Author Topic: .htaccess not protecting my log files or files in temp directory  (Read 5882 times)

Offline unite07

  • Newbie
  • *
  • Posts: 1
.htaccess not protecting my log files or files in temp directory
« on: December 08, 2006, 06:14:48 PM »
Can anyone help me. I have installed roundcube in my document root and the app is working very well.

how ever the public is able to browse my directories. it seems if the files are php they are protected by the .htaccess file.
but my log files and temp files are completely public

What is the correct way to install round cube?

can anyone define a apache2 structure for roundcube that is secure?


also is there a way to disable inline images in the message. if they are bigger than my php memory limit roundcube blows up

Offline seansan

  • Jr. Member
  • **
  • Posts: 84
Re: .htaccess not protecting my log files or files in temp directory
« Reply #1 on: December 31, 2006, 05:05:33 AM »
I have the .htaccess file set-up in tmp and logs with the following code

Code: [Select]

Order allow,deny
Deny from all


furthermore you could maybe do something with mod_rewrite (http://attrition.org/attrition/how-anti-theft.html) against inline images (from outside)

Offline haralder

  • Newbie
  • *
  • Posts: 2
Re: .htaccess not protecting my log files or files in temp directory
« Reply #2 on: December 31, 2006, 10:47:48 AM »
This is working for me. Any corrections are welcome (I am mixing Directory and Location for historical reasons):

Code: [Select]
   <Directory /srv/www/roundcube>
        <FilesMatch &quot;(\.inc|\~)$|^_&quot;>
            Order allow,deny
            Deny from all
        </FilesMatch>
        Order deny,allow
        Allow from all
    </Directory>
    <Location /roundcube/temp>
        Order allow,deny
        Deny from all
    </Location>
    <Location /roundcube/logs>
        Order allow,deny
        Deny from all
    </Location>
    <Location /roundcube/config>
        Order allow,deny
        Deny from all
    </Location>

I think this (improved/generalized/etc.) should be added to the INSTALLATION document, as it is preferable to htaccess (http://httpd.apache.org/docs/2.0/howto/htaccess.html#when)