niels Posted June 15, 2011

Hey everybody, I have a question about setting up the website I'm developing.

INTRO

First of all I will give you an idea about the construction of the filesystem.

    Webroot
        /files
        /img
        /css
        .....

The webroot is the root directory of the website; this will contain the webpages and the above directories: files, img, css.

QUESTION

I want to deny access to the files, img and css dirs so only the pages in the webroot dir can access them, so users can NOT go directly to, for example, www.foo.com/css/. I thought of specifying a .htaccess file in each dir and adding deny from all. But I noticed my css didn't work. Does anybody know how to set up the Apache server?
digip Posted June 15, 2011

You need to add a .htaccess file in the root of the site, but you don't do a deny all, or that would restrict access to those files and directories, but an "IndexIgnore" statement, which makes it so files and folders can't be listed. You would get a blank page or a 403 forbidden message depending on how you set it up.

Example:

    IndexIgnore *

This would prevent files from being listed in the directory. It still allows the site to load them, and if the full URL/path was entered from the browser, the file could still be shown, which allows it to work in the webpages without divulging full files if someone navigated to /img or /css.

If you only wanted a specific directory to be viewable, you place an htaccess file in just that folder with:

    Options All Indexes
    IndexOptions FancyIndexing

And from that specific directory and subdirectories, files would then be viewable.

Edited June 15, 2011 by digip
Jason Cooper Posted June 15, 2011

> I want to deny access to files,img and css dir so only the pages in webroot dir can access them, so users can NOT go directly to for example: www.foo.com/css/. I thought of specifying a .htaccess file in each dir and add deny from all. But I noticed my css didn't work. Does anybody know how to setup the apache server ?

You can't. If you block user access to the folders then their browsers won't be able to access anything in those folders, so they won't be able to render your webpages.

You could set Apache to require the referer URL to start with your fully qualified domain name (FQDN), e.g. (just replace FQDN with your server's fully qualified domain name):

    RewriteCond %{HTTP_REFERER} !^https?://<FQDN>/ [NC]
    RewriteRule /css/.*$ / [R]
    RewriteCond %{HTTP_REFERER} !^https?://<FQDN>/ [NC]
    RewriteRule /img/.*$ / [R]
    RewriteCond %{HTTP_REFERER} !^https?://<FQDN>/ [NC]
    RewriteRule /files/.*$ / [R]

This won't stop most people getting at the content, as they will be using their browser, which will automatically send the correct referer URL when requesting the page. It will also cause problems for search bots and so would probably hit your page rankings on Google. To get around the search bot problem you can add a list of search bots into your RewriteConds, e.g.

    RewriteCond %{HTTP_REFERER} !^https?://<FQDN>/ [NC]
    RewriteCond %{HTTP_USER_AGENT} !Googlebot [NC]
    RewriteRule /files/.*$ / [R]
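Added example, not part of the thread: a small Python model of the Referer and User-Agent rules from the post above, run over constructed requests to show which ones would be served and which redirected to /. The FQDN `www.example.test`, the sample requests, and applying the Googlebot exception to all three directories are assumptions.

```python
import re

FQDN = "www.example.test"  # assumption: placeholder for the site's FQDN

# RewriteCond %{HTTP_REFERER} !^https?://<FQDN>/ [NC]  (dots escaped here)
REFERER_OK = re.compile(r"^https?://" + re.escape(FQDN) + "/", re.IGNORECASE)
# RewriteCond %{HTTP_USER_AGENT} !Googlebot [NC]
BOT_OK = re.compile(r"Googlebot", re.IGNORECASE)
# RewriteRule /css/.*$  /img/.*$  /files/.*$  (unanchored, server context)
PROTECTED = re.compile(r"/(?:css|img|files)/.*$")


def decide(path, referer="", user_agent=""):
    """Return 'redirect' if the rules would send the request to /, else 'serve'."""
    if not PROTECTED.search(path):
        return "serve"      # no RewriteRule pattern matches this path
    if REFERER_OK.search(referer):
        return "serve"      # negated Referer condition is false, rule skipped
    if BOT_OK.search(user_agent):
        return "serve"      # negated User-Agent condition is false, rule skipped
    return "redirect"       # all conditions true: RewriteRule ... / [R]


# Constructed sample requests: (label, path, Referer, User-Agent)
SAMPLES = [
    ("stylesheet loaded by a site page", "/css/site.css",
     "http://www.example.test/index.html", "Mozilla/5.0"),
    ("URL typed into the address bar", "/css/site.css", "", "Mozilla/5.0"),
    ("site page, Referer stripped in transit", "/css/site.css", "", "Mozilla/5.0"),
    ("image embedded by another site", "/img/logo.png",
     "http://other.example/page.html", "Mozilla/5.0"),
    ("search crawler", "/files/doc.pdf", "", "Googlebot/2.1"),
    ("ordinary page", "/index.html", "", "Mozilla/5.0"),
]


def evaluate(samples=SAMPLES):
    """Apply decide() to every sample and return (label, decision) pairs."""
    return [(label, decide(path, ref, ua)) for label, path, ref, ua in samples]


if __name__ == "__main__":
    for label, decision in evaluate():
        print(f"{decision:8}  {label}")
```

The typed-URL request and the site-page request whose Referer was stripped are identical on the wire, so the rules cannot tell them apart and the second one loses its stylesheet. Both headers are supplied by the client, which makes this a hotlink deterrent rather than access control.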