efz
asked on
Limiting web browsing to certain folders
At our company web site we have a folder where we keep information and executables that are used by our software. While we need our programs to have access to the folder and its contents, we’d like to prevent clever users from being able to type the address of a file directly into their browser and thereby download the file. Is there a folder property I could set at the web server that would accomplish this?
For Windows, check out this:
http://learn.iis.net/page.aspx/557/translate-htaccess-content-to-iis-webconfig/
specifically the section titled "Directory Browsing"
ASKER
Many thanks for your speedy response. Your suggestion seems like just what I need. If I understand correctly, I insert the line
<directoryBrowse enabled="true" />
in the web.config file located in the site's root folder. What I don't understand is how this command is applied to one folder in particular. Visitors should be able to browse most of the site, no? I only wish to preclude them from a particular folder. The "directoryBrowse" directive seems to apply to the entire site, doesn't it?
ASKER
There's a typo in my earlier comment. The directoryBrowse enabled value is supposed to be "false".
When I inserted that line into the web.config file, I was unable to browse any page of the web site without getting an error.
What's the secret?
With Linux you can change it at any level -- since it is handled by the .htaccess file in each folder.
The default for Windows is off at all levels, so it's kind of strange it was on for you....
Normally you don't want people to be able to browse your web directories at all.
Note: " The enabled attribute determines whether directory browsing is enabled for the site, application, or directory."
(from http://www.iis.net/ConfigReference/system.webServer/directoryBrowse)
Yet it doesn't have any instruction on how to re-enable it for a specific application or directory.
The default accepted way is to disable it altogether.
Is there an application or directory you DO want browsing re-enabled for?
The below shows how to enable it for an individual directory
<configuration>
  <location path="special_directory_name_here">
    <system.webServer>
      <directoryBrowse enabled="true" />
    </system.webServer>
  </location>
</configuration>
more info here:
http://blogs.iis.net/bills/archive/2008/03/24/how-to-enable-directory-browsing-with-iis7-web-config.aspx
ASKER
I'm on a Windows server by the way.
I should clarify my problem. We store executable files at our site:
http://www.mysite.com/afolder/myfile.exe
I was not being precise when I used the term "browsing". What you say is true, users by default cannot browse the "afolder", however they can download the myfile.exe file by typing the following line in their browser:
http://www.mysite.com/afolder/myfile.exe
My problem is that I need to be able to allow our programs being used in the field to access these files (as they currently have been doing), but not allow users to download them directly by simply typing the path to the executable. Is that possible?
Depending on what you are using them for, you could make the names of the .exe files less obvious, so someone couldn't GUESS the name of the file.... but if they know the file is called "lmnop.exe" they would be able to get it.....
Still "lmnop.exe" is less obvious than "myapp.exe"
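Added example, not part of the original thread: disabling directory browsing only hides the folder listing, and an obscure file name only makes the URL harder to guess, so the file is still served to anyone who requests its full path; requiring authentication on the folder is one way to close that gap. The sketch below assumes the folder is named afolder as in the question, that the IIS URL Authorization module and at least one authentication method are enabled for the site, and that the programs in the field can send credentials over HTTPS.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config in the site's root folder (added example, not from the thread). -->
<configuration>

  <!-- Everything inside <location> applies only to /afolder and below;
       the rest of the site keeps its existing settings. -->
  <location path="afolder">
    <system.webServer>

      <!-- Hides the folder listing only. A request for the full URL of a
           file in the folder is still answered with the file.
           Note that directoryBrowse must sit inside system.webServer. -->
      <directoryBrowse enabled="false" />

      <!-- URL authorization for this folder (assumes the URL Authorization
           module is installed and the section is not locked at server level).
           "?" means anonymous requests; Deny rules take precedence over
           Allow rules, so unauthenticated downloads are refused while
           authenticated callers are still allowed. -->
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="?" />
          <add accessType="Allow" users="*" />
        </authorization>
      </security>

    </system.webServer>
  </location>

</configuration>
```

With this in place an anonymous browser request for a file under afolder receives a 401 response instead of the file, and the client programs must present an account the server accepts.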
ASKER
So be it. Please accept my sincere thanks for your help.
http://www.javascriptkit.com/howto/htaccess11.shtml
Are you using Linux or Windows for your web server?