11 replies
Hi Everyone,

Must apologize, I do not often come around this forum.

If anyone could offer me advice on this I would be thankful.

Problem

I want my download folder above the public_html directory.
For security reasons of course.

Possible solutions on how to achieve this, anybody?

Thanks

Jim
  • DoubleAgent
    Don't do it.

    1) You have to own full access to the server in order for this to even work.
    2) Allowing public access to folders above public_html will actually make the server MORE vulnerable.

    That would be a serious mistake, use another option, even if it means password protecting a folder, just make sure everything on the web is in public_html otherwise you'll be extremely vulnerable.
  • Dan Grossman
    2) There's nothing unsafe about putting his download folder above public_html. It is in no way accessible through the web server above the document root, so it's not publicly accessible. The only way people are going to be able to download from there is through a script in public_html or below that the files pass through. Meanwhile, putting the folder there prevents any direct access at all, so the files can't be stolen even if someone figures out the filenames.

    1) Not true, even through a basic FTP program, you have permission to your entire user directory, not just the web server document root and below. He can create folders at the same level or above public_html.
    Signature
    Improvely: Built to track, test and optimize your marketing.

    • Jim Burney
      Hi Guys

      Thank you for replying.

      I was probably not too clear with my request. Apologies for that.

      I have always been under the impression it was safer to have a downloads folder above the public folder.

      Creating a download folder there is not my problem.

      My problem is with the link required to access that folder (a download link)

      Cheers

      Jim
      • Dan Grossman
        Originally posted by Jim Burney:

        My problem is with the link required to access that folder (a download link)
        You can't link to anything there since it's not accessible to apache. You have to create a download script, which is a good place to do authentication that the person downloading is someone who has permission to do so. The script sends the appropriate headers (content-type, content-disposition, content-encoding) then outputs the contents of the file.

        I tried to give you a simple example script, but the forum keeps stripping out the variables... I guess PHP code isn't allowed here...

        • DoubleAgent
          Actually, I was more right than you give me credibility for, Dan. Depending on the script used, you could very well make your entire server accessible to the internet (you should know that). And, unless you're in a position to verify the security of the script (from injection attacks, etc.), and know about setting up proper permissions, script configurations, etc., you'd be better off being SAFE than going through the hassle of setting up another script (the fewer scripts on your server, the better).

          I was giving you the most secure (and easiest solution).

          You can link to any file in the folder via a simple http href link <a href="http://[path to file]">LINK</a>, so long as you give your clients the password, which most cpanel web hosts have a service for, otherwise .htaccess modification is needed.

          If you can't manage to give them a password, how were you going to manage to give them access to your hidden directory in the first place? That is my impression of your problem, so a password seems the best solution.

          This is the best solution. Putting folders into the public arena above your public_html folder is a bad move, no matter what anyone here thinks, this is also the easiest solution.
          • Dan Grossman
            Originally posted by DoubleAgent:

            This is the best solution. Putting folders into the public arena above your public_html folder is a bad move, no matter what anyone here thinks, this is also the easiest solution.
            Are we having a terminology problem?

            /home/joeblow/public_html/downloads is below public_html and directly accessible through an HTTP request

            /home/joeblow/downloads is above public_html and not directly accessible through an HTTP request

            • DoubleAgent
              Obviously the 3 of us posting here know the difference, since we've all used the terminology properly. Even in the post you quoted of me (read it again). I wasn't the one asking for help, so your uninforming comments are not needed here. Are you being scrappy because a REAL programmer decided to hang out in the forums for a while? Am I somehow stealing your sunshine from the few people here who think you have something to offer anyone? Besides selling your services? You don't see me selling anything!

              I know very well that the easiest (and most secure) option is a password protected directory BELOW the web root, not uploading a script (one that he himself cannot verify is fully secure, sorry if I'm wrong here) to help with public access to a folder ABOVE the web root. That is obvious to anyone, maybe except you. HAHA

              Obviously I'm not 100% sure if this solution is applicable to his situation, but it was just a suggestion.

              You run a web service company, Dan? Maybe you should help the OP instead of being so eristic.

              That's all I was saying, so what was it you were correcting me for, again?
  • Dan Grossman
    I'm not trying to sell anything here, just saying he can put the downloads folder above public_html without it being insecure... I tried to write the (secure) download script for him but the forum kept arbitrarily deleting variables from the [code] block so I had to delete it... don't know what your problem is.

    • rwil02
      Originally posted by Dan Grossman:

      I'm not trying to sell anything here, just saying he can put the downloads folder above public_html without it being insecure... I tried to write the (secure) download script for him but the forum kept arbitrarily deleting variables from the [code] block so I had to delete it... don't know what your problem is.

      Dan, I think you need the [ php ] block instead. Others have complained of it deleting the dollar sign.

      And I think DoubleAgent is really not listening.

      I use this basic procedure on my ASP.NET sites

      MainSite folder
      Downloads folder
      Blog folder

      the files go into Downloads, and cannot be reached except with an FTP program and my admin level FTP accounts

      In my main site folder I have a login protected section, which does IP recording, etc for validation (to prevent sharing) including a downloads page.
      The downloads page lists the files a user has access to using a "made up" url pointing to a folder that doesn't exist and the file name.

      Then I have a handler script for the made up folder that intercepts the requests, validates the user details and streams the file from the downloads folder to the user if allowed.

      The downloads cannot be reached without being logged in, and only those a person has rights to.
      Signature

      Roger Willcocks
      L-Space Design
      Please vote to help me win a 3kW solar array

      • zapseo
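      The download handler that Dan Grossman describes above (authenticate, send the download headers, then output the file) and the procedure rwil02 sketches (a made-up URL intercepted by a handler that validates the user and streams the file from the folder above public_html), written out as an added example. This is not code from the thread, the 7 Dollar Script or any poster's site, and it is in Python rather than PHP or ASP.NET so that the logic is self-contained. The account layout, the user names, the entitlement table and the sample file contents are all constructed for the example; on a real site the entitlements would come from the order or licence database and the user from the login session.

```python
import os
import mimetypes
import tempfile

# Assumed layout for this example (not from the thread):
#   <account>/public_html/   Apache document root, reachable over HTTP
#   <account>/downloads/     one level above it, never served directly
#
# A handler living in public_html takes an opaque file name from the
# request, checks that the logged-in user is entitled to it, resolves it
# inside the downloads folder and streams it back with download headers.

# Constructed entitlement table: which users may fetch which files.
ENTITLEMENTS = {
    "alice": {"ebook.pdf", "bonus.zip"},
    "bob": {"ebook.pdf"},
}

CHUNK = 64 * 1024


def resolve_download(base_dir, user, requested):
    """Map a requested name onto a file inside base_dir, or return None.

    base_dir   absolute path of the folder above public_html
    user       the authenticated username (None if not logged in)
    requested  the file name taken from the query string / URL
    """
    if user is None or not requested:
        return None
    # Only a bare file name is acceptable: slashes, backslashes, parent
    # references and NUL bytes all indicate a traversal attempt. This is the
    # "injection" risk DoubleAgent raises; it is decided before any disk I/O.
    if ("/" in requested or "\\" in requested or ".." in requested
            or "\x00" in requested):
        return None
    # Entitlement check also comes before touching the filesystem, so an
    # unauthorised user cannot probe which names exist.
    if requested not in ENTITLEMENTS.get(user, set()):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # Belt and braces: the resolved path must still sit inside base_dir
    # (guards against a symlink in the downloads folder pointing elsewhere).
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def download_response(base_dir, user, requested):
    """Return (status, headers, body_iterable) for a download request."""
    path = resolve_download(base_dir, user, requested)
    if path is None:
        # One answer for "not logged in", "not entitled" and "no such file",
        # so the response does not reveal which case applied.
        return "404 Not Found", [("Content-Type", "text/plain")], [b"Not found"]
    name = os.path.basename(path)
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    headers = [
        ("Content-Type", ctype),
        ("Content-Length", str(os.path.getsize(path))),
        ("Content-Disposition", 'attachment; filename="%s"' % name),
    ]

    def body():
        # Stream in chunks rather than reading the whole file into memory.
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    return
                yield chunk

    return "200 OK", headers, body()


def demo():
    """Build a throw-away account tree and exercise the handler."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    os.mkdir(os.path.join(root, "public_html"))
    with open(os.path.join(downloads, "ebook.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample")
    # A constructed secret one level above downloads, i.e. the kind of file a
    # traversal bug would expose.
    with open(os.path.join(root, ".my.cnf"), "w") as fh:
        fh.write("password=hunter2\n")
    results = {}
    for user, name in [("alice", "ebook.pdf"), ("bob", "bonus.zip"),
                       (None, "ebook.pdf"), ("alice", "../.my.cnf")]:
        status, _, body = download_response(downloads, user, name)
        results[(user, name)] = (status, b"".join(body))
    return results
```

      The same structure carries over to PHP (`header()` calls followed by `readfile()`) or an ASP.NET handler: the file name from the request is never joined to a path until it has passed the name check and the entitlement check, and the resolved path is confirmed to be inside the downloads folder before anything is read.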
        First -- as of the version of the 7 Dollar Script in existence about 6 mos ago, it stores the downloadable files "above" public_html.

        (I think things have gotten tangled up in terminology here...)

        The download folder is not "publicly accessible", but rather, the script is able to access the downloadable file from within the folder that lives "above" public_html and then can deliver it to the user after the software does appropriate verification/validation/whatever steps.

        Thus, there is no actual publicly accessible link -- no actual URL that someone could type in -- and get the downloadable file --

        It's more that the script operates as a delivery mechanism to deliver something not normally accessible via http.

        HTH.
        • rwil02
          Originally posted by zapseo:

          First -- as of the version of the 7 Dollar Script in existence about 6 mos ago, it stores the downloadable files "above" public_html.

          .....

          Thus, there is no actual publicly accessible link -- no actual URL that someone could type in -- and get the downloadable file --

          It's more that the script operates as a delivery mechanism to deliver something not normally accessible via http.

          HTH.
          Bing.

          Hi again Judy.

          That is it exactly.

          You don't open up external access to folders above public_html (that would be a security risk indeed),

          but you store files in a location that is not accessible directly, and use a script to retrieve them. That way the script can perform security checks, etc as desired.
