Using Whitelisting to control file access in Apache Webserver

Fuseki has started his career as software developer, but quickly switched over to network administration. After 7 years as network engineer, incl. one year in a management position, he entered a new team, working as penetration tester and security consultant. In addition to this, malware analysis and digital forensics are becoming more and more part of Fusekis daily work.

Fuseki has studied Information Technology as well as Software Technology and holds a diploma in each of these.

The aim

You want to control which files on your webserver can be accessed by whom, but you don’t want to use blacklisting. You want to say, i.e., external users can access files whose names end with .php, .jpg and .png. All other files must not be accessible, no matter which name they have.

You can use LocationMatch and FilesMatch to control access to files. In this example, we will use FilesMatch, because we care about files which are stored on the filesystem. But the same approach also applies to files, which are generated when requested.

The problem

When apache finds a FilesMatch entry in its configuration which matches the requested filename, the corresponding rules are applied. There is no problem with that as long as you do not try to create a catch-all rule Continue reading “Using Whitelisting to control file access in Apache Webserver”