Set Options -Indexes in httpd.conf safe enough?


Post by tun001757 » 28. April 2011 06:46

Hi all,

I am a newbie to Apache and PHP. I am now installing the XAMPP package on Windows Server 2008. After doing some research, I found that I need to set Options -Indexes in httpd.conf so that users cannot see the list of directories and files.

On my previous hosting, I had one folder for storing confidential files with permissions set to 711, which did not allow users to download the files even though they knew the exact URL (/files/resume.pdf). I think Options -Indexes is just like permission 755, which allows you to download the file if you know the exact URL. And this 755 can be set for the web directory (htdocs).

Can anyone tell me how to set one directory (where the confidential files are located) to a permission like 711 in httpd.conf? Since this time I am running in a Windows environment, I am not able to set permissions like 711, 755 or 644 easily.

Or is just setting Options -Indexes in httpd.conf safe enough?

Thanks in advance.

Tun
tun001757
 

Re: Set Options -Indexes in httpd.conf safe enough?

Post by tun001757 » 05. May 2011 10:23

Hi, can anyone answer this question?

Thanks.
tun001757
 

Re: Set Options -Indexes in httpd.conf safe enough?

Post by Nobbie » 05. May 2011 10:33

tun001757 wrote: Can anyone tell me how to set one directory (where the confidential files are located) to a permission like 711 in httpd.conf?


You cannot set file permissions in httpd.conf - these file permissions are permissions of the Operating System and Apache cannot influence the Operating System.

tun001757 wrote: Since this time I am running in a Windows environment, I am not able to set permissions like 711, 755 or 644 easily.


Right - this is additionally a problem on Windows systems, as permissions like 755 etc. are Linux-related; they don't exist under Windows. But as said before, you cannot set file permissions in httpd.conf anyway (not even on Linux systems).

tun001757 wrote: Or is just setting Options -Indexes in httpd.conf safe enough?


No, of course not. If you want to protect the files from being accessed via Apache, you have to use the Apache configuration "Allow From ..." and "Deny From ...", eventually in conjunction with "Basic Authentication" (protect directories via user ID and password).

There is one question left: if you have certain files / folders which you want to protect from outside access - why do you put these files under the htdocs (DocumentRoot) folder? If you put them somewhere else, they cannot be accessed in any way.
Nobbie
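
The directives named in this reply, side by side, as an added example that is not part of any poster's message: Apache 2.2 syntax (the `Allow`/`Deny` form used in the thread), with the directory path taken from the thread and the realm name and `AuthUserFile` path assumed for illustration. Use one variant per directory.

```apache
# Added example for httpd.conf (Apache 2.2 syntax). Keep only ONE variant.

# Variant A (weak): only the auto-generated directory listing is disabled.
# A request for the exact URL of a file in the directory is still served.
<Directory "C:/xampp/htdocs/uploads">
    Options -Indexes
</Directory>

# Variant B: refuse every HTTP request for anything under the directory.
# Scripts on the server can still read the files from disk.
# (On Apache 2.4 the equivalent is "Require all denied".)
<Directory "C:/xampp/htdocs/uploads">
    Options -Indexes
    Order deny,allow
    Deny from all
</Directory>

# Variant C: allow access only after Basic Authentication.
# The password file path and realm name are assumed; keep the password file
# outside DocumentRoot and create it with the htpasswd tool.
# Basic credentials are only base64-encoded, so serve this over HTTPS.
<Directory "C:/xampp/htdocs/uploads">
    Options -Indexes
    AuthType Basic
    AuthName "Restricted files"
    AuthUserFile "C:/xampp/security/uploads.htpasswd"
    Require valid-user
</Directory>

# Variant D: no directive at all. Store the files outside DocumentRoot
# (for example C:/xampp/uploads) so no URL maps to them, provided no
# Alias or similar mapping points at that directory.
```

After editing httpd.conf, restart Apache and request a known file URL under the directory; with variant B the server answers 403 Forbidden.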
 

Re: Set Options -Indexes in httpd.conf safe enough?

Post by Sharley » 05. May 2011 10:46

There is no advantage in changing the settings in the httpd.conf file because if the visitor knows the file name then it will be available for download - best leave the httpd.conf file as the default settings when installed.

However, you can deny file download by using a .htaccess file in the directory (folder) that contains the files you wish not to be downloaded - the .htaccess file overrides the httpd.conf file settings and suits individual site, folder and/or file settings.

Read these search results for help with enabling this feature for your particular situation.

Best wishes.
Sharley

Re: Set Options -Indexes in httpd.conf safe enough?

Post by tun001757 » 06. May 2011 05:12

Hi Sharley,

Your reply is very useful to me. It is hard for me to create a .htaccess file.

So I simply put my confidential file under C:\xampp\uploads instead of C:\xampp\htdocs\uploads. Am I right to say it is 100% safe?

Regards,

Tun
tun001757
 

Re: Set Options -Indexes in httpd.conf safe enough?

Post by Altrea » 06. May 2011 12:59

Nothing is 100% secure.
But all sources saved in a directory above your DocumentRoot can't be requested directly through the HTTP protocol.
So they are much much more secure than files inside your DocumentRoot or any unsecured subfolder of that.
Altrea