[EN] Securing private directory

Flaxee edited this page Jan 1, 2020 · 5 revisions

It's very important to isolate the private directory from your visitors. This guide shows how to do it for the common web servers.

Apache

First of all, if you have .htaccess files enabled, the private directory might already be blocked. Test it to find out.

If not, follow these instructions. Note that they were written for Ubuntu; file locations might differ on other systems.

1. Edit your site file

You should have a .conf file in your /etc/apache2/sites-available/ folder (mine was named 000-default.conf). Open it in your favorite editor.

2. Block the private directory

Add the following code inside the <VirtualHost> block. Remember to adjust the absolute path if needed!

<Directory /var/www/html/private>
    # Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat
    # (enabled by default on Ubuntu). The native 2.4 form is: Require all denied
    Order Deny,Allow
    Deny from all
</Directory>

Save and exit.

3. Reload Apache

On Ubuntu you can run sudo service apache2 restart. If you get errors, you probably broke the configuration file.
Now test whether everything is working (see "Test it" below).

Nginx

1. Edit your site file

Find your site file. By default it's /etc/nginx/sites-available/default. Open it in your favorite editor.

2. Block the private directory

Add the following code inside the server block. Remember to adjust the relative path if needed!

# ^~ makes this prefix match win over the regex location that hands .php
# files to PHP, so nothing under /private is executed or served.
# Note: the prefix also matches paths such as /private-backup.
location ^~ /private {
    deny all;
}

Save and exit.

3. Reload Nginx

On Ubuntu you can run sudo service nginx restart. If you get errors, you probably broke the configuration file.
Now test whether everything is working (see "Test it" below).

IIS

We don't have much experience with IIS, but this config was reported to work:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <!-- Requires the IIS URL Rewrite module. The pattern is anchored so that
             "private" and "private/" (the directory itself) are blocked as well,
             not only files below it. -->
        <rewrite>
            <rules>
                <rule name="Disable-Folder" stopProcessing="true">
                    <match url="^private(/.*)?$" />
                    <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access Is Forbidden." />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Other web servers

Use Google

Test it

You should not be able to access any of these URLs; each of them should show the error page instead.
(Replace example.com with your TS-website address.)

  • example.com/private/ (root private dir)
  • example.com/private/dbconfig.php (file)
  • example.com/private/php (directory)
  • example.com/private/php/load.php (file inside of directory)
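The checks above can be scripted so they are re-run after every configuration change. This is an added example, not part of the TS-website wiki; it assumes curl is installed and takes the site's base URL (http://example.com in the page's wording) as its only argument.

```shell
#!/bin/sh
# check_private_dir.sh: verify that the /private directory is not served.
# Added example, not part of the TS-website project. Requires curl.
set -u

# The four paths from the "Test it" section of the wiki page.
PATHS="/private/ /private/dbconfig.php /private/php /private/php/load.php"

# Print the HTTP status code for a URL, or 000 if the request failed.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null || echo 000
}

# Classify a status code:
#   403         -> blocked (the expected error page)
#   404         -> not served, but check that the base URL is right
#   2xx         -> EXPOSED: the server handed out the content
#   3xx         -> redirect not followed; inspect the target by hand
#   000         -> server unreachable
verdict() {
    case "$1" in
        403) echo blocked ;;
        404) echo "not-found" ;;
        2*)  echo EXPOSED ;;
        3*)  echo redirect ;;
        000) echo unreachable ;;
        *)   echo unexpected ;;
    esac
}

# Check every path under the given base URL; succeed only if all are blocked.
check_site() {
    base="${1%/}"   # strip a trailing slash so paths join cleanly
    rc=0
    for p in $PATHS; do
        code=$(http_status "$base$p")
        v=$(verdict "$code")
        printf '%-45s %s %s\n' "$base$p" "$code" "$v"
        [ "$v" = "blocked" ] || rc=1
    done
    return $rc
}

if [ "$#" -ge 1 ]; then
    check_site "$1"
fi
```

Run it as `sh check_private_dir.sh http://example.com`; a non-zero exit status means at least one of the listed paths is still reachable or could not be verified.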