I am new to Laravel4, I was trying to run laravel4 on a shared hosting.Since I dont have root access, to avoid public in my url. I have moved all the contents in the public directory to "public_html" folder.
Then I changed the locations in respective files. But when I visited url "abc.com/myapp/app", it lists all the folders and files under app directory. Since it exposes the project files, I was looking to avoid the same.
In CodeIgniter if we try to access folders like this it gives message
"Directory access is forbidden."
Edit:
I have added
Options All FollowSymLinks MultiViews -Indexes
in a .htaccess file in the app folder as per suggested by #valey viktorovsky
There are multiple methods...
The easy one:
If you have access to .htaccess file and you can modify it, place this little code
Options -Indexes
Annoying one
If you cannot create/modify .htaccess file, create index.html file inside each folder you would like to protect
Related
So My issue is as follows. My users can upload files and profile images into the app, Right clicking a profile image and opening in a new tab shows the image (which I want)
https:/my-app.com/storage/profile-photos/sad65f87as5f.png
If I remove the filename part of the url then I get forbidden which I also want
https:/my-app.com/storage/profile-photos
If I then however remove profile-photos from the url it lists all the folders in my storage directory. How do i make this forbidden?
https:/my-app.com/storage
In addition I have an uploads folder in the storage directory and this and all its contents are publicly available.
I'm using apache php8.1 and laravel9 in this project. It is also a production environment.
*** Solution ***
As alluded to in the comments below by DadoH, i needed to add code to stop indexing to the .htaccess file.
Adding to storage folder didn't work but adding the Options -Indexes line to the top of the .htaccess in the public folder did.
You can disable browsing of a folder when there is no index, if you add Options -Indexes into your .htaccess in your storage folder.
Currently I've put my laravel site online (just for testing). But when I go to for example www.mysite.nl/.env it shows my password etc. for my database. How can I prevent this?
It should be mentioned that use of .env files is intended to be for development only, not production.
Once you're ready to take the site live, the values that you put in the .env file should be moved to the server environment variables.
This should be more secure for two reasons:
The problem you've discovered, that the .env file is accessible, will no longer apply, since there will be no more .env file. Plus, this won't require any server configuration changes (.htaccess files or similar) to restrict access to the .env file.
Server environment variables will not be accessible to anyone without shell access to the server.
Also keep in mind that .env file should not be reachable by users. Only the public/ folder content must be reachable. Set your server configuration to do it ( not always possible though ).
Otherwise, for your production environment you can simply ommit the .env file and define all the settings directly in app/config/
Some hosters also provide their servers with Forge.
Remember to always put your .env file into the .gitignore file if you are using it.
Have a nice day
Removing .env alone doesn't guarantee that your code is safe. As the only reason why this happen is that you ignore the default recommended structure which is to only give access for the web server to public directory.
Now, let say you removed the .env file. Are you sure that:
Nobody can access storage/logs/laravel.log (or daily rotating log file).
Are you sure you're cache and session data is safe, if you're using file based driver.
Are you sure nobody can peek at your compiled blade view under storage/framework/views.
Don't ever skip and compromise security to solve your webhosting limitation.
To hide .env on apache server add this below code in top of your htaccess file. this will also hide directory list view and will hide gitignore webpack config and more. hope that helps
# Disable Directory listing
Options -Indexes
# block files which needs to be hidden, specify .example extension of the file
<Files ~ "\.(env|json|config.js|md|gitignore|gitattributes|lock)$">
Order allow,deny
Deny from all
</Files>
# in here specify full file name sperator '|'
<Files ~ "(artisan)$">
Order allow,deny
Deny from all
</Files>
Be careful, the accepted answer skips over an important detail. Even if the .env file is removed, the directory that it resides in should not be accessible in the first place.
Instead of attempting to deny access to a list of files or folders as some people suggest, the web server's Document Root should be set to the /public folder in a Laravel application. All requests will then be mapped safely starting from /public, which means that the source files of your application are not accessible from the web unless you explicitly give access to them.
Why is there an index.html file in almost every folder in Joomla? What folders do not contain an index.html file and why?
The blank index.html file in each folder is to prevent directory browsing via web address.
On a poorly configured web server someone could see all the files contained in a folder by simply browsing to the path, such as www.yoursite.com/images/, this could be a potential security problem on servers without directory browsing (indexing) turned off.
Having the blank index.html file returns a blank white screen to the browser rather than displaying the contents of the folder.
