How to prevent the server files from being accessible by users

by mina bebawy -
Number of replies: 14

How do I redirect all sub-links to index.php, to prevent showing all the server files to all users?


In reply to mina bebawy

Re: How to prevent the server files from being accessible by users

by Colin Fraser -

By default, directory listings are enabled, so to get around this issue you can add a .htaccess file in your parent and Moodle root directory. Try this: 

Create a new file using a text editor in UTF-8 format, not Windows Notepad, and add the line

                      Options -Indexes

You can then redirect to a specific page using a line like: 

                     Redirect /path/to/this/directory/ /path/to/usual/index/file/index.php  (or .htm, .html, whatever)


Save as .htaccess  

Note: there is no file name before the dot; the htaccess is the extension. That should deny users the ability to access directory listings. Do not forget the dash (-) before the word Indexes; that is a switch: no dash allows and dash denies. 

Declaration: I have never tried to redirect, I just left it at denying the directory listing; let them sort it out for themselves.

In reply to Colin Fraser

Re: How to prevent the server files from being accessible by users

by mina bebawy -

Thank you Colin for your reply

I created the .htaccess file with Options -Indexes through "vim" in the Ubuntu terminal, and also with the redirect, but I got the same results: the folders are accessible and the files can be opened!

In reply to mina bebawy

Re: How to prevent the server files from being accessible by users

by Ken Task -

Easier - less complicated way?

cd /path_to/moodle36/admin/tool/

touch index.html

That last command creates a blank ... nothing in it ... index.html file, which should be defined in Apache as a default file to be served on access to folders ... like you discovered.

Use the browser and try it again ... you should see a 'white screen'.

'spirit of sharing', Ken



In reply to Ken Task

Re: How to prevent the server files from being accessible by users

by mina bebawy -

Dear Ken

thank you for your reply

It Worked!

after running sudo touch index.php under admin

and copying index.php to the tool folder

it gave this error message, which is good for me I think



In reply to mina bebawy

Re: How to prevent the server files from being accessible by users

by Ken Task -

Yes, it should work.  However, Moodle is a series of .php scripts, including index.php in some directories.

The directions you were given said to touch index.html ... that's index.html, NOT index.php.

One should NOT move or overwrite any index.php file found in the code.   Might result in surprises ... cannot predict what those would be, but possibly some very strange errors.

Matter of fact, if you managed to replace the index.php that was in moodlecode/admin/ ... you just broke your Moodle.   Download a zip of the version you have on the server.   Unzip locally.  Find the index.php file in the moodle/admin/ code.  Upload that index.php to your server in moodlecode/admin/.

Check ownership and permissions on the index.php file you uploaded.

Right now, there is one other setting you need to change in Apache, in the main config file ... ServerSignature to none.  That will turn off the line you see about the PHP version ... no sense in giving bad guys/gals/bots more info ... the idea is to make it harder for them, not easier.

The 'devil is in the details'! smile

'spirit of sharing', Ken
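The blank-index-file approach from Ken's two posts above, as an added shell example that is not code from the thread or from Moodle: it lists every directory under a web root that has neither index.php nor index.html, and drops an empty index.html only into those, so an existing Moodle script such as admin/index.php is never overwritten. The demo tree is constructed for illustration and /var/www/moodle in the usage comment is a hypothetical path.

```shell
#!/bin/sh
# Added example, not code from the thread or from Moodle. Audits a web root
# for directories that would show a raw listing (no index.php, no index.html)
# and adds an empty index.html only there. The demo tree below is constructed
# for illustration; "/var/www/moodle" in the usage comment is a hypothetical path.

# Print every directory under $1 that has neither index.php nor index.html.
dirs_without_index() {
    root="$1"
    find "$root" -type d | while IFS= read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Create an empty index.html in each directory reported by dirs_without_index
# and print how many were created. Directories that already have an index
# file are left alone, so no Moodle index.php is ever replaced.
add_blank_index() {
    root="$1"
    count=0
    list=$(mktemp)
    dirs_without_index "$root" > "$list"
    while IFS= read -r d; do
        : > "$d/index.html"
        count=$((count + 1))
    done < "$list"
    rm -f "$list"
    echo "$count"
}

# Constructed demo: a tiny tree shaped like part of a Moodle install.
# Prints the number of blank index files that had to be added, which is 2
# (admin/tool and lib/yui), or "error" if a real script was disturbed.
demo() {
    top=$(mktemp -d)
    mkdir -p "$top/admin/tool" "$top/lib/yui"
    echo '<?php // real script, must survive' > "$top/index.php"
    echo '<?php // real script, must survive' > "$top/admin/index.php"
    : > "$top/lib/index.html"
    added=$(add_blank_index "$top")
    # sanity: the real scripts are untouched and nothing is left uncovered
    grep -q 'must survive' "$top/admin/index.php" || added="error"
    [ -z "$(dirs_without_index "$top")" ] || added="error"
    rm -rf "$top"
    echo "$added"
}

# Usage on a real tree (hypothetical path):
#   dirs_without_index /var/www/moodle   # report only
#   add_blank_index    /var/www/moodle   # report and fix
```

Two caveats a practitioner should keep in mind: the empty file only suppresses the listing, every file in the directory stays reachable by its URL exactly as before, and it only works because the server's DirectoryIndex already names index.html. Turning directory listings off in the server configuration, as Séverin says further down, removes the exposure rather than papering over it per directory.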


In reply to Ken Task

Re: How to prevent the server files from being accessible by users

by mina bebawy -


Done sir, to avoid the devil. big grin

In reply to Ken Task

Re: How to prevent the server files from being accessible by users

by Colin Fraser -

That's interesting Ken, but why doesn't the .htaccess approach work here? I've used that elsewhere and it has worked, without the redirect. Any ideas? 

In reply to Colin Fraser

Re: How to prevent the server files from being accessible by users

by Ken Task -

.htaccess should work ... and it's a file that Apache (how about LiteSpeed or nginx or whatever?) is supposed to look for every time (just like default files) ... and if found ... execute or do whatever is in there, *IF* the syntax is right. 

Have just found the blank index file to be immediate ... no reboot required ... no restart of services ... nothing extra on the server ... plus it's simple ... I'm stupid ... I like things simple! smile

'spirit of sharing', Ken


In reply to Ken Task

Re: How to prevent the server files from being accessible by users

by Ken Task -

Well, it appears I am not as 'stupid' as I thought! smile

Apache:

https://httpd.apache.org/docs/2.4/howto/htaccess.html

"You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance."

Nginx

https://www.nginx.com/resources/wiki/start/topics/examples/likeapache-htaccess/

The bottom line above ...

"Conclusion
Stop using .htaccess. It’s horrible for performance. NGINX is designed to be efficient. Adding something like this destroys that.
"

'spirit of sharing', Ken


Average of ratings: Useful (3)
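Colin's .htaccess lines and Ken's ServerSignature change, moved into the main Apache configuration as the httpd documentation quoted above recommends, together with a small shell check that flags the weak settings. This is an added example, not code from the thread or from the Apache project; the Directory path and the config file names are hypothetical, and the two config snippets are constructed to show the weak defaults beside the hardened form. Two details worth being exact about: the directive Ken mentions takes the value Off (ServerSignature accepts On, Off or EMail), and ServerTokens Prod trims the Server: response header to just "Apache".

```shell
#!/bin/sh
# Added example, not code from the thread or from the Apache project.
# Audits an httpd config file for the three settings discussed in the thread
# and shows a weak and a hardened Directory block side by side.
# File names and the /var/www/html path are hypothetical.

# Print one line per weak setting found in the config file $1:
#   - "Options ... Indexes" (or "All") without a leading '-': listings on
#   - "ServerSignature" not Off: version banner on error pages and listings
#   - "ServerTokens" not Prod: detailed Server: header
# Comments are stripped first; only this one file is read (Include is not followed).
apache_weak_settings() {
    conf="$1"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$conf" | awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "indexes" || tolower($i) == "+indexes" || tolower($i) == "all")
                    print "directory listing enabled: " $0
        }
        tolower($1) == "serversignature" && tolower($2) != "off" {
            print "server signature on: " $0
        }
        tolower($1) == "servertokens" && tolower($2) != "prod" {
            print "verbose server tokens: " $0
        }
    '
}

# Number of weak settings in config file $1 (0 means clean).
count_weak_settings() {
    apache_weak_settings "$1" | wc -l | tr -d ' '
}

# Constructed snippet in the shape many distribution defaults ship with.
write_weak_conf() {
    cat > "$1" <<'EOF'
ServerSignature On
ServerTokens OS
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
EOF
}

# The same server with the thread's advice applied in the main config:
# listings off, banner off, and AllowOverride None so a stray .htaccess
# cannot switch Indexes back on.
write_hardened_conf() {
    cat > "$1" <<'EOF'
ServerSignature Off
ServerTokens Prod
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Usage on a real server (hypothetical path):
#   apache_weak_settings /etc/httpd/conf/httpd.conf
```

Unlike the blank index.html, a config change only takes effect after `apachectl configtest` passes and the service is reloaded, which is the trade-off Ken points out. The checker deliberately reads only the file it is given, so run it against each included file (sites-enabled, conf.d) rather than trusting a clean result from httpd.conf alone.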
In reply to Ken Task

Re: How to prevent the server files from being accessible by users

by Colin Fraser -

Yes, thanks Ken, I think I am getting it: .htaccess is old and Directory blocks are newer ideas ... and using a blank html file called index.html is cleaner and simpler. Oh well, live and learn.. smile 

In reply to Colin Fraser

Re: How to prevent the server files from being accessible by users

by Séverin TERRIER -

Hi,

Concerning the directory listing "issue" (and the idea of a blank file), you can already find good information in these discussions:

In short, the conclusion is to configure the web server properly to disallow directory listing!

HTH,
Séverin

In reply to Séverin TERRIER

Re: How to prevent the server files from being accessible by users

by Ken Task -

Interesting ... the 2004 link (and probably the others provided) shows some debate.

The reference to the 2004 discussion ... points out that info should be included in installation docs.
https://docs.moodle.org/36/en/Security_recommendations
however, makes no mention of directory listing.

https://docs.moodle.org/36/en/Security_FAQ
Security Overview
Doesn't check for 'directory listing' ... at least in 'English' ... except one ... vendor.
BTW, an addon/plugin could have a vendor directory not detected by the security check.

The distributor of a platform that has apache/httpd in their repo has decided how apache/httpd is configured ... right out of the shrink wrap, so to speak.

Default for apache on CentOS and RedHat is to list raw directories, me thinks.

https://wiki.apache.org/httpd/DirectoryListings

Depending upon where one hosts and how, providers also have their own ideas.
One might see that the kernel is based upon el7, but that may not mean a 'default' httpd/apache config.

As long as I am on the topic of what's needed ... I wonder why tools like JMeter testing are included in the default distribution.  Have had to help a user 'clean up' after they explored what that was ... wanted to 'test' their production environment ... even though there were comments/warnings, etc. all over the place.

Why not have a 'core developers' plugin that installs all the extra ... developer stuff?   Am not really asking that question ... just thinking out loud.

Just sharing!

'spirit of sharing', Ken




Average of ratings: Useful (1)
In reply to Ken Task

Re: How to prevent the server files from being accessible by users

by Jon Bolton -
Eek, the screenshot shows install.php, and the OP talks about moving index files to different directories. This could get... er, interesting? messy?
In reply to Jon Bolton

Re: How to prevent the server files from being accessible by users

by Ken Task -

Could be the OP was attempting to show/verify that the server signature setting changed successfully, but did point to a directory/file that should be present.

As far as moving files ... that was not the advice given ... 'devil is always in the details' ... so OP might learn some things here (hopefully, not the hard way).

There are many directories in moodle code that someone could initially pull up in browser, but nothing should be executable via browser.

'spirit of sharing', Ken