Protect a directory with nginx

I have a directory /cat to which I wish to deny all users direct access to files from the URL.

I can do location /cat { deny all; } but then the application cannot access /cat/js, which it needs.

Thus I wish to deny URL access recursively to any file in /cat … but allow my application to access it.

Any thoughts?

Not possible. If your application needs it the browser needs to be able to download it.

There are some things you can try with checking the referer of the request, but since that is user supplied data it can be tampered with.

Maybe you’ve seen filesystem root folders named “public_html”? In this case, the hint is what’s inside is not “private”.

Alongside the filesystem root folder you can see other folders and files. If you didn’t make them and you don’t know what they are, tread carefully. BUT - you should be able to easily create a filesystem folder alongside the others and put sensitive information, private files, etc. in it, e.g. “db-logins” or whatever makes sense to you.

The key difference is that PHP can access what’s in the filesystem below the site’s area of the server. HTTP requests can have access to what’s under the filesystem public root. PHP can access what’s in the filesystem below the site’s area of the server including what’s under the filesystem public root.

Doing more outside of the site’s area is what I call “server administration” and largely “only when I absolutely have no other choice” but as long as you don’t overdo things it should be OK. I suppose if in doubt ask your host first? I don’t imagine most would mind a bit of config / directives but mega TB would likely get attention.

A PHP framework tackled this problem by setting a BASEPATH constant in the calling PHP files and testing for the constant in the included/required PHP files:

file: public_html/cat/protected-file.php

<?php
defined('BASEPATH') OR exit('No direct script access allowed');

Modern practice is to have a single index.php file in the public_html base directory and to call application PHP files which are located above the root:

website-url.tld
  ./application-files/
  ./public_html/
      ./assets/images/
      ./assets/javascript/
      ./const/
      index.php

OK thanks, I’m OK with the PHP above or outside the root directive - but when I try to put my assets (CSS and JS, for example) outside the root directive they don’t work.

So why only protect the PHP outside the html_pub? Why not protect the JS above and outside the root directive?

Or do I not understand site vulnerability?

Does direct access to js files not cause a problem? Why only protect php files?

PHP is processed on the server, so only the server needs access to PHP files. Sure, you could give the client access, but they can’t do anything with those files by themselves and if the web server ever breaks and just sends PHP files to the browser instead of processing them all your passwords may be out in the open.

JS and CSS are processed on the client (i.e., the browser), so the client needs access to them.
Also, JS and CSS should not contain sensitive information.
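
The layout the answers above describe, written as an nginx server block. This is an added example, not configuration posted by anyone in the thread; the /srv/website-url.tld prefix, the server_name and the PHP-FPM socket path are assumptions to adapt.

```nginx
# Added example. Paths, server_name and the PHP-FPM socket are assumptions.
#
# The approach from the question blocks the browser as well, so the
# page's own JS under /cat/js stops loading:
#     location /cat { deny all; }

server {
    listen 80;
    server_name website-url.tld;

    # Only public_html is reachable by URL. application-files/ sits beside
    # it, so no request path maps to it; PHP still reads it via require.
    root /srv/website-url.tld/public_html;
    index index.php;

    # JS, CSS and images are processed by the browser, so they stay public.
    location /assets/ {
        try_files $uri =404;
    }

    # Single entry point: the only script ever handed to PHP-FPM.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Any other .php file under the root is refused, so it is neither
    # executed directly nor sent to the browser as source.
    location ~ \.php$ {
        return 404;
    }

    # Everything else that is not a real file goes to the front controller.
    location / {
        try_files $uri /index.php$is_args$args;
    }
}
```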

Ahh, then I set my root directive, put PHP files outside the root and JS / CSS and HTML files inside and under the root directory for application access, and I’m good to go.

I don’t really need the referrer command for the index anyway.

Thank you ever so much to all!
