<div dir="ltr"><div><div><div><div><br></div>One guess is that I think you can set permissions for your own applications based on their IP address, such that they can use that directory, while others cannot.<br><br></div>So in the directory settings you would have:<br><code><br>Order deny,allow<br>
Deny from all<br>
Allow from <var>xyz<br><br></var></code></div>Where xyz is the IP address, that you want to allow access from.<br><br></div>I'm not sure how this works in combination with the redirect you are trying to set - you would have to test to see which takes precedence.<br><br>But I think if implemented successfully the directory setting would protect the content of your directory, even if the name is not hidden.<br><div><div><div><br><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 28, 2016 at 11:46 AM, Bistrais, Bob <span dir="ltr"><<a href="mailto:Bob.Bistrais@maine.gov" target="_blank">Bob.Bistrais@maine.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal">My saga of securing a GeoMoose website continues. One of the issues reported in the latest security scan is that hidden directories were detected. These normally issue a 403 Forbidden response. The recommended practice is to issue a
404 Not Found response instead.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I found out how to do this through the Apache settings, and it’s pretty easy- in the http_d.cong file, add a line like this:<u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"MS Shell Dlg 2","sans-serif";color:black">RedirectMatch 404 "../(the_directory_name)"<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"MS Shell Dlg 2","sans-serif";color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"MS Shell Dlg 2","sans-serif";color:black">-That works for the majority of the hidden directories, but it falls apart with the cgi-bin directory. If I add a line in the conf file:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"MS Shell Dlg 2","sans-serif";color:black">RedirectMatch 404 "cgi-bin"<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"MS Shell Dlg 2","sans-serif";color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"MS Shell Dlg 2","sans-serif";color:black">-Then the application itself seems unable to access its own PHP files, or at least the errors occur when calling them.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"MS Shell Dlg 2","sans-serif";color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"MS Shell Dlg 2","sans-serif";color:black">This may be more a Mapserver or Apache question, but wonder if anyone here has any suggestions?</span><u></u><u></u></p>
</div>
</div>
<br>_______________________________________________<br>
Geomoose-users mailing list<br>
<a href="mailto:Geomoose-users@lists.osgeo.org">Geomoose-users@lists.osgeo.org</a><br>
<a href="http://lists.osgeo.org/mailman/listinfo/geomoose-users" rel="noreferrer" target="_blank">http://lists.osgeo.org/mailman/listinfo/geomoose-users</a><br></blockquote></div><br></div>