
Recipe 6.26 Restricting Access to Files Outside Your Web Root

Problem

You want to make sure that files outside of your web directory are not accessible.

Solution

For Unixish systems:

<Directory />
    Order deny,allow
    Deny from all
    AllowOverride None
    Options None
</Directory>

For Windows systems:

<Directory C:/>
    Order deny,allow
    Deny from all
    AllowOverride None
    Options None
</Directory>

Repeat for each drive letter on the system.

Discussion

A good security technique is to deny access to everything, and then selectively permit access where it is needed. By placing a Deny from all directive on the entire filesystem, you ensure that files cannot be loaded from any part of your filesystem unless you explicitly permit it, using an Allow from all directive applied to some other <Directory> section in your configuration.

If you wanted to create an Alias to some other section of your filesystem, you would need to explicitly permit this with the following:

Alias /example /var/example
<Directory /var/example>
    Order allow,deny
    Allow from all
</Directory>
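
To confirm that a configuration follows this deny-by-default pattern, the following added example (not part of the original recipe) parses a configuration and reports whether <Directory /> is denied, which directories are explicitly opened, and which Alias targets have no permitting <Directory> section. The function names and the sample configuration are constructed for illustration; it assumes Unix-style paths, a single file with no Include directives, and the Order/Deny/Allow syntax used in this recipe.

```python
import re
# Constructed sample httpd.conf fragment in the recipe's Order/Deny/Allow syntax.
SAMPLE_CONF = """\
<Directory />
    Order deny,allow
    Deny from all
    AllowOverride None
    Options None
</Directory>
Alias /example /var/example
<Directory /var/example>
    Order allow,deny
    Allow from all
</Directory>
Alias /reports /srv/reports
"""

def parse_conf(text):
    """Return ({directory: [directives]}, {alias_url: filesystem_path})."""
    sections, aliases, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        alias = re.match(r'Alias\s+(\S+)\s+"?([^"]+?)"?$', line, re.I)
        if opened:
            current = opened.group(1).rstrip("/") or "/"
            sections.setdefault(current, [])
        elif line.lower() == "</directory>":
            current = None
        elif current is not None:
            sections[current].append(" ".join(line.lower().split()))
        elif alias:
            aliases[alias.group(1)] = alias.group(2).rstrip("/") or "/"
    return sections, aliases

def audit(text):
    """Report whether / is default-deny and which paths are explicitly opened."""
    sections, aliases = parse_conf(text)
    permitted = sorted(p for p, d in sections.items() if "allow from all" in d)
    def covered(path):
        return any(path == p or path.startswith(p.rstrip("/") + "/") for p in permitted)
    return {
        "root_denied": "deny from all" in sections.get("/", []),
        "permitted": permitted,  # every entry here is an exception to the default deny
        "blocked_aliases": sorted(u for u, p in aliases.items() if not covered(p)),
    }
```

Calling audit(SAMPLE_CONF) reports /var/example as the only permitted directory and /reports as an alias with no permitting section, so requests to it are refused while the root deny is in place.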

See Also
