LinuxQuestions.org
Old 11-06-2008, 08:34 AM   #1
RavenLX
Member
 
Registered: Oct 2004
Posts: 88

Rep: Reputation: 15
Need help stopping Apache2 from serving certain files


I am trying to stop Apache2 from serving files with extensions such as .zip, .wma, etc.

So if someone uploaded such a file with such an extension, then gave a link to it, when someone clicked on that link they would not be able to access that file.

Here's the setup I need to use:

1. Web sites served from /var/www/public_html/[domain.com]

2. We can NOT put .htaccess in the [domain.com] directory to do this. We need to put this in the configuration somehow.

3. In the /etc/apache2/apache2.conf I have included:
Include /etc/apache2/apache2_filters

4. In /etc/apache2/apache2_filters I have:

<Files ~ "^\.zip">
Order deny,allow
Deny from all
</Files>

<Files ~ "^\.wma">
Order deny,allow
Deny from all
</Files>

5. We also don't want to put these filters in sites-available.

We need to use this particular setup. However, if I upload a .zip file and make a web page that has a download link to that .zip file, I still can click on the .zip file and download it. This shouldn't happen.

Can someone point me to how I can resolve this?

Thanks in advance.

System: Ubuntu 8.04 LTS Server (LAMP)
 
Old 11-06-2008, 09:32 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
You should slightly change your regular expression:
Code:
<Files ~ "\.(zip)$">
Order deny,allow
Deny from all
</Files>
Read this to see how to combine different file extensions.

Regards
 
Old 11-06-2008, 01:17 PM   #3
RavenLX
Member
 
Registered: Oct 2004
Posts: 88

Original Poster
Rep: Reputation: 15
Solved

Thank you. That is exactly what worked for me. Regular expressions have always been a bit of a challenge for me. Glad to have a little help with it.
 
Old 11-07-2008, 10:19 AM   #4
RavenLX
Member
 
Registered: Oct 2004
Posts: 88

Original Poster
Rep: Reputation: 15
NOT solved - yet

Sorry I have to bump this because now it's not solved yet. I see it will block .zip but NOT .zIp ZIP ZiP, etc. and making filters for each one can be tedious. Is there a way to do case-insensitive matching?

Thanks.
 
Old 11-08-2008, 08:54 AM   #5
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
I'm afraid that what you want cannot be done using <Files>. You can achieve this using mod_rewrite and the following rule:
Code:
RewriteEngine on
RewriteRule .*\.zip$   -   [NC,F]
Regards
 
Old 11-11-2008, 09:14 AM   #6
RavenLX
Member
 
Registered: Oct 2004
Posts: 88

Original Poster
Rep: Reputation: 15
Thank you but I cannot allow mod_rewrite to be active on the server due to security risks. Other customers use the server and if they do something it could be trouble.

Therefore I guess I'll have to make a script write a ton of these rules in every possible way to stop this. It's possible, but will make a large rule file.
 
Old 11-11-2008, 10:29 AM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
How about:
Code:
<FilesMatch "(\.[Zz][Ii][Pp]$|\.[Ww][Mm][Aa]$)">
    Order allow,deny
    Deny from all
</FilesMatch>
My preference is to use the FilesMatch directive, but the form of Files you're using is probably fine too. (You can check the directive documentation to confirm.)

Note: I have not tested this. It seems like it should work, but you will need to verify.
 
Old 11-11-2008, 11:02 AM   #8
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,178

Rep: Reputation: 49
This may sound silly, but how about a script that either prunes zip files from the served directories or otherwise makes them inoperable (chmod -r comes to mind)?
 
Old 11-11-2008, 02:35 PM   #9
RavenLX
Member
 
Registered: Oct 2004
Posts: 88

Original Poster
Rep: Reputation: 15
Finally Solved.

anomie - I could not use FilesMatch because apparently it was not yet implemented and/or supported. When I tried it (Ubuntu 8.04 LTS server with current updates and upgrades) apache would not restart. However, before reading your message, I tried that in just Files and it worked. So your answer works, just that for some, they have to use just Files and not FilesMatch.

Poetics - What you're thinking of is a good idea, but I prefer to do this at the server level since a file could be served in between times of clean-ups and thus some things run the risk of getting through. I want to stop it before it got served in the first place.

Also I found that anomie's idea also works in ProFTPd filters as well.
 
Old 11-11-2008, 02:40 PM   #10
RavenLX
Member
 
Registered: Oct 2004
Posts: 88

Original Poster
Rep: Reputation: 15
Resolved Code

Here is the Files:

Inside the /etc/apache2/apache.conf, add:

Code:
Include /etc/apache2/apache_filters
Inside a /etc/apache2/apache_filters file, create one set for each extension you wish to eliminate.

Code:
<Files ~ "\.([zZ][iI][pP])$">
Order deny,allow
Deny from all
</Files>
For those wondering about ProFTPd, here's how it would work: edit the /etc/proftpd/proftpd.conf file and place the following code at the end of the file. Note that you can only put one PathDenyFilter in the config, as multiple ones are ignored in favor of (I forgot which) either the first or the last one specified.

Code:
<Global>
PathDenyFilter \.([zZ][iI][pP]|[wW][mM]*|[mM][pP][gG])$
</Global>
You can add as many as you want to the PathDenyFilter separating each set with a pipe | character.

Last edited by RavenLX; 11-11-2008 at 02:47 PM.
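
Added example, not part of any post in the thread: a small Python check that runs the deny patterns quoted above against constructed file names, and generates the bracket-class form for a list of extensions (the kind of script mentioned in post #6). Python's `re` stands in for the servers' regex engines, which is an assumption that holds for the simple constructs used here; the sample names and helper names are made up for the illustration.

```python
import re

# Patterns quoted from the thread (Apache <Files ~ "..."> and ProFTPd PathDenyFilter).
THREAD_PATTERNS = {
    "post1_files": r"^\.zip",
    "post2_files": r"\.(zip)$",
    "post10_files": r"\.([zZ][iI][pP])$",
    "post10_proftpd": r"\.([zZ][iI][pP]|[wW][mM]*|[mM][pP][gG])$",
}

# Constructed sample names, not taken from the thread.
SAMPLES = ["a.zip", "a.ZIP", "a.zIp", ".zip", "a.zip.txt",
           "song.wma", "song.WMA", "clip.mpg", "x.w", "index.html"]


def denied(pattern, filename):
    """Unanchored search, the way a regex deny rule is applied to a file name."""
    return re.search(pattern, filename) is not None


def ci_ext_pattern(extensions):
    """Build a case-insensitive bracket-class pattern from plain extensions."""
    alts = []
    for ext in extensions:
        alts.append("".join(
            f"[{c.lower()}{c.upper()}]" if c.isalpha() else re.escape(c)
            for c in ext))
    return r"\.(" + "|".join(alts) + r")$"


def report(patterns, samples):
    """Map each pattern name to the sample names it would deny."""
    return {name: [s for s in samples if denied(p, s)]
            for name, p in patterns.items()}


if __name__ == "__main__":
    patterns = dict(THREAD_PATTERNS,
                    generated=ci_ext_pattern(["zip", "wma", "mpg"]))
    for name, hits in report(patterns, SAMPLES).items():
        print(f"{name:15} denies {hits}")
```

In the output, `^\.zip` denies only a file literally named `.zip`, and the `[wW][mM]*` alternative in the ProFTPd filter denies `x.w` but not `song.wma`, because `*` is a regex repeat of the preceding class rather than a shell wildcard.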