14 replies to this topic

[alrazy1]

hello , how to enable apache webserver to access a folder found outside of the webroot in my case i have a xampp windows installation as a testing server in my machine, for example my php/html/jquery website is found in c:\xampp\htdocs and i want to force my website visitors to upload there files to an external folder outside of the /htdocs/ web root for example in c:\xampp\uploaded_files , now you are asking why i am doing that ? i am doing that because according to some tutorial they say its the best way to protect my website against hackers trying to inject/upload executable files like mainly php files....,that way even though a hacker succeeded to upload such bad files he cant access this folder because it is outside the web scope...
now i have another question please do i have to take additional measures to protect that external folder maybe by installing a .htaccess file and restrict the access only to the apache webserver but not to the website visitors ?

i am confused in how to do that correctly... !!
i tried some tutorials by editing the C:\xampp\apache\conf\httpd.conf
and i changed the directory configuration like that and that didnt worked either....:
i changed this :

#<Directory />
#    Options FollowSymLinks
#    AllowOverride None
#    Order deny,allow
#    Deny from all
#</Directory>

with this :

<Directory /> 
 Options FollowSymLinks
 AllowOverride All
 Order deny,allow
 Allow from all 
</Directory>

and i tried to implement the upload to the xampp:\uploaded_files and that didnt worked.

please tell me what i am doing wrong ?

Edited by Jaan, 06 March 2010 - 05:26 AM.
Please use code tags when you are posting your codes!

[BlaineSch]

Wrong category

I believe the .htaccess files can only do stuff with things inside it's current directory or sub directories.

[Orjan]

But this wasn't about .htaccess, it was about httpd.conf, the config file where this is to be changed. Unfortunately, I'm not good enough on them...

But I think you can create an alias...
this is snipped from xampp conf file, so it should give a hint...

<IfModule alias_module>

    Alias /phpmyadmin "C:/xampp/phpMyAdmin/"

    <Directory "C:/xampp/phpMyAdmin">

        AllowOverride AuthConfig

    </Directory>

</IfModule>

[alrazy1]

hi thank you for the help , but that didnt solved my problem i dont know why... i have added this to the httpd.conf file :

<IfModule alias_module>
    Alias /uploaded_files "c:\xampp\uploaded_files\"
    <Directory "c:\xampp\uploaded_files">
        AllowOverride AuthConfig
    </Directory>
</IfModule>

maybe somthing else causing my code not to work properly... ?
do you know a simple way to check if my alias /uploaded_files is working 100% ?
i tried to browse to http://localhost/uploaded_files
but that error what i got :
---------------------------------------------------------------------------------

Quote

Object not found!
The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.

If you think this is a server error, please contact the webmaster.

Error 404
localhost
02/03/2010 23:09:15
Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

---------------------------------------------------------------------------------
Please help !!?:confused:

Edited by Jaan, 06 March 2010 - 05:27 AM.
Please use code tags when you are posting your codes!

[Orjan]

Have you restarted your apache server after the change of your httpd.conf? that is needed at starters. after that, do you have an index.html or index.php to show as default in that directory?

[alrazy1]

yes i have restarted apache webserver after i changed the httpd.conf , yes i created a very simple html index file and i installed it in the c:\xampp\uploaded_files, the problem isnt resolved yet unfortunately....thank you...

[alrazy1]

please help this thread isnt resolved yet !!!
thanks

[mmo-dev]

alrazy1 said:

hi thank you for the help , but that didnt solved my problem i dont know why... i have added this to the httpd.conf file :

<IfModule alias_module>
    Alias /uploaded_files "c:\xampp\uploaded_files\"
    <Directory "c:\xampp\uploaded_files">
        AllowOverride AuthConfig
    </Directory>
</IfModule>

maybe somthing else causing my code not to work properly... ?
do you know a simple way to check if my alias /uploaded_files is working 100% ?
i tried to browse to http://localhost/uploaded_files
but that error what i got :
---------------------------------------------------------------------------------

---------------------------------------------------------------------------------
Please help !!?:confused:

hmmm seems u got something backwards kiddo

<IfModule alias_module>
Alias /uploaded_files "c:/xampp/uploaded_files/"
<Directory "c:/xampp/uploaded_files">
AllowOverride AuthConfig
</Directory>
</IfModule>

hmm ok try that now and see if it works for u :) and u might wanna use a .htaccess file to make it so ur clients have 2 use a password to access the contents in that folder ^^

[alrazy1]

hi , thnk you , your suggestion is ok but i have maybe a better idea... :
<Directory "c:/xampp/uploaded_files">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

i appended this to the end of the httpd.conf and it worked...
i think this method is better because there is no web link or alias name , and nobody from the web can access this internal directory because its outside of the web root and maybe also i can password protect it by using some .htaccess file.....

please advice me if its a wrong approach , and why ?
i think that way only my php scripts can access this directory .. please advice if i am write or wrong about that ?
do you have a better way to protect data from hackers eyes?

[alrazy1]

hello again , i tried all the above in my xampp testing server /winxp and didnt worked i dont know why ?!!!
please help.

Quote

problem not resolved yet , please somebody help !

[alrazy1]

hello , problem resolved , i discovered that accessing files/directories outside of the webroot by php scripts has nothing to do with apache configurations like the file httpd.conf or .htaccess file, php that come with xampp testing server is configured already to access any file or directory from any where in the available root directories in the testing server machine.
apache configurations can limit the access of the public web visitors to certain directories in the webroot by demanding some passwords or prevent access at all to some directories inside the webroot and also it can permit the use of a directory outside the webroot also but it have nothing to do with the php.

please let me know your opinion on my conclusion about this issue....

Edited by Vswe, 12 March 2010 - 09:16 AM.
Don't double post, edit the first one instead.

[alrazy1]

Problem resolves !!! yes
httpd.conf this apatche configuration file has nothing to do with file access permissions for php scripts its only a web server config file not script config file......
for example you can restrict/allow access of the web visitors/surfers to a directory outside of the webroot or inside of it....
XAMPP php scripts can access any file in the computer it is installed on so you can reference any file or directory from your own script i think....
please correct me if i am wrong pro. guy's ..thanks.