• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Delete all the index.html file "Directory access is forbidden." when using .htaccess

#1
Hello,

I have got  a simple question.

After installation I saw CodeIgniter puts in each folder an index.html file with the following content:

Code:
<!DOCTYPE html>
<html>
<head>
 <title>403 Forbidden</title>
</head>
<body>
<p>Directory access is forbidden.</p>
</body>
</html>

Can I delete these files?

I am already using .htaccess in top folder to make all directories tree completely forbidden to anyone (i.e. "Deny from all")
Reply

#2
They protect against an imperfect server setup that could allow someone to obtain a list of files in the directory. These are tiny files so it's a very small price to pay for a little extra just in case insurance.
Reply

#3
(11-30-2018, 08:24 PM)dave friend Wrote: They protect against an imperfect server setup that could allow someone to obtain a list of files in the directory. These are tiny files so it's a very small price to pay for a little extra just in case insurance.

Thanks, could you explain a bit more.

I mean how do they protect? Huh 

If I have an .htaccess file with "Deny from all" these index.html files seem useless to me.

If I don't have an .htaccess file or it's misconfigured, these index.html files won't be a big protection.
Reply

#4
They protect from a miss configured sever. If you open an folder without a index.html file, it will display the content instead.

Like this:
http://mirror.imt-systems.com/centos/7/
Reply

#5
(12-01-2018, 09:20 AM)jreklund Wrote: They protect from a miss configured sever. If you open an folder without a index.html file, it will display the content instead.

Like this:
http://mirror.imt-systems.com/centos/7/

It won't show the content if you have an .htaccess "Deny from all" in the folder or in the parent folder.
Reply

#6
You asked what they where for. You can of course protect it in other ways.
Reply

#7
(12-01-2018, 10:00 AM)Balenus Wrote: It won't show the content if you have an .htaccess "Deny from all" in the folder or in the parent folder.

Well, first of all, "Deny from all" is deprecated in Apache v > 2.4 syntax and it should be "Require all denied".

Second, and most important. the "public" folder of a website must be set to "Allow from all" or "Require all granted" or requests for files in that folder (and subfolders) will be denied meaning webpages won't show.
Reply

#8
(12-01-2018, 03:03 PM)dave friend Wrote: Well, first of all, "Deny from all" is deprecated in Apache v > 2.4 syntax and it should be "Require all denied".

In the .htaccess I'm using:

Code:
<IfModule authz_core_module>
    Require all denied
</IfModule>
<IfModule !authz_core_module>
    Deny from all
</IfModule>

(12-01-2018, 03:03 PM)dave friend Wrote: Second, and most important. the "public" folder of a website must be set to "Allow from all" or "Require all granted" or requests for files in that folder (and subfolders) will be denied meaning webpages won't show.

The files are not in a public folder, I'm protecting "application" and "CodeIgniter-3.1.9" inside a private folder that is protected by the .htaccess as suggested by the guide:

For the best security, both the system and any application folders should be placed above web root so that they are not directly accessible via a browser - https://www.codeigniter.com/user_guide/i...index.html
Reply

#9
(12-01-2018, 12:02 PM)jreklund Wrote: You asked what they where for. You can of course protect it in other ways.

Ok, thanks!
I simply wanted to make sure I was not missing something. Wink
Reply

#10
That guide means that you should have the following folder structure.
application
system
public_html
- index.php (inside public_html)

And point your webbserver towards public_html.
Rendering .htaccess security obsolete, as a user can't access them by an URL.
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.