Secure apache folders?

[zeveck]

How do I make it so that apache will not surve up a given folder to a web user?

Say there are files in that folder that I want the user to be able to download. Any pointers on how to make it so that user can download them via a PHP script?

[adaptr]

Plenty. Google for "apache download php scripts" and you'll be reading the rest of the year...

You need to think about what it is you want - there are at least 3 different concepts and/or questions in your post.
The first one can already be achieved in 3 different ways (or more).
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

[zeveck]

[Monkeh]

[zeveck]

Not quite what I meant. I mean, then the user could still just do /uploads/foo.txt if they guessed the file name, right?

[Monkeh]

Yes. The only other way I can think of is passworded folders, or perhaps strict referer blocking. However, you could always just go with hard to guess file names. Try.. uploads/f0O.txt for example.

[pdr]

Make the directory outside of your documentroot.

[adaptr]

And they will be able to download files.. how, exactly ?
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

[pdr]

Uh.. I thought the whole point here is to make it so people can't download files? Or is this a case of "I want to secure some of the files in a directory"? If so - move them into a different directory, serve one directory, don't serve the other directory.

[zeveck]

Doesn't work. I want to serve all files in a directory, but only to specific users. It is a problem if other users could get at the files just by guessing the URL. The question is how to secure the directory and still somehow make the files available.

(nice avatar)

[xces]

Have you read the howto Authentication, Authorization and Access Control in the Apache manual?