Koozali.org: home of the SME Server

Blocking particular file extensions from ibay web server

n0lqu
« on: September 09, 2009, 09:05:19 PM »
I would like to make it so a web user can't open files with a particular extension.  For example, within the mysite ibay, I don't want them to be able to open/download any files ending with .dat or .csv

I believe I can do this by adding the following <Files> block to the /etc/httpd/conf/conf.d:


<Directory /home/e-smith/files/ibays/mysite/html>
    <Files ~ "\.(dat|csv)$">
      order allow,deny
      deny from all
    </Files>

    AllowOverride None
    order deny,allow
    deny from all
    allow from all
</Directory>


Is this the best way?  Would it be better/easier to make it global rather than just this one ibay?  Is there a way to use AddType to globally make all .dat's and .csv's non-downloadable (i.e. is there any mime type that means deny access, such as AddType /None .dat .csv?)

Finally, what's the right way to make the change to SME so it survives updates, etc.  I believe I need to make a custom template in /etc/e-smith/custom-templates/etc/httpd/conf/httpd.conf/ and rebuild the httpd.conf file with /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf , but I'm not sure what to name it or where specifically to put it so it ends up in the right place (within the <Directory> block for the correct ibay).

Thanks in advance for help and/or clarification!
« Last Edit: September 09, 2009, 09:07:31 PM by n0lqu »

CharlieBrady
« Reply #1 on: September 10, 2009, 03:56:05 AM »
> I would like to make it so a web user can't open files with a particular extension.  For example, within the mysite ibay, I don't want them to be able to open/download any files ending with .dat or .csv

I don't really understand your problem. The only reason that the 'html' directory exists is to make files available via http. If you don't want files to be made available via http - don't put them inside the html directory.

What am I missing?

n0lqu
« Reply #2 on: September 10, 2009, 03:25:00 PM »
There are valid reasons for wanting non-accessible files in the same folder as accessible files.  In my case, I wrote a PHP form processing program that reads a configuration file to know what to do with the submitted data (E-Mail it, save it to a file, etc.)  It's a lot easier for the web author to deal with a configuration file in the same folder as the page it goes with rather than in some other location, but I don't want potential spammers to see the details of what we are doing with the data.

piran
« Reply #3 on: September 11, 2009, 12:21:01 AM »
<DirectoryMatch "/home/e-smith/files/ibays/(mysite|altsite|testsite)/html">
</DirectoryMatch>

n0lqu
« Reply #4 on: September 11, 2009, 05:09:37 PM »
Thanks! Looks like what worked for me was creating a file:
Code:
<DirectoryMatch "^/home/e-smith/files/ibays/mysite/(html|files)/.*">
    <Files ~ "\.(dat|csv)$">
      order allow,deny
      deny from all
    </Files>
</DirectoryMatch>
Saving it as /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/92DenyAccessByExtension
and doing a /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf to rebuild Apache's httpd.conf file, then /etc/init.d/httpd-e-smith restart (correction 9/14/09; originally apachectl graceful) to tell Apache to re-read its configuration file.
« Last Edit: September 14, 2009, 04:36:02 PM by n0lqu »
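
A coverage check for the `<Files ~ "\.(dat|csv)$">` pattern in the post above, as an added example that is not part of the thread: it walks a directory tree and separates the files the rule denies from similarly named ones it does not match, since the pattern is case-sensitive and anchored at the end of the file name. The `LOOKS_SENSITIVE` pattern, the function names and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Same expression as in the <Files ~ "..."> block above. Assumption: for a
# pattern this simple, Python's re behaves like Apache's regex engine.
DENY_RULE = re.compile(r"\.(dat|csv)$")

# Hypothetical, looser pattern: the same extensions in any case, optionally
# followed by a backup or editor suffix (".bak", "~", ...).
LOOKS_SENSITIVE = re.compile(r"\.(dat|csv)([.~].*)?$", re.IGNORECASE)


def audit(root):
    """Return (denied, not_covered) lists of paths relative to root."""
    denied, not_covered = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if DENY_RULE.search(name):        # <Files> tests the file name only
                denied.append(rel)
            elif LOOKS_SENSITIVE.search(name):
                not_covered.append(rel)       # rule does not apply to this file
    return sorted(denied), sorted(not_covered)


def build_sample_tree(root):
    """Create a constructed sample ibay layout (not taken from the thread)."""
    names = ["index.html", "form.php", "form.dat", "results.csv",
             "survey.DAT", "results.csv.bak", "form.dat~", "sub/old.Csv"]
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        denied, not_covered = audit(tmp)
        print("denied by rule:", denied)
        print("not covered   :", not_covered)
```

Pointing `audit()` at the ibay's html directory lists the names that would need either a broader pattern or a move out of the web-served directories.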

dgs
« Reply #5 on: September 13, 2009, 01:16:42 AM »
> It's a lot easier for the web author to deal with a configuration file in the same folder as the page it goes with rather than in some other location

It may be easier, but it's not good practice. Placing config files in publicly accessible locations is a huge security risk!  It isn't much work for a programmer to locate config files in an alternate location.

> but I don't want potential spammers to see the details of what we are doing with the data.

Which is exactly why you SHOULD NOT locate configs in publicly accessible folders.

cactus
« Reply #6 on: September 13, 2009, 11:45:15 AM »
> then apachectl graceful to tell Apache to re-read its configuration file.
That is not the proper way to restart the webserver on SME Server, next time please use:
Code:
sv t httpd-e-smith

n0lqu
« Reply #7 on: September 14, 2009, 04:33:46 PM »
> That is not the proper way to restart the webserver on SME Server, next time please use:
> Code:
> sv t httpd-e-smith

Thanks for the correction!  Can you double-check if it's right, though?  It looks like "sv t httpd-e-smith" would simply terminate apache and not restart it (t=term).  Looking at http://wiki.contribs.org/Useful_Commands, it looks like there are two proper methods:
Code:
sv t httpd-e-smith
service httpd restart
and
Code:
/etc/init.d/httpd-e-smith restart
Looking at the /etc/init.d/httpd-e-smith code, it looks like the "restart" is specifically starting it back up (u=up) after terminating it:
Code:
sv t httpd-e-smith
sv u httpd-e-smith

janet
« Reply #8 on: September 14, 2009, 04:58:21 PM »
n0lqu

You overlooked the fact that many services on sme server are supervised, which means they will automatically restart if you terminate them with
sv t servicename

To stop (bring down) a supervised service
sv d servicename

To bring a service back up when it has been stopped
sv u servicename