0

I'm trying to make my web server more secure, right now i'm attempting to put up a sort of "barrier" against directory traversal so a malicious user could not pass this if they found a way to perform such an attack.

The way I'm trying to do this is by having a folder layout as such: ( www being the furthest apache is allowed to go.)

/www/public_html/ #public contents
    / #private contents

I've found a way to deny all access after the web root, but i need things like PHP to be able to access private files like this

include '../private_file.php';

This is what i have so far in apache2.conf:

<Directory />
   Order Deny,Allow
   Deny from all
   Options None
   AllowOverride None
</Directory>

<Directory /www/public_html>
   Order Allow,Deny
   Allow from all
</Directory>

Does anyone know how I could do this?

Improve this question

1 Answer 1

Reset to default
1

<Directory> restrictions only control access over HTTP, not access by scripts running in the web server. They're not what you want here.

What you're looking for is the PHP open_basedir configuration option.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you so much! Saved me from going insane after Googling it for 3 hours

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.