HowTo restrict file access via the web
e-smith release:  4.1.x/SME5

Problem:  You want to restrict access to critical files via the web server.  Typically this is to protect PHP application configuration files that hold sensitive login and password information.  Because the restriction is enforced by Apache before any script runs, it applies even when the application itself has no access control of its own.

Solution:  Implement the following httpd.conf template fragments via the steps below.  See the Mitel security advisory below for one example:

Security Advisory -- PHP-Nuke Remote Compromises
Posted on Friday, November 02 @ 12:34:35 EST


STEP 1:  You will need to create a custom template for Apache. Execute the following commands from the server command line: 

# mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
# pico /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/88RestrictFileAccess

In the editor, enter: 

<Directory /path-to-files>
<Files filename>
order deny,allow
deny from all
allow from address1 address2 ...
</Files>
</Directory>

Replace /path-to-files with the full directory path to the files you wish to protect on your server. For example, if it is in the primary i-bay, use /home/e-smith/files/primary/html.  Add multiple <Directory>...</Directory> blocks if required.

Replace filename with the name of the file to protect.  <Files> takes a single file name or wildcard pattern (for example config*.inc), not a space-separated list; to cover several unrelated files in one block, use <FilesMatch "^(file1|file2)$"> ... </FilesMatch> with an anchored regular expression, or add one <Files> block per file.  If a file never needs to be fetched through the web at all (for example a configuration include that PHP reads from disk), leave out the allow line so that "deny from all" is the whole rule; better still, keep such files outside the document root.

Replace address1 address2 ... with a space-separated list of individual IP addresses, or netblocks in CIDR notation. For example, 127.0.0.1 would allow access from localhost only, and 127.0.0.1 192.168.1.0/24 would allow access from both localhost and any system in the 192.168.1.0/24 network (192.168.1.1 to 192.168.1.254).  Apache matches the client address it sees on the connection, so if requests reach the server through a proxy or NAT gateway, that device's address is the one that must appear in the list.  Here is the completed example, based on the above settings and restricting access to a file named admin.php3:

<Directory /home/e-smith/files/primary/html>
<Files admin.php3>
order deny,allow
deny from all
allow from 127.0.0.1 192.168.1.0/24
</Files>
</Directory>

Then rebuild the template and restart the webserver: 

# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
# /etc/rc.d/init.d/httpd restart

When Apache restarts, test that the allowed addresses can still retrieve the protected file(s) and that disallowed addresses receive a "403 Forbidden" response instead.  Test from at least one machine that is not in the allow list: a typo in the address list can silently allow or block more than you intended.  From the example above you would try to access this URL:

http://yourprimarydomain.com/admin.php3
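The whole procedure above (write the fragment, expand the template, restart, verify) as a shell script.  This is an added example, not part of the original HowTo or of SME Server; it assumes the SME 5 paths used in the steps above, a fragment named 88RestrictFileAccess, the illustrative file names admin.php3 and config.php, and that curl is available on the machine you test from.  It goes slightly beyond the text by generating an anchored <FilesMatch> pattern for several files and by writing a deny-everyone block for a file that should never be served.

```sh
#!/bin/sh
# Added example for this HowTo (not part of the original page or of SME Server).
# It generates the custom httpd.conf template fragment for one or more files,
# installs it with the commands from the HowTo, and checks the result over HTTP.
# Assumed: the SME 5 paths used in the HowTo, a fragment named
# 88RestrictFileAccess, the file names admin.php3/config.php, and that curl
# is installed on the machine you test from.

# Print one <Directory> block protecting the given files.
#   $1 = directory, $2 = space-separated allowed addresses ("" = deny everyone),
#   $3... = file names in that directory
# Apache's <Files> accepts a single name or wildcard, so several files are
# matched with an anchored <FilesMatch> regular expression instead.
restrict_fragment() {
    dir=$1
    allowed=$2
    shift 2
    pattern=""
    for f in "$@"; do
        esc=$(printf '%s' "$f" | sed 's/\./\\./g')   # "." is a regex metachar
        pattern="${pattern}${pattern:+|}${esc}"
    done
    printf '<Directory %s>\n' "$dir"
    printf '<FilesMatch "^(%s)$">\n' "$pattern"
    printf 'order deny,allow\n'
    printf 'deny from all\n'
    # With no allow line, "deny from all" is the whole rule and nobody gets in.
    if [ -n "$allowed" ]; then
        printf 'allow from %s\n' "$allowed"
    fi
    printf '</FilesMatch>\n'
    printf '</Directory>\n'
}

# Write the fragment into the custom template directory, rebuild httpd.conf
# and restart Apache, exactly as in STEP 1 and the rebuild step of the HowTo.
install_fragment() {
    tdir=/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
    mkdir -p "$tdir"
    {
        # admin.php3: reachable from localhost and the LAN only
        restrict_fragment /home/e-smith/files/primary/html \
            "127.0.0.1 192.168.1.0/24" admin.php3
        # config.php: PHP reads it from disk; no browser ever needs it
        restrict_fragment /home/e-smith/files/primary/html "" config.php
    } > "$tdir/88RestrictFileAccess"
    /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
    /etc/rc.d/init.d/httpd restart
}

# Print the HTTP status code Apache returns for each URL.  Run this once from
# an allowed address (expect 200) and once from a disallowed one (expect 403);
# config.php should be 403 from everywhere.
check_urls() {
    for url in "$@"; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
        printf '%s %s\n' "$code" "$url"
    done
}

# Show the fragment that install_fragment would write (no changes are made).
restrict_fragment /home/e-smith/files/primary/html \
    "127.0.0.1 192.168.1.0/24" admin.php3
restrict_fragment /home/e-smith/files/primary/html "" config.php
# To apply on the server:   install_fragment
# To verify afterwards:     check_urls http://yourprimarydomain.com/admin.php3 \
#                                      http://yourprimarydomain.com/config.php
```

Running the script as-is only prints the two blocks; call install_fragment as root on the server to apply them, then check_urls from inside and outside the allowed ranges.  The regular expression is anchored with ^ and $ so that a pattern for admin.php3 does not also match a file such as admin.php3.bak.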