CodeIgniter Forums
Delete all the index.html file "Directory access is forbidden." when using .htaccess - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forum-5.html)
+--- Forum: Installation & Setup (https://forum.codeigniter.com/forum-9.html)
+--- Thread: Delete all the index.html file "Directory access is forbidden." when using .htaccess (/thread-72287.html)

Pages: 1 2


Delete all the index.html file "Directory access is forbidden." when using .htaccess - Balenus - 11-30-2018

Hello,

I have got  a simple question.

After installation I saw CodeIgniter puts in each folder an index.html file with the following content:

Code:
<!DOCTYPE html>
<html>
<head>
 <title>403 Forbidden</title>
</head>
<body>
<p>Directory access is forbidden.</p>
</body>
</html>

Can I delete these files?

I am already using .htaccess in top folder to make all directories tree completely forbidden to anyone (i.e. "Deny from all")


RE: Delete all the index.html file "Directory access is forbidden." when using .htaccess - dave friend - 11-30-2018

They protect against an imperfect server setup that could allow someone to obtain a list of files in the directory. These are tiny files so it's a very small price to pay for a little extra just in case insurance.


RE: Delete all the index.html file "Directory access is forbidden." when using .htaccess - Balenus - 12-01-2018

(11-30-2018, 08:24 PM)dave friend Wrote: They protect against an imperfect server setup that could allow someone to obtain a list of files in the directory. These are tiny files so it's a very small price to pay for a little extra just in case insurance.

Thanks, could you explain a bit more.

I mean how do they protect? Huh 

If I have an .htaccess file with "Deny from all" these index.html files seem useless to me.

If I don't have an .htaccess file or it's misconfigured, these index.html files won't be a big protection.


RE: Delete all the index.html file "Directory access is forbidden." when using .htaccess - jreklund - 12-01-2018

They protect from a miss configured sever. If you open an folder without a index.html file, it will display the content instead.

Like this:
http://mirror.imt-systems.com/centos/7/


RE: Delete all the index.html file "Directory access is forbidden." when using .htaccess - Balenus - 12-01-2018

(12-01-2018, 09:20 AM)jreklund Wrote: They protect from a miss configured sever. If you open an folder without a index.html file, it will display the content instead.

Like this:
http://mirror.imt-systems.com/centos/7/

It won't show the content if you have an .htaccess "Deny from all" in the folder or in the parent folder.


RE: Delete all the index.html file "Directory access is forbidden." when using .htaccess - jreklund - 12-01-2018

You asked what they where for. You can of course protect it in other ways.


RE: Delete all the index.html file "Directory access is forbidden." when using .htaccess - dave friend - 12-01-2018

(12-01-2018, 10:00 AM)Balenus Wrote: It won't show the content if you have an .htaccess "Deny from all" in the folder or in the parent folder.

Well, first of all, "Deny from all" is deprecated in Apache v > 2.4 syntax and it should be "Require all denied".

Second, and most important. the "public" folder of a website must be set to "Allow from all" or "Require all granted" or requests for files in that folder (and subfolders) will be denied meaning webpages won't show.


RE: Delete all the index.html file "Directory access is forbidden." when using .htaccess - Balenus - 12-01-2018

(12-01-2018, 03:03 PM)dave friend Wrote: Well, first of all, "Deny from all" is deprecated in Apache v > 2.4 syntax and it should be "Require all denied".

In the .htaccess I'm using:

Code:
<IfModule authz_core_module>
    Require all denied
</IfModule>
<IfModule !authz_core_module>
    Deny from all
</IfModule>

(12-01-2018, 03:03 PM)dave friend Wrote: Second, and most important. the "public" folder of a website must be set to "Allow from all" or "Require all granted" or requests for files in that folder (and subfolders) will be denied meaning webpages won't show.

The files are not in a public folder, I'm protecting "application" and "CodeIgniter-3.1.9" inside a private folder that is protected by the .htaccess as suggested by the guide:

For the best security, both the system and any application folders should be placed above web root so that they are not directly accessible via a browser - https://www.codeigniter.com/user_guide/installation/index.html


RE: Delete all the index.html file "Directory access is forbidden." when using .htaccess - Balenus - 12-01-2018

(12-01-2018, 12:02 PM)jreklund Wrote: You asked what they where for. You can of course protect it in other ways.

Ok, thanks!
I simply wanted to make sure I was not missing something. Wink


RE: Delete all the index.html file "Directory access is forbidden." when using .htaccess - jreklund - 12-01-2018

That guide means that you should have the following folder structure.
application
system
public_html
- index.php (inside public_html)

And point your webbserver towards public_html.
Rendering .htaccess security obsolete, as a user can't access them by an URL.