I have a website that uses JSON files to store settings in. Those files are located at a subfolder, so that it looks like /settings/settings.json.

If I type in the IP address on the local network like so http://192.168.1.1/settings/settings.json I am able to see the contents of the JSON. I need to prevent this somehow, and I think that I might be able to do this via a .htaccess file, but not sure. The domain name (192.168.1.1) is dynamic and can change from time to time, so I need to find some dynamic way of preventing it.

Peter David Carter

1 Answer

I am able to see the contents of the json. I need to prevent this somehow

If you are using Apache, then you can use:

  • A .htaccess file

  • A Directory block in httpd.conf (better performance)

If you are using Lighttpd, then you can use:

  • A url.access-deny directive in lighttpd.conf

See below for instructions.


Apache - Using a .htaccess file

Create a .htaccess file in the settings directory with the following content:

# Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat, and
# "Require all denied" is the native equivalent
deny from all

That will deny access to any file in that folder.

Note:

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

Source Apache HTTP Server Tutorial: .htaccess files


Apache - Using a Directory block in httpd.conf

Add the following to your httpd.conf file

# Directory takes a filesystem path, not a URL path: use the absolute path
# of the settings folder under your document root (adjust to your system)
<Directory "/settings">
  Require all denied
</Directory>

Lighttpd - Using a url.access-deny directive in lighttpd.conf

The mod_access module is used to deny access to files and directories.

  1. Edit /etc/lighttpd/lighttpd.conf file as follows:

    vi /etc/lighttpd/lighttpd.conf
    
  2. Add the following code to enable mod_access:

    server.modules += ( "mod_access" )
    
  3. Add regex as follows:

    # deny access to /settings
    $HTTP["url"] =~ "^/settings/" {
         url.access-deny = ("")
    }
    
  4. Save and close the file.

  5. Check for syntax errors:

    lighttpd -t -f /etc/lighttpd/lighttpd.conf
    
  6. If no errors then restart the lighttpd web server:

    service lighttpd restart
    

Source Lighttpd Deny Access To Folders / Directories. Script has been tweaked to match the requirements of the question.

DavidPostill
  • I am unable to locate any httpd.conf file in my system. I've tried searching for it with `find / -name httpd.conf`, but nothing is returned. Could it have any other name? I'm using lighttpd on a Debian variant – Daniel Jørgensen Apr 23 '16 at 18:59
  • @DanielJørgensen Instructions added for Lighttpd. File is /etc/lighttpd/lighttpd.conf but different syntax to Apache. – DavidPostill Apr 23 '16 at 19:16
  • Gah, finally an answer that works! I could not get _url.access-deny_ to work no matter what I tried. I was using a stripped down version of lighttpd on an embedded device so I wasn't getting any logs. Finally the missing piece is to add "**mod_access**" to **server.modules**. None of the other answers had this key bit of knowledge. FINALLY it works. – CR. Jun 22 '21 at 23:30
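Whichever of the three configurations above you apply, the last step is to confirm from the network that the JSON is no longer served, and to be able to repeat that check whenever the server's address changes. The script below is an added example, not part of the answer or of the Apache or lighttpd projects. It assumes the protected directory is /settings and the file is settings.json as in the question, takes the host (and optional port) as a command-line argument because the IP is dynamic, and exits non-zero if anything in the directory still comes back with a 2xx/3xx status. The probing logic is separated from the HTTP call so it can be exercised without a live server.

```python
#!/usr/bin/env python3
"""Verify that a web server no longer serves a settings directory.

Added example, not from the original answer. Assumes plain HTTP and that
the protected directory is /settings, as in the question. Usage:

    python3 check_settings_denied.py 192.168.1.1
    python3 check_settings_denied.py myserver.lan:8080
"""
import http.client
import sys

# Status codes that prove the deny rule is in effect. 403 is what Apache's
# "Require all denied" / "deny from all" and lighttpd's url.access-deny
# return; 404 also means the file is not exposed.
DENIED_STATUSES = {403, 404}


def probe_paths(directory="/settings", files=("settings.json",)):
    """Build the URL paths to probe: the directory itself (index/listing
    request) plus each file the question says lives in it."""
    base = "/" + directory.strip("/") + "/"
    return [base] + [base + name for name in files]


def is_denied(status):
    """True if the HTTP status shows the resource is not being served."""
    return status in DENIED_STATUSES


def fetch_status(host, path, timeout=5):
    """Return the HTTP status for a GET of `path` on `host` (may include :port)."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def check_host(host, paths, fetch=fetch_status):
    """Probe every path; return {path: (status, denied_flag)}.

    `fetch` is injectable so the logic can be tested without a network.
    """
    results = {}
    for path in paths:
        status = fetch(host, path)
        results[path] = (status, is_denied(status))
    return results


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} HOST[:PORT]", file=sys.stderr)
        return 2
    results = check_host(argv[1], probe_paths())
    exposed = False
    for path, (status, denied) in results.items():
        verdict = "denied" if denied else "EXPOSED"
        print(f"{status:3d} {verdict:8s} {path}")
        exposed = exposed or not denied
    # Non-zero exit so a cron job or deploy script can alert on regressions.
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the exit code reflects the result, the script can run from cron or a deployment hook against the server's current address; a 200 for /settings/settings.json after a config change means the deny rule was not loaded (the lighttpd mod_access case from the comments above shows up exactly this way).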