Login

Balenus · 11-30-2018, 01:26 PM

Hello,

I have got a simple question.

After installation I saw CodeIgniter puts in each folder an index.html file with the following content:

Code:
<!DOCTYPE html>

<html>

<head>

 <title>403 Forbidden</title>

</head>

<body>

<p>Directory access is forbidden.</p>

</body>

</html>

Can I delete these files?

I am already using .htaccess in top folder to make all directories tree completely forbidden to anyone (i.e. "Deny from all")

dave friend · 11-30-2018, 08:24 PM

They protect against an imperfect server setup that could allow someone to obtain a list of files in the directory. These are tiny files so it's a very small price to pay for a little extra just in case insurance.

Balenus · 12-01-2018, 06:50 AM

(11-30-2018, 08:24 PM)dave friend Wrote: They protect against an imperfect server setup that could allow someone to obtain a list of files in the directory. These are tiny files so it's a very small price to pay for a little extra just in case insurance.

Thanks, could you explain a bit more.

I mean how do they protect? Huh

If I have an .htaccess file with "Deny from all" these index.html files seem useless to me.

If I don't have an .htaccess file or it's misconfigured, these index.html files won't be a big protection.

***jreklund*** · 12-01-2018, 09:20 AM

They protect from a miss configured sever. If you open an folder without a index.html file, it will display the content instead.

Like this:
http://mirror.imt-systems.com/centos/7/

Balenus · 12-01-2018, 10:00 AM

(12-01-2018, 09:20 AM)jreklund Wrote: They protect from a miss configured sever. If you open an folder without a index.html file, it will display the content instead.

Like this:
http://mirror.imt-systems.com/centos/7/

It won't show the content if you have an .htaccess "Deny from all" in the folder or in the parent folder.

***jreklund*** · 12-01-2018, 12:02 PM

You asked what they where for. You can of course protect it in other ways.

dave friend · 12-01-2018, 03:03 PM

(12-01-2018, 10:00 AM)Balenus Wrote: It won't show the content if you have an .htaccess "Deny from all" in the folder or in the parent folder.

Well, first of all, "Deny from all" is deprecated in Apache v > 2.4 syntax and it should be "Require all denied".

Second, and most important. the "public" folder of a website must be set to "Allow from all" or "Require all granted" or requests for files in that folder (and subfolders) will be denied meaning webpages won't show.

Balenus · 12-01-2018, 03:57 PM

(12-01-2018, 03:03 PM)dave friend Wrote: Well, first of all, "Deny from all" is deprecated in Apache v > 2.4 syntax and it should be "Require all denied".

In the .htaccess I'm using:

Code:
<IfModule authz_core_module>

    Require all denied

</IfModule>

<IfModule !authz_core_module>

    Deny from all

</IfModule>

(12-01-2018, 03:03 PM)dave friend Wrote: Second, and most important. the "public" folder of a website must be set to "Allow from all" or "Require all granted" or requests for files in that folder (and subfolders) will be denied meaning webpages won't show.

The files are not in a public folder, I'm protecting "application" and "CodeIgniter-3.1.9" inside a private folder that is protected by the .htaccess as suggested by the guide:

For the best security, both the system and any application folders should be placed above web root so that they are not directly accessible via a browser - https://www.codeigniter.com/user_guide/i...index.html

Balenus · 12-01-2018, 03:58 PM

(12-01-2018, 12:02 PM)jreklund Wrote: You asked what they where for. You can of course protect it in other ways.

Ok, thanks!
I simply wanted to make sure I was not missing something. Wink

***jreklund*** · 12-01-2018, 04:15 PM

That guide means that you should have the following folder structure.
application
system
public_html
- index.php (inside public_html)

And point your webbserver towards public_html.
Rendering .htaccess security obsolete, as a user can't access them by an URL.