Set Options -Indexes in httpd.conf safe enought?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Set Options -Indexes in httpd.conf safe enought?

Postby tun001757 » 28. April 2011 06:46

Hi all,

I am newbies in apache and php. Now I installing xampp package in Window server 2008. After I did research I need to set Options -Indexes in httpd.conf in order not to allow user see the list of directories and files.

In previous hosting, I have one folder where storing confidential files with permission set to 711, it not allow user to download the files even thought they know the exact URL (/files/resume.pdf). I think Options -Indexes is just like permission 755 which allow you to download the file if you know the exact URL. And this 755 can set for web directory (htdocs)

Can anyone tell me how to set one directory (confidential files located) to permission like 711 in httpd.conf? Since this time I am running in Window environment, I am not able to set permission like 711, 755 or 644 easily.

Or just set Options -Indexes in httpd.conf safe enought?

Thank advance.

Tun
tun001757
 
Posts: 5
Joined: 28. April 2011 06:34

Re: Set Options -Indexes in httpd.conf safe enought?

Postby tun001757 » 05. May 2011 10:23

Hi, Anyone can answer this question?

Thank.
tun001757
 
Posts: 5
Joined: 28. April 2011 06:34

Re: Set Options -Indexes in httpd.conf safe enought?

Postby Nobbie » 05. May 2011 10:33

tun001757 wrote:Can anyone tell me how to set one directory (confidential files located) to permission like 711 in httpd.conf?


You cannot set file permissions in httpd.conf - these file permissions are permissions of the Operating System and Apache cannot influence the Operating System.

tun001757 wrote:Since this time I am running in Window environment, I am not able to set permission like 711, 755 or 644 easily.


Right - this is additionally a problem for Windows System, as permissions like 755 etc. are linux related, they dont exist under Windows. But as said before, you cannot set file permissions in httpd.conf anyway (even not on Linux systems).

tun001757 wrote:Or just set Options -Indexes in httpd.conf safe enought?


No, of course not. If you want to protect the files from being accessed via Apache, you have to use the Apache Configuration "Allow From ..." and "Deny From ....", eventually in conjunction with "Basic Authentication" (protect directorys via userid and password).

There is one question left: if you have certain files / folders, which you want to protect from outer access - why do you put these files under the htdocs (DocumentRoot) folder? If you put them somewhere else, they cannot be accessed in any way.
Nobbie
 
Posts: 8779
Joined: 09. March 2008 13:04

Re: Set Options -Indexes in httpd.conf safe enought?

Postby Sharley » 05. May 2011 10:46

There is no advantage in changing the settings in the httpd.conf file because if the visitor knows the file name then it will be available for download - best leave the httpd.conf file as the default settings when installed.

However you can deny file download by using a .htaccess file in the directory (folder) that contains the files you wish not to be downloaded - the .htaccess file overrides the httpd.conf file settings and suits individual site, folder and or file settings.

Read these search results for help with enabling this feature for your particular situation.

Best wishes.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Set Options -Indexes in httpd.conf safe enought?

Postby tun001757 » 06. May 2011 05:12

Hi Sharley,

Your reply is very useful to me. It is hard for me to create .htaccess file.

So i simply put my confidential file under C:\\xampp\uploads.

instead of C:\\xampp\htdocs\uploads. Am I right to say it is 100% safe?

Regards,

Tun
tun001757
 
Posts: 5
Joined: 28. April 2011 06:34

Re: Set Options -Indexes in httpd.conf safe enought?

Postby Altrea » 06. May 2011 12:59

Nothing is 100% secure.
But all sources saved in a directory above your DocumentRoot can't be requested directly through the HTTP protocol.
So they are much much more secure than files inside your DocumentRoot or any unsecured subfolder of that.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8298
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 21 guests