  1. #1
    Just Joined!
    Join Date
    Jul 2007
    Posts
    7

    hidden directory config?


    I have set my Apache server to use /var/www/html as DocumentRoot.

    I also would like to set a directory 'hidden' like this:
    /var/www/html/hidden

    How do I configure Apache so that the public can access html directory but not in hidden directory? I tried to set 711 permissions to 'hidden' but the public can still run my scripts in hidden directory and that means backdoor entry.

    I would like to configure so that nobody can look into hidden, nobody can execute any scripts in there either. The only ones allowed to see or execute scripts are other php scripts in html directory.

    How can I do this? Thanks.

  2. #2
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    Well 711 still allows permission to execute for group and others. Remember 1=execute, 2=write and 4=read. Adding them together gives you the desired permission. So you should be setting it as 700, though I don't use Apache an awful lot so it may require its own permissions to be set.

  3. #3
    Just Joined!
    Join Date
    Jul 2007
    Posts
    7
    Yes, I tried setting 700. This will prevent others from executing scripts. But also prevents the server (apache) from running them too.

  5. #4
    Just Joined!
    Join Date
    Feb 2008
    Posts
    1
    What's your Apache owner? I mean the user & group in the conf file. Change /var/www/html/hidden to 700 and change it to the same owner as in the Apache conf file.

  6. #5
    Linux User
    Join Date
    Jan 2006
    Posts
    414
    If you want to allow Apache access, but not users, then you'll need to set up the directory permissions using Apache mod_auth, not filesystem permissions.

    Easy Way:
    Don't put the hidden directory under the document root e.g.
    /var/www/html/
    /var/www/hidden/
    now the scripts can't be accessed from the web, but apache can still execute them.

    Technically more correct way:
    enable mod auth; if you're using a Debian based system then:
    a2enmod mod_auth
    will do the trick, otherwise check your distro's apache documentation.

    next you need to create a .htaccess file in the hidden directory, with the following contents:
    Code:
            Order deny,allow
            Deny from all
            Allow from localhost 127.0.0.1 SERVER_IP SERVER_NAME
    Change SERVER_IP and SERVER_NAME to suit your setup.

    Open the apache config file for the server/domain, and change:
    Code:
            <Directory /var/www/html/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride None
                    Order allow,deny
                    allow from all
            </Directory>
    to:
    Code:
            <Directory /var/www/html/>
                    Options Indexes FollowSymLinks MultiViews
                    # only this line changes (Limit is the override class that permits Order/Deny/Allow in .htaccess)
                    AllowOverride AuthConfig Limit
                    Order allow,deny
                    allow from all
            </Directory>
    save it and restart apache, and if a user tries to access anything in the hidden directory they should get a Forbidden 403 error.

    I haven't used mod_auth for a while, so if you have any problems, read the Apache docs on it: Documentation: Apache HTTP Server - The Apache HTTP Server Project
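
The deny rule from post #5, written as server-config directives instead of a .htaccess file, so no AllowOverride change is involved (an added example, not part of the thread). It assumes the paths used in the thread, and the `<IfModule>` split is an assumption to cover both Apache 2.4 (`Require`) and 2.2 (`Order`/`Deny`). PHP `include`/`require` read files from the filesystem, not over HTTP, so scripts in html can still load files from hidden.

```apache
# Added example: block all HTTP access to the hidden directory from the
# main server config. Paths are the ones used in the thread.

# Public document root, kept as shown in the thread.
<Directory /var/www/html/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

# The more specific <Directory> is merged after its parent, so this
# section overrides the "allow from all" above for everything in hidden.
<Directory /var/www/html/hidden/>
    # No listings, no CGI execution, no symlink following
    Options None
    # Ignore any .htaccess dropped into this directory
    AllowOverride None
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>
```

Run `apachectl configtest` before reloading; afterwards a request for any URL under /hidden/ should return 403, while the directory still needs filesystem permissions that let the Apache user read it.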
