Hi friends,
I have configured a HelpDesk Ticketing System on CentOS 4.4. The problem I am facing is that there is a file called "site.xml" which contains the information about database connections, and I don't want people to be able to read that file through a browser. As per the readme.htm of that software, if the entries below are put in .htaccess then nobody can read the XML through a browser.

<Files ~ ".xml">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Even though the above entries are in .htaccess, I am still able to read the "site.xml" file. How do I prevent the reading of this file?
HelpDesk Ticketing Software is under /var/www/html/request and .htaccess is also under /var/www/html/request.
Please let me know if you need any further information.
Thanks & Regards
Ankush Grover
On 2/10/07, ankush grover ankushcentos@gmail.com wrote:
I have configured a HelpDesk Ticketing System on CentOS 4.4. The problem I am facing is that there is a file called "site.xml" which contains the information about database connections, and I don't want people to be able to read that file through a browser. As per the readme.htm of that software, if the entries below are put in .htaccess then nobody can read the XML through a browser.
I am not an apache wiz but have you tried excluding just that file - I think the stanza you posted was trying to block reading of all xml files. Also, how is your top level apache config file set up? Can you use .htaccess files within sections of the same or other sites? I know it is possible to set up your main configuration so that normal users can't override options in lower level config files.
Even though the above entries are in .htaccess, I am still able to read the "site.xml" file. How do I prevent the reading of this file?
.htaccess files are only good if you're allowing them via the AllowOverride option in your httpd.conf. By default this option is off, and if you have administrative access to the box it should stay that way, as using .htaccess files will cause a (slight) performance hit.
You don't really need the satisfy statement there either. I'd create a helpdesk.conf file in /etc/httpd/conf.d/ with:

<Directory "/var/www/html/request">
    <Files "site.xml">
        Order allow,deny
        Deny from all
    </Files>
    #other directory wide modifications, custom 404, etc.
</Directory>

If all you're protecting is that one file, you don't really need the ~, as that enables full regex matching, which should really be done with FilesMatch.
Alternatively if you really want to block all xml files, use this:
<Files ~ ".xml$">
ankush grover spake the following on 2/10/2007 2:11 AM:
Hi friends,
I have configured a HelpDesk Ticketing System on CentOS 4.4. The problem I am facing is that there is a file called "site.xml" which contains the information about database connections, and I don't want people to be able to read that file through a browser. As per the readme.htm of that software, if the entries below are put in .htaccess then nobody can read the XML through a browser.

<Files ~ ".xml">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Even though the above entries are in .htaccess, I am still able to read the "site.xml" file. How do I prevent the reading of this file?
HelpDesk Ticketing Software is under /var/www/html/request and .htaccess is also under /var/www/html/request.
Please let me know if you need any further information.
Thanks & Regards
Ankush Grover
Did you try to chown to root:root and chmod to 600? That should keep apache from reading the file.
Scott Silva wrote:
Did you try to chown to root:root and chmod to 600? That should keep apache from reading the file.
Since it is a web application, that would also keep the application from reading its own configuration file...
Putting the restriction in a conf file in /etc/httpd/conf.d is the cleanest way to handle this.
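
Added example, not part of the thread and not code from Apache or the HelpDesk software: a small Python check of why the readme's .htaccess stanza has no effect, by finding the AllowOverride value that applies to /var/www/html/request. The sample config is constructed, the function names are hypothetical, and only plain-path <Directory> blocks are handled.

```python
import re

# Constructed sample config (not from the thread); plain-path <Directory> blocks only.
SAMPLE_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# Override class each directive in the readme's stanza needs (Apache 2.0/2.2 docs).
NEEDED = {"order": "limit", "deny": "limit", "satisfy": "authconfig"}
SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I | re.M)


def effective_allow_override(conf_text, path):
    """AllowOverride tokens that apply to path, or None if no section sets it.

    Sections are merged shortest path first, so the longest matching
    <Directory> that sets AllowOverride wins. Simplification: no Include
    handling, wildcards or <DirectoryMatch>.
    """
    path = path.rstrip("/") + "/"
    result = None
    for directory, body in sorted(SECTION.findall(conf_text), key=lambda s: len(s[0])):
        found = OVERRIDE.findall(body)
        if path.startswith(directory.rstrip("/") + "/") and found:
            result = {tok.lower() for tok in found[-1].split()}
    return result


def disallowed_directives(conf_text, path, default="all"):
    """Directives of the readme's stanza that AllowOverride does not permit
    in an .htaccess under path. With None the file is not read at all.
    default: value used when unset ("all" before 2.3.9, "none" from 2.3.9).
    """
    tokens = effective_allow_override(conf_text, path)
    if tokens is None:
        tokens = {default}
    if "all" in tokens:
        return []
    return [d for d in ("Order", "Deny", "Satisfy") if NEEDED[d.lower()] not in tokens]


if __name__ == "__main__":
    print(disallowed_directives(SAMPLE_CONF, "/var/www/html/request"))
```

Run it against the real httpd.conf text in place of SAMPLE_CONF; an empty list means the stanza's directives are permitted in .htaccess for that directory.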