Need help stopping Apache2 from serving certain files
I am trying to stop Apache2 from serving files with extensions such as .zip, .wma, etc.
So if someone uploaded such a file with such an extension, then gave a link to it, when someone clicked on that link they would not be able to access that file.
Here's the setup I need to use:
1. Web sites served from /var/www/public_html/[domain.com]
2. We can NOT put .htaccess in the [domain.com] directory to do this. We need to put this in the configuration somehow.
3. In the /etc/apache2/apache2.conf I have included:
Include /etc/apache2/apache2_filters
4. In /etc/apache2/apache2_filters I have:
<Files ~ "^\.zip">
Order deny,allow
Deny from all
</Files>
<Files ~ "^\.wma">
Order deny,allow
Deny from all
</Files>
5. We also don't want to put these filters in sites-available.
We need to use this particular setup. However, if I upload a .zip file and make a web page that has a download link to that .zip file, I still can click on the .zip file and download it. This shouldn't happen.
Original Poster
NOT solved - yet
Sorry I have to bump this because now it's not solved yet. I see it will block .zip but NOT .zIp ZIP ZiP, etc. and making filters for each one can be tedious. Is there a way to do case-insensitive matching?
Original Poster
Thank you but I cannot allow mod_rewrite to be active on the server due to security risks. Other customers use the server and if they do something it could be trouble.
Therefore I guess I'll have to make a script write a ton of these rules in every possible way to stop this. It's possible, but will make a large rule file.
<FilesMatch "(\.[Zz][Ii][Pp]$|\.[Ww][Mm][Aa]$)">
Order allow,deny
Deny from all
</FilesMatch>
My preference is to use the FilesMatch directive, but the form of Files you're using is probably fine too. (You can check the directive documentation to confirm.)
Note: I have not tested this. It seems like it should work, but you will need to verify.
This may sound silly, but how about a script that either prunes zip files from the served directories or otherwise makes them inoperable (chmod -r comes to mind)?
Original Poster
Finally Solved.
anomie - I could not use FilesMatch because apparently it was not yet implemented and/or supported. When I tried it (Ubuntu 8.04 LTS server with current updates and upgrades) Apache would not restart. However, before reading your message, I tried that in just Files and it worked. So your answer works, just that for some, they have to use just Files and not FilesMatch.
Poetics - What you're thinking of is a good idea, but I prefer to do this at the server level since a file could be served in between times of clean-ups and thus some things run the risk of getting through. I want to stop it before it got served in the first place.
Also I found that anomie's idea also works in ProFTPd filters as well.
Original Poster
Resolved Code
Here is the Files:
Inside the /etc/apache2/apache.conf, add:
Code:
Include /etc/apache2/apache_filters
Inside a /etc/apache2/apache_filters file, create one set for each extension you wish to eliminate.
Code:
<Files ~ "\.([zZ][iI][pP])$">
Order deny,allow
Deny from all
</Files>
For those wondering about ProFTPd, here's how it would work: edit the /etc/proftpd/proftpd.conf file and, at the end of the file, place the following code. Note that you can only put one PathDenyFilter in the config, as multiple ones are ignored in favor of (I forgot which) either the first or the last one specified.
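Added example (not part of the original thread, and not the ProFTPd filter mentioned above): a Python script that generates the character-class `<Files>` rule from a list of extensions, as the poster considered scripting, and checks a regex against every upper/lower-case spelling of each extension. The function names and the `upload` file stem are hypothetical, and it assumes Apache tests a `<Files ~>` regex, unanchored, against the file's base name.

```python
import itertools
import re

def ext_pattern(ext):
    """'zip' -> '[zZ][iI][pP]'; non-letters are regex-escaped."""
    return "".join(
        f"[{c.lower()}{c.upper()}]" if c.isalpha() else re.escape(c)
        for c in ext
    )

def files_regex(extensions):
    """One regex covering every extension, anchored at the end of the name."""
    return r"\.(" + "|".join(ext_pattern(e) for e in extensions) + r")$"

def files_block(extensions):
    """Render the rule in the Apache 2.2 syntax used in the thread."""
    return (f'<Files ~ "{files_regex(extensions)}">\n'
            "Order deny,allow\nDeny from all\n</Files>\n")

def case_variants(ext):
    """Every upper/lower spelling of ext: zip, ziP, zIp, ... ZIP."""
    pairs = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in ext]
    return ["".join(p) for p in itertools.product(*pairs)]

def unblocked(regex, extensions, stem="upload"):
    """Constructed test names (stem.variant) that the regex does NOT match.
    Assumption: the regex is searched, unanchored, in the base name."""
    rx = re.compile(regex)
    return [f"{stem}.{v}" for e in extensions for v in case_variants(e)
            if not rx.search(f"{stem}.{v}")]

if __name__ == "__main__":
    exts = ["zip", "wma"]
    print(files_block(exts))
    print("missed by generated rule:", unblocked(files_regex(exts), exts))
    # The first rule in the thread only matches names that begin with ".zip".
    print("missed by ^\\.zip:", unblocked(r"^\.zip", ["zip"]))
    # A lowercase-only rule lets every mixed-case spelling through.
    print("missed by \\.zip$:", unblocked(r"\.zip$", ["zip"]))
```

Running the same `unblocked` check on any hand-written rule shows which spellings would still be served before the rule goes into the included filter file.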