The index.html file isn't necessary, it's in the folders as a layer of security. It is there to keep prying eyes from being able to see a directory structure, if there was no index.html file and someone randomly went to http://yoursite.com/scripts/js/ (for example), they could potentially see a listing of all files in that directory. Instead, with the index.html file in place they see a blank landing page:
<html><body bgcolor=" #FFFFFF" ></body></html>
Another approach (for apache servers) is to add this line to the .htaccess file placed at the root directorty of the website:
Options -Indexes
It prevents directory browsing for the whole website.
My current hosting company cannot allow me to place any content above the server root. So i have no way to protect those config.php files from those evil people. I know a way to stop them being accessed by browsers (fake 404 messages) but it's very easy to get pass that.
do you guys know any other way to protect files from users but allow php scripts to access them?
If your hoster allows the use of .htaccess files you could add a file called .htaccess into the desired directory with the content:
deny from all
So nobody can acces the files in this directory (but your php interpreter should still be able to).
You could give a custom extension those files and then protect them with an .htaccess file denying access to them. Something like the following:
<Files config.php>
Order allow,deny
deny from all
</Files>
If you're using a config.php, just set some variable in your main script like "$include_config" and then check for it in your config file itself. If the variable is not there, use die(); and nothing at all will be output by config.php
I recently migrated my magento website to a different server, and here's the process I used:
made a dump of the database.
copied all the system files from the FTP to my hard drive.
emptied the VAR folder
emptied the media cache folders
replaced the strings in the SQL dump from http://www.oldsite.com to http://www.newsite.com
restored the database on the new server
modified the local.xml file to suit the new database host, login and password.
uploaded the system files to the new server
Everything seems to work fine, except for the fact that the product images are not being displayed on the frontend for some reason.
For example, here's a path from an image that was supposed to be showing, which I got through firebug:
http://www.newsite.com/media/catalog/product/cache/1/small_image/113x113/9df78eab33525d08d6e5fb8d27136e95/1/_/1_9.jpg
When I search for the path of the image the site is supposed to show in the FTP, the file is actually there. I can download it and display it on my computer. I don't know why this is happening. It doesn't make any sense to me.
This /media/catalog/product/cache/ was generated by the system, because I erased it myself before uploading the site, so I guess it isn't a cache related issue.
Well, I described the issue the best I could. I hope you can help me out.
EDIT:
Hmm, it turns out the problem was the .htaccess file inside the media folder! Removed the file -> Problem solved!
Just in case anyone else has the same problem, removing the .htaccess in the media folder did the trick. I don't know if that's the best possible solution though! Thanks!
Change Options All -Indexes to Options -Indexes in the above mentioned .htaccess file.
copied all the system files from the FTP to my hard drive.
This one makes me a bit suspecting. Magento has case-sensitive folders in the media folder. There would be, for instance, an 'a' folder and an 'A' folder in the same location.
If you downloaded your files unarchived (file by file) via FTP to a Windows machine, this would cause a conflict and would omit up to half your images.
Ok, since everything checked out with the base URL, my next suggestion is a migration path option if you have cPanel on the old server, and since most do, this should help:
Create a full backup of the account using cPanel. This will create a tar.gz of the entire account.
Download the tarred backup to your computer and unzip.
Find home_dir.tar - this is what contains your HTML root information. You can either upload this directly to the server and untar there using SSH, or do it on your local computer and upload.
Find the SQL folder in the untarred backup. There should be a dump of your database there. Use source to put that information into a new database.
On the server, delete use_cache.ser and change config information for the new database.
Your .htaccess should have come over in the home_dir.tar, but make sure that it's correct per our other question
Once that's done, you should be fully functional, unless you need to make changes in the database base_url for the new server.
Images not showing in Magento 1.7 to 1.9 upgrade:
My solution:
in /media/.htaccess
fixed options syntax:
# Options ExecCGI Includes IncludesNOEXEC SymLinksIfOwnerMatch -Indexes
Options +ExecCGI +Includes +IncludesNOEXEC +SymLinksIfOwnerMatch -Indexes
removed these. Maybe conflict with .htaccess in site root directory??
# For security reasons, Option followsymlinks cannot be overridden.
# Options +FollowSymLinks
# Options +SymLinksIfOwnerMatch
# RewriteEngie on
also changed ownership of .htaccess to apache
chown apache:apache /var/www/mystore/media/.htaccess
Would like opinion of why these may be causing 500 errors.
php bin/magento catalog:images:resize
This helped me, but it take's a lot of time to complete
for magento 2.4.5
in pub//media/.htaccess
change „FollowSymLinks“ to „SymLinksIfOwnerMatch“. example:
############################################
enable rewrites
Options +SymLinksIfOwnerMatch
RewriteEngine on
## you can put here your pub/media folder path relative to web root
#RewriteBase /magento/pub/media/
############################################