Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: n0lqu on September 09, 2009, 09:05:19 PM
-
I would like to make it so a web user can't open files with a particular extension. For example, within the mysite ibay, I don't want them to be able to open/download any files ending with .dat or .csv
I believe I can do this by adding the following <Files> block to the /etc/httpd/conf/conf.d:
<Directory /home/e-smith/files/ibays/mysite/html>
<Files ~ "\.(dat|csv)$">
order allow,deny
deny from all
</Files>
AllowOverride None
order deny,allow
deny from all
allow from all
</Directory>
Is this the best way? Would it be better/easier to make it global rather than just this one ibay? Is there a way to use AddType to globally make all .dat's and .csv's non-downloadable (i.e. is there any mime type that means deny access, such as AddType /None .dat .csv?)
Finally, what's the right way to make the change to SME so it survives updates, etc.? I believe I need to make a custom template in /etc/e-smith/custom-templates/etc/httpd/conf/httpd.conf/ and rebuild the httpd.conf file with /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf, but I'm not sure what to name it or where specifically to put it so it ends up in the right place (within the <Directory> block for the correct ibay).
Thanks in advance for help and/or clarification!
-
I would like to make it so a web user can't open files with a particular extension. For example, within the mysite ibay, I don't want them to be able to open/download any files ending with .dat or .csv
I don't really understand your problem. The only reason that the 'html' directory exists is to make files available via http. If you don't want files to be made available via http - don't put them inside the html directory.
What am I missing?
-
There are valid reasons for wanting non-accessible files in the same folder as accessible files. In my case, I wrote a PHP form processing program that reads a configuration file to know what to do with the submitted data (E-Mail it, save it to a file, etc.) It's a lot easier for the web author to deal with a configuration file in the same folder as the page it goes with rather than in some other location, but I don't want potential spammers to see the details of what we are doing with the data.
-
<DirectoryMatch "/home/e-smith/files/ibays/(mysite|altsite|testsite)/html">
</DirectoryMatch>
-
Thanks! Looks like what worked for me was creating a file:
<DirectoryMatch "^/home/e-smith/files/ibays/mysite/(html|files)/.*">
<Files ~ "\.(dat|csv)$">
order allow,deny
deny from all
</Files>
</DirectoryMatch>
Saving it as /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/92DenyAccessByExtension
and doing a /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf to rebuild Apache's httpd.conf file, then /etc/init.d/httpd-e-smith restart (correction 9/14/09, replacing apachectl graceful) to tell Apache to re-read its configuration file.
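An added example, not part of the original post or of SME Server: a shell audit that lists files the \.(dat|csv)$ rule above would still let Apache serve, because the regex is case-sensitive and anchored to the end of the file name (upper-case extensions, editor backups). The looser NEAR_RE pattern, the function names and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Pattern copied from the <Files ~ "..."> block in the post above.
DENY_RE='\.(dat|csv)$'
# Assumption: "looks like protected data" means the same extensions in any
# letter case, optionally followed by a backup suffix such as .bak or ~.
NEAR_RE='\.(dat|csv)([.~][^/]*)?$'

# is_denied NAME: succeeds when NAME matches the deny rule.
# The match is case-sensitive, like the regex in the Apache block.
is_denied() {
    printf '%s\n' "$1" | grep -Eq "$DENY_RE"
}

# list_leaks DIR: print files under DIR that look like protected data
# but do not match the deny rule, so the web server would still serve them.
list_leaks() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r path; do
        name=${path##*/}
        if ! is_denied "$name" &&
           printf '%s\n' "$name" | grep -Eiq "$NEAR_RE"; then
            printf '%s\n' "$path"
        fi
    done
}

# make_sample_tree: create a constructed sample web root and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/html/forms"
    for f in index.html forms/contact.php forms/contact.dat \
             forms/export.csv forms/EXPORT.CSV \
             forms/contact.dat.bak 'forms/contact.dat~'; do
        : > "$d/html/$f"
    done
    printf '%s\n' "$d"
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ "$#" -gt 0 ]; then
    list_leaks "$1"
fi
```

Run it against the ibay's html directory; any path it prints needs either a rename or a wider deny pattern.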
-
It's a lot easier for the web author to deal with a configuration file in the same folder as the page it goes with rather than in some other location
It may be easier, but it's not good practice. Placing config files in publicly accessible locations is a huge security risk! It isn't much work for a programmer to locate config files in an alternate location.
but I don't want potential spammers to see the details of what we are doing with the data.
Which is exactly why you SHOULD NOT locate configs in publicly accessible folders.
-
then apachectl graceful to tell Apache to re-read its configuration file.
That is not the proper way to restart the webserver on SME Server, next time please use:
sv t httpd-e-smith
-
That is not the proper way to restart the webserver on SME Server, next time please use:
sv t httpd-e-smith
Thanks for the correction! Can you double-check if it's right, though? It looks like "sv t httpd-e-smith" would simply terminate apache and not restart it (t=term). Looking at http://wiki.contribs.org/Useful_Commands, it looks like there are two proper methods:
sv t httpd-e-smith
service httpd restart
and
/etc/init.d/httpd-e-smith restart
Looking at the /etc/init.d/httpd-e-smith code, it looks like the "restart" is specifically starting it back up (u=up) after terminating it:
sv t httpd-e-smith
sv u httpd-e-smith
-
n0lqu
You overlooked the fact that many services on SME Server are supervised, which means they will automatically restart if you terminate them with
sv t servicename
To stop (bring down) a supervised service
sv d servicename
To bring a service back up when it has been stopped
sv u servicename