Basic security, how to prevent direct URL access to files in the Elgg sub directories?

Could someone please guide me with some basic security settings. I have installed a test website using version 2.3.13 on Apache2/php55, and it's working fine, but I don't understand why I can access all the files in my Elgg directories from the internet (even when not logged on).

For example: 




both return their contents.

Maybe it's a simple Apache2 config but It would be great if someone could point me in the right direction, and yes Restrict pages to logged-in users is set and default setting is Private.







  • some additions....


    <Directory /var/www/html/xxxxxxx/>
                    Options FollowSymLinks
                    AllowOverride All
                    Require all granted</Directory>



    # Don't allow listing directories
    Options -Indexes

    # Follow symbolic links
    Options +FollowSymLinks

    # Default handler
    DirectoryIndex index.php

    RewriteEngine on

    # explicity allow access for the .well-known directory
    RewriteRule "^.well-known/" - [L]

    # hide all dot files/dirs (.git)
    RewriteRule (^\.|/\.) - [F]






  • well I can use the following which does stop access to these extensions, but i'm still a little uneasy about anyone having access to directories like




    <FilesMatch "\.(rst|MD|txt)$"> #deny these from url access
     Require all denied



  • The only important point is that you don't set write permission for the files/folders of the install folder of Elgg and its subfolders. The only exception might be during the installation where it would be necessary temporarily to allow for the Elgg installer creating settings.php and .htaccess. Afterwards the write permission should no longer be necessary at all as the webserver would only have to read the files and read/access the folders but not write into them.

    The files you are so worried about are freely downloadable here from the site (within the zip archive) and everyone can view them also at the Elgg github repository. There's no secret in them so no harm in anyone seeing their content (which would still require knowing the full path).

  • Thanks iionly,

    I'm played around with the RewriteCond and this seems to have sorted it out. I will need to watch it for while to see if has any knock effect to other plugins. The first line covers my homepage where there are some direct links to jpg,css files etc etc, then everything else is forced through the Elgg route.


    RewriteCond %{REQUEST_URI} !^/mod/homepage_elgg/(.*)$
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} !-f
    #RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?__elgg_uri=$1 [L,QSA]