex rule (If a delete it, it shows me index.html content again), but not the Options +Indexes one.
I tried the same example in localhost (with XAMPP) and it's working fine.
What can be the problem?
PD: This is the content of apache2.conf file:
When I try to acces to vpn, it shows me a 404 error, the requested URL was not found on this server.
If you are getting a "404 Not Found" then it would imply that mod_autoindex is not actually installed on your server (consequently Options +Indexes has no effect - although it would seem from your server config that Indexes is perhaps already enabled).
mod_autoindex is the module responsible for generating the directory listings.
I created an .htaccess file with the next content in the root:
Personally, I would create an additional .htaccess file in the /vpn directory instead:
DirectoryIndex disabled
Options +Indexes
And disable Indexes (and set DirectoryIndex) in the root .htaccess file.
NB: RewriteEngine has no place here, unless you are overriding a parent config.
If I try to access the url "domain/vpn"
Note that you should be requesting domain/vpn/ (with a trailing slash). If you omit the trailing slash then mod_dir issues a 301 redirect to append it.
I have a subdirectory setup with a static website inside.
But when I go to www.site.com/directory/ it doesn't show the index page, only www.site.com/directory/index.html works.
Is there a way for .htaccess to rewrite this?
I can't just forward all urls because there are also other pages like www.site.com/directory/other.html that still need to work.
Inside /directory/ it's enough that you put an .htaccess file with the directive:
DirectoryIndex index.html
If it still does not work, maybe there are other server directives conflicting with it.
In Apache config you should enable AllowOverride so you could set different options in .htaccess. In that file you could set the DirectoryIndex directive.
See:
http://httpd.apache.org/docs/2.2/mod/mod_dir.html#directoryindex
http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
I'm running WAMP on my Win7 box and trying to configure an htaccess folder to restrict my guests from browsing the directory structure.
Right now, if you head to http://grovertechnologysolutions.com/Technical, it will list the directory structure which I do not want. They should be only able to get to the .html site.
I've already modified the httpd.conf file to remove the commented out rewrite mod.
I've added the htaccess file to the documentroot of my website.
My htaccess file looks like this:
options -indexes
# or #
IndexIgnore *
I've restarted all services multiple times.
Should the htaccess be in the WWW folder or the document root? I run many websites virtually and only care about my main site, so I've been placing the htaccess inside that folder, but have tried www as well.
I'm assuming you've edited the proper .htaccess file in the website's DocumentRoot folder.
Options -Indexes
The above will only work if your particular WAMP's configuration and the website's VirtualHost file has the proper AllowOverride value set, such as...
AllowOverride All
Check the website's VirtualHost file, and/or httpd.conf's for something like...
<Directory "C:/WampDeveloper/Websites/www.example.com/webroot">
Options All
AllowOverride All
order allow,deny
allow from all
</Directory>
If it's not set to All nor lists Indexes, that .htaccess line is going to get ignored.
I've already modified the httpd.conf file to remove the commented out rewrite mod
mod_rewrite has nothing to do with this.
I've restarted all services multiple times.
.htaccess files are re-read on every request. You don't need to restart Apache.
http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
Hello I don't know much about the .htaccess configuration, but I want to restrict access to php files on my web server and I want to have only index.php with parameters accessible.
My files are in subfolder like: www.mydomain.com/sub/index.php. I want to have access to open that index.php in subfolder, css files and js files.
Here is my configuration I have so far:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
<FilesMatch "*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
I have tried to do something like <Files sub/index.php> but everytime it restricts all php files in subfolders and www.mydomain.com/index.php works fine.
Can anyone help me with it?
You can move all files except ones needed to be accessible by http (index.php, css, images etc.) out from DocumentRoot directory to upper level, so directory layout looks like this:
/lib
/files
/html
/index.php
/css/
/images/
where /html is your DocumentRoot.
In this case you won't need any additional restrictive rules in .htaccess or VirtualHost configuration/
htaccess may not be the best option to preventing direct access to some of your Php files. Instead, create an access value and set it to some value in the page you wish directed access to and don't set it in other pages otherwise.
$access = 'some value';
if(empty($access)) { header("location:index.php"); die();}
This way other php files will only be accessible via include or require. Hope that helps.
To prevent my Ajax files from direct acccess I did this:
I put all files in a common directory called "ajax" and put this in an .htaccess file in the same folder. This is my directory structure:
/var/www/html/ajax
<Directory "/var/www/html/ajax">
order allow,deny
Deny from all
Allow from 127.0.0.1
</Directory>
But this produces server error 500. .htaccess use is enabled in my server along with mod-rewrite. Please help.
The Directory directive is not allowed in your .htaccess file. see http://httpd.apache.org/docs/2.0/mod/core.html#directory. However, you can achieve the same result by simply placing the code you have in the .haccess in the /var/www/html/ajax directory, without the Directory directive
order allow,deny
Deny from all
Allow from 127.0.0.1
<Directory> is a directive that's not supported in .htaccess files, it's core and vhost specific.
For an .htaccess file, the directive is superfluous and must be omitted, because the directory is implied by the location of the .htaccess file.
Simply remove <Directory> and its closing "tag" and it should work.