hidden directory config?

[ploceus]

I have set my Apache server to use /var/www/html as DocumentRoot.

I also would like to set a directory 'hidden' like this:
/var/www/html/hidden

How do I configure Apache so that the public can access html directory but not in hidden directory? I tried to set 711 permissions to 'hidden' but the public can still run my scripts in hidden directory and that means backdoor entry.

I would like to configure so that nobody can look into hidden, nobody can execute any scripts in there either. The only ones allowed to see or execute scripts are other php scripts in html directory.

How can I do this? Thanks.

[bigtomrodney]

Well 711 still allows permission to execute for group and others. Remember 1=execute, 2=write and 4=read. Adding them together gives you the desired permission. So you should be setting it as 700, though I don't use Apache an awful lot so it may require its own permissions to be set.

[ploceus]

Yes, I tried setting 700. This will prevent others from executing scripts. But also prevents the server (apache) from running them too.

[Jason_Zhou]

what's your apache owner? I mean the user & group in the conf file. change /var/www/html/hidden to 700 and change the same owner as the apache conf file.

[darkrose0510]

If you want to allow apache access, but not users, then you'll need to setup the directory permissions using apache mod_auth, not filesystem permissions.

Easy Way:
Don't put the hidden directory under the document root e.g.
/var/www/html/
/var/www/hidden/
now the scripts can't be accessed from the web, but apache can still execute them.

Technically more correct way:
enable mod auth; if you're using a Debian based system then:
a2enmod mod_auth
will do the trick, otherwise check your distro's apache documentation.

next you need to create a .htaccess file in the hidden directory, with the following contents:

Code:

 Order deny,allow
Deny from all
Allow from localhost 127.0.0.1 SERVER_IP SERVER_NAME

change SERVER_IP and SERVER_NAME to suit your setup

Open the apache config file for the server/domain, and change:

Code:

        <Directory /var/www/html/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

to:

Code:

        <Directory /var/www/html/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride AuthConfig ## only this line changes
                Order allow,deny
                allow from all
        </Directory>

save it and restart apache, and if a user tries to access anything in the hidden directory they should get a Forbidden 403 error.

I haven't used mod_auth for a while, so if you have any problems, read the apache docs on it Documentation: Apache HTTP Server - The Apache HTTP Server Project