Posted

Hey everybody,

I have a question about setting up the website I'm developing.

INTRO

First of all I will give you an idea about the construction of the filesystem.

Webroot
/files
/img
/css
.....

The webroot is the root directory of the website. It will contain the webpages and the above directories: files, img, css.

QUESTION

I want to deny access to the files, img and css dirs so only the pages in the webroot dir can access them, so users can NOT go directly to, for example, www.foo.com/css/.

I thought of specifying a .htaccess file in each dir and adding deny from all.

But I noticed my css didn't work. Does anybody know how to set up the Apache server?

Posted (edited)

You need to add a .htaccess file in the root of the site, but you don't do a deny all, as that would restrict access to those files and directories. Instead, use an "IndexIgnore" statement, which makes it so files and folders can't be listed. You would get a blank page or a 403 Forbidden message depending on how you set it up.

example:

IndexIgnore *

This would prevent files from being listed in the directory. It still allows the site to load them, and if the full URL/path was entered from the browser, the file could still be shown, which allows it to work in the webpages without divulging full file lists if someone navigated to /img or /css.

If you only wanted a specific directory to be viewable, you place a .htaccess file in just that folder with:

Options All Indexes
IndexOptions FancyIndexing

And from that specific directory and sub directories, files would then be viewable.

Edited by digip
Posted

I want to deny access to the files, img and css dirs so only the pages in the webroot dir can access them, so users can NOT go directly to, for example, www.foo.com/css/.

I thought of specifying a .htaccess file in each dir and adding deny from all.

But I noticed my css didn't work. Does anybody know how to set up the Apache server?

You can't. If you block user access to the folders then their browsers won't be able to access anything in those folders, so they won't be able to render your webpages.

You could set Apache to require the referer URL to start with your fully qualified domain name (FQDN), e.g. (just replace FQDN with your server's fully qualified domain name):

RewriteCond %{HTTP_REFERER} !^https?://<FQDN>/ [NC]
RewriteRule /css/.*$ / [R]
RewriteCond %{HTTP_REFERER} !^https?://<FQDN>/ [NC]
RewriteRule /img/.*$ / [R]
RewriteCond %{HTTP_REFERER} !^https?://<FQDN>/ [NC]
RewriteRule /files/.*$ / [R]

This won't stop most people getting at the content as they will be using their browser which will automatically send the correct referer URL when requesting the page. It will also cause problems for search bots and so would probably hit your page rankings on Google. To get around the search bot problem you can add a list of search bots into your RewriteConds e.g.

RewriteCond %{HTTP_REFERER} !^https?://<FQDN>/ [NC]
RewriteCond %{HTTP_USER_AGENT} !Googlebot [NC]
RewriteRule /files/.*$ / [R]
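
The two replies above combined into one webroot .htaccess, as an added example that is not part of the original thread: it shows the question's `deny from all` attempt (commented out) beside a listing-only restriction and a per-directory form of the referer rule. It assumes Apache 2.4 with mod_rewrite, an AllowOverride setting that permits Options and FileInfo, and www.foo.com (the host from the question) standing in for the FQDN.

```apache
# Webroot .htaccess (added example; www.foo.com is the placeholder
# host taken from the question).

# What the question tried, in /css/.htaccess. It blocks every request
# for the directory, including the browser's own request for the
# stylesheet, which is why the CSS stopped working:
#   Deny from all            (Apache 2.2 syntax)
#   Require all denied       (Apache 2.4 syntax)

# 1. Turn off auto-generated directory listings below the webroot.
#    /css/ with no index file now returns 403 Forbidden, while
#    /css/style.css is still served to the page that links to it.
Options -Indexes

# 2. Optional referer check. In .htaccess context Apache strips the
#    leading slash before matching, so the pattern starts with the
#    directory name. Dots in the host name are escaped so they match
#    literally.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://www\.foo\.com/ [NC]
RewriteCond %{HTTP_USER_AGENT} !Googlebot [NC]
RewriteRule ^(css|img|files)/ / [R=302,L]

# The Referer header is supplied by the client and some browsers or
# proxies omit it, so rule 2 only discourages hotlinking and direct
# navigation. Files that must stay private belong outside the webroot
# or behind authentication.
```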
