Thursday, October 22, 2009

Apache: Deny access to certain file types

How to deny access to certain file types.

Useful: to deny access to certain files that contain private information (log files, source code, password files, etc.).

In a previous tip (Hide a file type from directory indexes) I showed how to hide some files from appearing in directory indexes. Hiding a file from the index does not deny access to it: a remote user who knows the exact location of the file can still fetch it from a browser. How would someone find out the location of a private file? It does not really matter much, but paths and file names leak through warning messages, through directory indexes that were not cleaned up, or simply through guessing common names.
So if there are 'special files' that must never be served to remote users, you have to deny access to them explicitly.

To achieve this we use the standard Apache access-control module, mod_access (named mod_authz_host from Apache 2.2 on), which lets us define Allow/Deny rules in the various configuration contexts (<Directory>, <Files> and <Location> sections, plus .htaccess files). In this case we are interested in the <Files> section. Note for newer servers: Apache 2.4 replaced Order/Allow/Deny with the Require directive of mod_authz_core, so the two lines used in the examples below become "Require all denied" there.

Allow/Deny directives in <Files>
Your Apache default configuration might already contain (or at least it would be nice if it did) a section similar to the following one, which denies browser access to .htaccess files:

<Files .htaccess>
Order allow,deny
Deny from all
</Files>

This is a simple example of how we can deny access to a single file by its name. If you don't have such a configuration, it is a good idea to add it.

Let's see how we can deny access to several files at once; say we want to deny access to all files with the extension .inc (the include files of our PHP application). For that we use <FilesMatch>, which takes a regular expression instead of a file name, and add the following lines in the appropriate context (global config, vhost or <Directory> block, or .htaccess), for example:

<FilesMatch "\.inc$">
Order allow,deny
Deny from all
</FilesMatch>

The pattern is a regex, so the dot has to be escaped and the $ anchors it to the end of the name; a backup copy such as config.inc.bak would not match this pattern, so deny those separately if your editor leaves them behind. In the same way we can deny access to whatever other files we need.

Apache: Deny access to some folders

Let's see how we can deny access to all the .svn folders that exist on the server (a checked-out working copy under the DocumentRoot exposes the whole source tree through .svn/). We use <DirectoryMatch>, the regex variant of <Directory>, and add the following lines in the appropriate context (global config or vhost; <DirectoryMatch> is not allowed inside .htaccess):

<DirectoryMatch "\.svn">
Order allow,deny
Deny from all
</DirectoryMatch>

The pattern is matched against the full path of the directory and is not anchored here, so a directory whose name merely ends in .svn (project.svn/) is denied as well; anchor it (for example /\.svn(/|$)) if that matters to you. In the same way we can deny access to any other folders we need.

Note: this shows a Forbidden page (code 403) even if the folder does not exist and the path is simply typed into the browser's URL.
Another way this can be quickly accomplished is with a Rewrite rule (mod_rewrite must be loaded):

RewriteRule ^(.*/)?\.svn/ - [F,L]

or with a redirect (mod_alias):

RedirectMatch 404 /\.svn(/|$)

In this last example I return 404 so the folder looks like it does not exist on the server; of course, if you prefer, you can return the 403 Forbidden code instead.
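To see what each of the patterns on this page actually catches before deploying them, here is a small Python model (an added example, not code from the original post) that applies the same regexes the way Apache does: <Files>/<FilesMatch> against the file name, <DirectoryMatch> against the directory part of the path, RewriteRule and RedirectMatch against the request path. The sample request paths are constructed for the demo, the mapping from URI to DocumentRoot is assumed to be 1:1, and everything else httpd does (aliases, trailing-slash redirects, module ordering) is ignored, so use it to reason about patterns and confirm the result on a real server with a browser or curl.

```python
"""Model of which request paths the deny rules above catch.

Added example, not from the original post.  Simplified on purpose: it
assumes a 1:1 URI -> DocumentRoot mapping and ignores aliases, the
trailing-slash redirect of mod_dir and the order in which modules run.
"""
import posixpath
import re

# Patterns exactly as used in the configuration examples above
# (regular expressions, not shell globs).
FILES_MATCH_INC = re.compile(r"\.inc$")          # <FilesMatch "\.inc$">
DIRECTORY_MATCH_SVN = re.compile(r"\.svn")       # <DirectoryMatch "\.svn">, unanchored
REWRITE_RULE_SVN = re.compile(r"^(.*/)?\.svn/")  # RewriteRule ^(.*/)?\.svn/ - [F,L]
REDIRECT_MATCH_SVN = re.compile(r"/\.svn(/|$)")  # RedirectMatch 404 /\.svn(/|$)


def files_rule_blocks(uri: str) -> bool:
    """<Files .htaccess> and <FilesMatch "\\.inc$"> look only at the basename."""
    basename = posixpath.basename(uri)
    return basename == ".htaccess" or FILES_MATCH_INC.search(basename) is not None


def directorymatch_blocks(uri: str) -> bool:
    """<DirectoryMatch> is tested against the directory part of the path,
    so it never sees the file name itself."""
    return DIRECTORY_MATCH_SVN.search(posixpath.dirname(uri)) is not None


def rewriterule_blocks(uri: str) -> bool:
    """The '(.*/)?' prefix makes '\\.svn/' match a whole path component,
    whether the rule runs in server or per-directory context."""
    return REWRITE_RULE_SVN.search(uri) is not None


def redirectmatch_status(uri: str):
    """404 when the URI contains a '.svn' path component, else None
    (the request is handled normally)."""
    return 404 if REDIRECT_MATCH_SVN.search(uri) else None


def report(uris):
    """{uri: (files, dirmatch, rewrite, redirect)} for each sample request."""
    return {
        u: (files_rule_blocks(u), directorymatch_blocks(u),
            rewriterule_blocks(u), redirectmatch_status(u))
        for u in uris
    }


# Constructed sample requests, chosen to expose the edge cases.
SAMPLES = [
    "/app/index.php",               # ordinary page: nothing should block it
    "/app/.htaccess",               # blocked by <Files .htaccess>
    "/app/lib/config.inc",          # blocked by <FilesMatch "\.inc$">
    "/app/lib/config.inc.bak",      # NOT blocked: '\.inc$' is anchored, backups slip through
    "/app/.svn/entries",            # caught by all three .svn rules
    "/app/.svn",                    # RedirectMatch catches it via '$'; the other two need the '/'
    "/app/project.svn/index.html",  # unanchored DirectoryMatch hits this ordinary directory
    "/app/.svnignore",              # none of the .svn rules match, by design
]

if __name__ == "__main__":
    for uri, (f, d, rw, rd) in report(SAMPLES).items():
        print(f"{uri:32} files={f!s:5} dirmatch={d!s:5} rewrite={rw!s:5} redirect={rd}")
```

The two rows worth looking at are config.inc.bak (the .inc rule alone does not cover editor backups, so add *.bak and *~ to your deny list) and project.svn (the unanchored <DirectoryMatch> pattern is broader than the RewriteRule and RedirectMatch forms, which both insist on a full ".svn" path component).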

Apache: Hide some files from appearing in directory indexes.

How to prevent certain files from appearing in directory indexes, in case indexes need to remain enabled. This is particularly useful for non-HTML files (raw files that Apache returns to the browser as-is instead of parsing them): PHP include files, libraries that do not carry the .php extension, log files, or any other file you want to keep users from finding easily in the browser.

Normally I disable directory indexes altogether and this is not needed, but if you have to keep directory indexes ON for some reason, it is a good idea to hide some files from showing up in them.
This does not prevent people from downloading the files as long as they know (or guess) the file name and location; it only hides them from the generated index (for that, deny access to them as described in the first tip on this page). Some good examples of files to hide this way:

•.htaccess (for obvious reasons)
•*.bak *~ (editor backup copies; these can leak the source of parsed web files, e.g. a .php file saved as .php.bak or .php~)
•RCS CVS *,v *,t (hide CVS and RCS related files)
•*.inc (or whatever file extension you use for files included from regular PHP files)
These are just examples; use this directive based on your particular needs.

IndexIgnore

We use the Apache directive IndexIgnore (from mod_autoindex) to hide the list of files. It can be used in the global configuration as well as per virtual host, per directory or in .htaccess, and it is useful to know that each new IndexIgnore line adds its files to the list of hidden files rather than overwriting a previous definition. So you can arrange it as you see fit (put them all in one place on a single line, or keep several ignore lists, etc.). The patterns are shell-style wildcards (*, ?, [...]), not regular expressions. To hide the file types from above from directory indexes:

IndexIgnore .htaccess
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
IndexIgnore *.inc *.bak

Or the same thing on one single line:

IndexIgnore .htaccess .??* *~ *# HEADER* README* RCS CVS *,v *,t *.inc *.bak

Some Linux distributions ship defaults for this directive, but if you have directory indexes ON you should really look at it and add the files you don't want users to see in a directory index from a browser.
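Because IndexIgnore uses wildcards rather than regexes, it is easy to misjudge what a pattern such as .??* covers. The following Python model (an added example, not code from the original post) parses the IndexIgnore lines from above, accumulates them the way Apache does, and runs a constructed directory listing through the resulting list with fnmatch, which is close enough to Apache's wildcard matching for reasoning about the patterns. The listing is made up for the demo; the exact ordering and case handling of a real mod_autoindex are not modelled.

```python
"""Model of which directory entries the IndexIgnore list above hides.

Added example, not from the original post.  Apache matches each pattern
against the entry name with shell-style wildcards; Python's fnmatch is an
approximation that is good enough to reason about the list.
"""
import fnmatch

# The IndexIgnore lines from the tip above, in order.
INDEX_IGNORE_LINES = [
    "IndexIgnore .htaccess",
    "IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t",
    "IndexIgnore *.inc *.bak",
]


def build_ignore_list(lines):
    """Parse IndexIgnore lines; each one appends to the list, none replaces it."""
    patterns = []
    for line in lines:
        words = line.split()
        if words and words[0] == "IndexIgnore":
            patterns.extend(words[1:])
    return patterns


def is_hidden(name, patterns):
    """True if any wildcard pattern matches the entry name (case-sensitive)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def visible_entries(listing, patterns):
    """The entries a directory index would still show."""
    return [name for name in listing if not is_hidden(name, patterns)]


# Constructed listing of a web directory that has seen a few sloppy deploys.
LISTING = [
    "index.php", "index.php~", "#index.php#", "config.inc", "config.inc.bak",
    "config.php.bak", ".htaccess", ".git", ".a", "README.txt", "RCS",
    "main.c,v", "logo.png",
]

PATTERNS = build_ignore_list(INDEX_IGNORE_LINES)

if __name__ == "__main__":
    print("patterns:", PATTERNS)
    for name in LISTING:
        print(f"{name:16} {'hidden' if is_hidden(name, PATTERNS) else 'SHOWN'}")
    # Still shown: index.php, .a and logo.png.  '.??*' needs at least two
    # characters after the dot (it was written that way to skip '.' and
    # '..'), so a two-character dotfile such as '.a' stays visible.
```

Two things the run makes visible: the .??* pattern hides every dotfile of three or more characters (including .git, which the page's list never mentions by name) but not a two-character one, and *.inc on its own leaves config.inc.bak in the listing, which is why *.bak belongs in the list as well.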