  1. #1
    PixelPaul

    Folder permissions question

    I am hosting a website on a Linux-Apache server. I have a folder called 'docs'. I want to be able to link directly to a PDF file within this folder, i.e. www.mydomain.com/docs/filename.pdf. But what I don't want is to have users be able to see all the files displayed as a list if they were to type in www.mydomain.com/docs/. What do I need to do so the files can be directly linked and downloadable, while not allowing visitors to view the complete file list of all content within that folder? Is it a matter of changing the folder's permissions or something else?

  2. #2
    guido2004
    Never mind my answer... see the one below from dklynn
    Last edited by guido2004; Jan 24, 2013 at 02:14. Reason: wrong answer...

  3. #3
    dklynn
    PP,

    That's a simple one because Apache has a directive specifically for just such a situation (not exposing files contained in a directory):

    Code:
    Options -Indexes

    If you need to learn more about all things Apache, go to http://httpd.apache.org/docs/index.html and pick your version of Apache.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  4. #4
    PixelPaul
    Quote, originally posted by dklynn:
        PP,

        That's a simple one because Apache has a directive specifically for just such a situation (not exposing files contained in a directory):

        Code:
        Options -Indexes

    Thanks for the reply, but I have no idea how to or where to do this? Can anybody please help?

  5. #5
    ralph.m
    A simple option is to put a file in that folder called index.php

    It can even be blank, but it will prevent anyone from viewing that file list you speak of.

  6. #6
    ralph.m
    Or it can just be called index.html, by the way. I'm on a phone, so couldn't edit the last post.

  7. #7
    PixelPaul
    Quote, originally posted by ralph.m:
        A simple option is to put a file in that folder called index.php

        It can even be blank, but it will prevent anyone from viewing that file list you speak of.

    Thanks, that was an easy fix

  8. #8
    dklynn
    Ralph,

    Sorry, as I explained to Guido via PM:

    .htaccess in the DocumentRoot can be used to tell Apache the following:

    • The names and order of the DirectoryIndex files to use when none are specified in the URI.
    • Options -Indexes is the directive to tell Apache it's not permitted to provide a file listing of the directory.
    • ErrorDocument 404 /404_handler_file is used to tell Apache not to use its default error page but your 404_handler_file.
    • Etc.


    PLEASE use the correct statements to control Apache functions as the use of an index.php file was serendipitous in its meeting the OP's request.

    Regards,

    DK

  9. #9
    ralph.m
    Quote, originally posted by dklynn:
        .htaccess in the DocumentRoot can be used to tell Apache the following:

        • The names and order of the DirectoryIndex files to use when none are specified in the URI.
        • Options -Indexes is the directive to tell Apache it's not permitted to provide a file listing of the directory.
        • ErrorDocument 404 /404_handler_file is used to tell Apache not to use its default error page but your 404_handler_file.
        • Etc.

        PLEASE use the correct statements to control Apache functions as the use of an index.php file was serendipitous in its meeting the OP's request.

    Thanks David. I knew your solution would be much better, but had sympathy for the OP, who (if anything like me) is probably bewildered by this stuff. Unless I have my hand held and every step laid out in full, I easily get lost in the crevasses of undefined steps, so to speak.

    To expand on your advice above, do you mean that, in a .htaccess file in the root folder, the following should be added to deal with situations like this?

    Code:
    Options -Indexes
    ErrorDocument 404 /my-404-page.html

  10. #10
    dklynn
    Hi Ralph,

    Thanks for that.

    I was ready to respond with the .htaccess information but saw your back-and-forth with PP and **HAD** to comment.

    In explanation for the serendipity comment, the server must be using index.php somewhere in its DirectoryIndex statement (in httpd.conf). The simple fact that you chose that meant that Apache would serve the (null?) index.php file rather than the (Options +Indexes) directory listing. Serendipity can be a useful tool but, if you actually know what you're doing, you don't need it (Luck - "The Good Lord protects babies, drunks and fools" - and it's best not to be the latter and I'm far too old to be in the first category).

    Actually, I will tend to use (without comments or going into mod_rewrite code):

    Code:
    # .htaccess in DocumentRoot

    # Set Apache Options
    Options -Indexes -MultiViews

    # Set Directory Indexes
    DirectoryIndex index.php index.html home.php other_as_required

    # Set ErrorDocument for this domain
    ErrorDocument 404 /sitemap.php

    # OPTIONAL code to prohibit viewing .htaccess file
    <Files .htaccess>
        order allow,deny
        deny from all
    </Files>

    Explanation(s):

    1. The .htaccess file is a server file peculiar to Apache in which you can put limited directives aimed at Apache. The only "trick" is to know that (ab)use of .htaccess should be very limited and is only useful to webmasters with no access to the server/virtual host conf files.
    2. Options -Indexes tells Apache it's prohibited from providing directory listings.
    3. Options -MultiViews tells Apache NOT to serve files in directory positions in the URI, i.e., NOT to serve http://example.com/index.php/yadda-yadda/whoop-de-do's index.php file and allow it to parse the remaining parts of the path/file in the URI. To make matters worse, +MultiViews will also attempt to serve any extension with the same filename as a directory name in the path - and this trips-up newbie webmasters!
    4. DirectoryIndex sets the order Apache will search for a default file to serve when no filename is present in the URI. While generally set in the httpd.conf (the server's configuration file), a webmaster can change the default name very easily. This is useful when developing/modifying a website as you can serve a "coming soon" or "update in progress" page simply by changing the order and testing using a direct link to the website's intended (future) DirectoryIndex.
    5. Apache will serve a default error document script unless you specify one you have built for your website. I've used the Home page (index.php), error.php but I've shown sitemap.php above as a good alternative (it helps visitors find what they're looking for).
    6. This <Files> wrapper has specified that no one is allowed to see, read, download or even know that an .htaccess file even exists (deny access to all).


    When I get lazy, I'll only use the DirectoryIndex and ErrorDocument but the others should be considered the best candidates for inclusion ... with the caveat that you don't need the comments I inserted so they should be removed for efficiency.

    I hope that explanation helped everyone.

    Regards,

    DK
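Added example (not part of the original thread): a simplified Python model of the decision dklynn describes in post #10. It shows why a placeholder index.php hides the listing only when its name appears in DirectoryIndex, and why subdirectories remain listable until Options -Indexes is set. The function names and the sample file tree are constructed for illustration.

```python
# Simplified model of how Apache answers a request; not Apache's own code.
FILES = {"/docs/filename.pdf", "/docs/archive/old.pdf"}  # constructed sample tree


def resolve(path, files, directory_index, indexes_enabled):
    """Return (status, body) for a request path.

    directory_index: names from the DirectoryIndex directive, in search order.
    indexes_enabled: True models Options +Indexes, False models Options -Indexes.
    """
    if not path.endswith("/"):
        # Direct link to a file: the Indexes option plays no part here.
        return (200, path) if path in files else (404, None)
    children = {f[len(path):].split("/")[0] for f in files if f.startswith(path)}
    if not children:
        return (404, None)  # directory does not exist in the sample tree
    # Directory URL: the first DirectoryIndex name that exists is served.
    for name in directory_index:
        if path + name in files:
            return (200, path + name)
    # No index file found: a listing is produced only when Indexes is on.
    return (200, sorted(children)) if indexes_enabled else (403, None)


def audit(files, directory_index, indexes_enabled):
    """Return every directory URL whose response would be a file listing."""
    dirs = set()
    for f in files:
        parts = f.split("/")[1:-1]
        for i in range(1, len(parts) + 1):
            dirs.add("/" + "/".join(parts[:i]) + "/")
    return sorted(
        d for d in dirs
        if isinstance(resolve(d, files, directory_index, indexes_enabled)[1], list)
    )


if __name__ == "__main__":
    placeholder = FILES | {"/docs/index.php"}
    print(audit(FILES, ["index.php", "index.html"], True))        # both listed
    print(audit(placeholder, ["index.php", "index.html"], True))  # subdir still listed
    print(audit(placeholder, ["index.html"], True))               # placeholder ignored
    print(audit(FILES, ["index.php", "index.html"], False))       # nothing listed
```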

  11. #11
    ralph.m
    Thanks David. That's a fantastic little tutorial right there. Thanks for going into such detail. Certainly bookmarked for future reference.

    I'm a little hazy about the Multiviews part. Is +Multiviews the default? I use a CMS that does include index.php in the middle of the URI (http://example.com/index.php/yadda-yadda/), though I use some htaccess code to hide it, as most others do, too. I wonder how -Multiviews would affect that. I wasn't clear on what "trips-up newbie webmasters" (says he, flat on his face).

  12. #12
    ayonkhan
    Just open a text editor, and paste the following code.

    PHP Code:
    <?php
    // Send visitors of /docs/ to the parent directory instead of a listing
    header('Location: ../');
    exit;

    Save it as index.php. Now upload it to /docs directory.

    Or, you can configure .htaccess.

  13. #13
    ServerStorm
    Quote, originally posted by ayonkhan:
        Just open a text editor, and paste the following code.

        PHP Code:
        <?php
        // Send visitors of /docs/ to the parent directory instead of a listing
        header('Location: ../');
        exit;

        Save it as index.php. Now upload it to /docs directory.

        Or, you can configure .htaccess.

    Hi ayonkhan,

    While your PHP redirect will work, it is generally not the preferred method. It requires that Apache make a route, read a page and then redirect when the .htaccess file is read and redirected prior to having to invoke PHP or load a page. When you get into really complicated rewrites then often using PHP redirects makes more sense.

    Regards,
    Steve

  14. #14
    dklynn
    Ralph,

    No problem. It seemed that a detailed explanation was necessary.

    +MultiViews is not the default ... probably because it's such a PITA!

    Sorry, I didn't understand the question about the CMS with index.php in the middle of the URI. I'm familiar with WP which redirects everything (which does not exist as a file or directory) to its own index.php which then parses ({THE_REQUEST?} ... well, that's my guess). If your CMS DISPLAYS the index.php in the middle of the URI, then it's got to invoke +MultiViews. As you can tell, I dislike that approach.

    "Trips-up newbie webmasters" means that new webmasters don't understand how MultiViews works so they casually select directory names which might duplicate file names. If that's the case, they'll never reach the directory contents. IMHO, that's a GOTCHA!

    Steve,

    Spot on! When a webmaster cannot create a RewriteMap (does not have control over the server or virtual host configuration files), I've recommended that a PHP handler script be used to perform a file or database lookup for the redirection followed by a header(status) and then header(location) redirection. Since this is only made necessary when a webmaster needs to recreate a website while preserving PR for the old pages (and didn't bother to use the same script names), this is rarely used.

    As far as I'm concerned, mod_rewrite is an exceptionally powerful tool which can perform ALL necessary redirections (given the necessary permissions to modify the requisite files as noted above).

    Regards,

    DK