3

I have a folder in my root that i want no one to know of. Even if someone types in it correct i want to throw a 404 not found.

Would this be Possible to do with mod-rewrite perhaps?

I cant store it outside root right now, dont ask why

Thanks!

Cape
  • 31
  • 1
  • 2
  • 2
    Maybe a silly question: If you're never going to serve those files to a web browser, why not move them outside the web root? – grossvogel Jul 17 '10 at 20:52
  • I'm with grossvogel, I'm asking why. I can't think of any reason you could have to be unable to move a file out of the document root. – David Z Jul 17 '10 at 20:54
  • 1
    See [this question](http://stackoverflow.com/questions/214886/how-do-i-hide-directories-in-apache-specifically-source-control) – Gilles 'SO- stop being evil' Jul 17 '10 at 21:01
  • @Gilles: OK, true. What I meant (and should have written) was, I couldn't think of any reason to require a URL to produce a 404 error specifically (rather than 403 or something else) when you couldn't just move the file/directory out of the document root. Although after thinking about it a bit, I can see how someone might think it would be useful in certain cases. – David Z Jul 18 '10 at 03:31

4 Answers4

1

Is throwing a 403 out of the question? If you have shell access, you can chmod the directory so the web user cannot read or stat it.

Tristan
  • 916
  • 5
  • 10
  • At the very least, throwing a 404 is not the correct HTTP status. 204 No Content, a 301 Redirect, 401 Unauthorized by adding security, or a 403 Forbidden is fine. – Jordan Jul 17 '10 at 21:05
  • 4
    True, although RFC 2616 does say "This status code is commonly used when the server does not wish to reveal exactly why the request has been refused." It's sort of an implicit endorsement (or at least recognition) of the practice of using 404 to "pretend" that an existing file isn't there without revealing why. – David Z Jul 18 '10 at 03:35
0

Create a custom 404 page and then set mod_rewrite up to rewrite requests to the offending directory to the custom 404 file. Custom 404 pages are generally good practice anyway so you get two for the price of one by doing this.

hollsk
  • 3,124
  • 24
  • 34
0

I'd first suggest moving the file out of the web root, unless you have a really good reason not to (and I won't easily be convinced that you do).

If you're intent on not doing that, use Tristan's suggestion of a 403 error. Something like

<Files /path/to/docroot/nameoffile>
    Order allow,deny
    Deny from all
</Files>

If you're really intent on not doing that, you should be able to use an alias to redirect the URL to a nonexistent location:

Alias /nameoffile /path/that/doesnt/exist

The same could be done with mod_rewrite,

RewriteRule /nameoffile /path/that/doesnt/exist [L]

The rewrite is more computationally expensive, but it might be your only option if you don't have access to the main server configuration.

David Z
  • 128,184
  • 27
  • 255
  • 279
  • 1
    To make the `RewriteRule` case a little more efficient, you can avoid rewriting at all and do `RewriteRule ^/nameoffile - [R=404]` to immediately throw a 404 status on the match. It kind of bastardizes the semantics of the `R` flag, but `mod_rewrite` considers it entirely acceptable. – Tim Stone Jul 17 '10 at 23:52
-1

I did not try this, but I guess you could redirect to something that does not exist.

zvone
  • 18,045
  • 3
  • 49
  • 77