Delete all the index.html file "Directory access is forbidden." when using .htaccess
#11

(12-01-2018, 03:57 PM)Balenus Wrote: The files are not in a public folder, I'm protecting "application" and "CodeIgniter-3.1.9" inside a private folder that is protected by the .htaccess as suggested by the guide:

For the best security, both the system and any application folders should be placed above web root so that they are not directly accessible via a browser - https://www.codeigniter.com/user_guide/i...index.html

This comment of yours early on had me concerned and thinking you might not fully understand.
(11-30-2018, 01:26 PM)Balenus Wrote: I am already using .htaccess in top folder to make all directories tree completely forbidden to anyone (i.e. "Deny from all")

To me "top folder" implied the "public" folder.
#12

(This post was last modified: 12-02-2018, 08:25 AM by Balenus.)

(12-02-2018, 08:05 AM)dave friend Wrote: To me "top folder" implied the "public" folder.

No, my structure is this one

Code:
index.php
--private
   --application
   --CodeIgniter-3.1.9
   .htaccess (to protect the entire "private" folder tree)
--public
  js / .css / img, etc. (all the static files are in the public folder)

Where -- means a folder

I'm sorry, I should have written this down in the OP.
#13

(12-01-2018, 10:00 AM)Balenus Wrote:
(12-01-2018, 09:20 AM)jreklund Wrote: They protect from a misconfigured server. If you open a folder without an index.html file, it will display the content instead.

Like this:
http://mirror.imt-systems.com/centos/7/

It won't show the content if you have an .htaccess "Deny from all" in the folder or in the parent folder.


True until:
  • Someone accidentally (or ignorantly) changes the server and removes mod_authz_core. OR
  • mod_authz_core gets corrupted and fails to load during one of Apache's periodic restarts. OR
  • Someone thinks that "those files that start with a dot don't do anything" and can be deleted.

Do not scoff at these examples; I have seen and had to fix all of them. You may know what you're doing but the next guy might not.
#14

(12-02-2018, 08:23 AM)dave friend Wrote:
(12-01-2018, 10:00 AM)Balenus Wrote:
(12-01-2018, 09:20 AM)jreklund Wrote: They protect from a misconfigured server. If you open a folder without an index.html file, it will display the content instead.

Like this:
http://mirror.imt-systems.com/centos/7/

It won't show the content if you have an .htaccess "Deny from all" in the folder or in the parent folder.


True until:
  • Someone accidentally (or ignorantly) changes the server and removes mod_authz_core. OR
  • mod_authz_core gets corrupted and fails to load during one of Apache's periodic restarts. OR
  • Someone thinks that "those files that start with a dot don't do anything" and can be deleted.

Do not scoff at these examples; I have seen and had to fix all of them. You may know what you're doing but the next guy might not.

Far be it from me to scoff at a user who is donating some of his time to reply to my OP. ;)

True that when mod_authz_core is removed or fails the index.html files can give some protection.
#15

As long as we're talking about .htaccess, you all might find these two articles interesting

Don't Use .htaccess Unless You Must
Stop using .htaccess files! No, really.
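An added example, not part of the thread and not CodeIgniter code: a Python audit that reports, for each directory, which of the two layers discussed above it has (a deny-all .htaccess here or in a parent folder, and an index.html placeholder). The sample tree is constructed from the layout in post #12; the function names are hypothetical, and the check only reads files on disk, so it assumes Apache is actually honoring .htaccess files.

```python
import os
import re
import tempfile

# Deny-everything directives in Apache 2.2 and 2.4 syntax; commented-out lines do not match.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)

def denies_all(htaccess_path):
    """True if the file contains an active deny-everything directive."""
    try:
        with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
            return bool(DENY_RE.search(fh.read()))
    except OSError:
        return False

def audit(root):
    """Map each directory (relative to root) to the set of layers protecting it."""
    report, covered = {}, {}
    for dirpath, _dirnames, filenames in os.walk(root):  # top-down: parents first
        inherited = covered.get(os.path.dirname(dirpath), False)
        own = ".htaccess" in filenames and denies_all(os.path.join(dirpath, ".htaccess"))
        covered[dirpath] = inherited or own
        layers = set()
        if covered[dirpath]:
            layers.add("htaccess")
        if "index.html" in filenames:
            layers.add("index.html")
        report[os.path.relpath(dirpath, root)] = layers
    return report

def htaccess_only(report):
    """Directories with no index.html fallback if the .htaccess layer stops applying."""
    return sorted(d for d, layers in report.items() if layers == {"htaccess"})

def build_sample(base):
    """Constructed tree modelled on the layout posted in the thread."""
    for d in ("private/application/config", "private/CodeIgniter-3.1.9", "public/js"):
        os.makedirs(os.path.join(base, d))
    with open(os.path.join(base, "private", ".htaccess"), "w") as fh:
        fh.write("Deny from all\n")
    with open(os.path.join(base, "private", "application", "index.html"), "w") as fh:
        fh.write("<p>Directory access is forbidden.</p>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, layers in sorted(audit(tmp).items()):
            print(f"{rel:40} {', '.join(sorted(layers)) or 'no layer'}")
```

A directory listed by `htaccess_only` is one where deleting the placeholder files leaves the .htaccess rule as the only barrier.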



