Re: Restrict access to folders (Apache Users)

On Mar 19, 2007, at 11:43 AM, Zembower, Kevin wrote:

Maybe I'm missing something here, but …

If neither PersonalSite nor ProfessionalSite contain any links to the other, and if they both contain an ‘index.html’ file to suppress automatic index generation, then users won’t be able to browse from one site to the other.

Am I missing something?

-Kevin

If I read the question right, what you are missing is what happens if someone currently at www.myDomainName.com/PersonalSite decides to delete the /PersonalSite part of the URL, leaving them at www.myDomainName.com/ At that point (given no index.html file at root level and indexing enabled) they would be able to see both the PersonalSite and the ProfessionalSite directories, and navigate to either one. This also assumes that the physical directory structure of the site is set up with a root level folder containing both the PersonalSite folder and ProfessionalSite folder. As this is a lot of assumptions, I suspect that one or more would not hold up for any given site (for example, I would think most sites would have an index.html at root), and as such, there may not be an issue. However, if I am wrong, and assuming my understanding of the issue is correct, then I see a number of possibilities to restrict this behavior:

1) Place an index.html file at the root level of the server that does not contain links to ProfessionalSite and/or PersonalSite

2) Restrict access to the root level entirely using a Deny from ALL directive, which is then over-ridden in your ProfesionalSite and PersonalSite directories using an Allow from ALL directive (I think that would work)

3) Place your PersonalSite and ProfesionalSite directories outside of the webserver root directory, and use Alias directives to point /PersonalSite and /ProfessionalSite to them. That way even if you can list the root level directory, neither site will show up

Those, at least, are what I can think of off the top of my head. There may be other/better options, depending on your site layout, requirements, and other stuff about Apache I don't know.

-----------------------------------------------

Israel Brewster

Computer Support Technician

Frontier Flying Service Inc.

5245 Airport Industrial Rd

Fairbanks, AK 99709

(907) 450-7250 x293

-----------------------------------------------

From: nat.colley@xxxxxxxxx [mailto:nat.colley@xxxxxxxxx]
Sent: Monday, March 19, 2007 1:55 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Restrict access to folders

Hey Bruce, I'm a newbie and I'm interested in this question, too, so thanks for asking.
----- Original Message ----
From: Bruce Hyatt <bjhyatt@xxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Monday, March 19, 2007 12:42:37 PM
Subject: Restrict access to folders
Sorry, this is probably a tired newbie question. I've read the httpd.conf file and browsed the archives but haven't found what I'm looking for. If you could just point me in the right direction I'd be really happy.

I want to set up something similar to virtual hosts but I only have one domain name.

What I have in mind and I believe I've seen before is:

www.myDomainName.com/PersonalSite
www.myDomainName.com/ProfessionalSite

set up so that people can't navigate up to the root, see the other site and navigate to it. I don't want to have to restrict the individual sites to password access.

TIA,
Bruce

_______________________________________________
No banners. No pop-ups. No kidding.
Make My Way your home on the Web - http://www.myway.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

We won't tell. Get more on shows you hate to love
(and love to hate): Yahoo! TV's Guilty Pleasures list.