Block /__data directory from public?


(Tbaatar) #1

Hi,

I noticed a lot of Matrix builds exposing the /__data directory to the public. For example you can see this Edinburgh University website exposing everything in that directory.

From my test builds, it seems the new way of installing Matrix into /var/www/squiz_matrix causes this issue, whereas the old method of placing it inside /home/websites/squiz_matrix forbids the /__data directory.

Both Apache virtual host files are identical.

So the question is how would you go about blocking this directory in Apache?
I’ve tried a bunch of ways to block it without any success.

Thanks.


(David Schoen) #2

Matrix has served public files out of /__data since at least 3.10, you definitely don’t want to block it.


(Tbaatar) #3

Hi David,

Why does it expose it when Matrix is installed in the /var/www/ directory?
And is the Virtual Host the right place to block the /data directory for public access? I did try adding rules to deny but nothing gets picked up.

Any pointers?
And out of interest, why would you not block it?


(David Schoen) #4

Because that’s where Matrix is serving public files from.


(Tbaatar) #5

I understand this serves the public files but what I mean is I don’t want to list all available files.

For example, you can see that https://www.busabout.com/__data is forbidden but the individual assets within this folder are available to the public, and I don’t feel this is the right representation of how Apache should be set up:
http://www.sps.ed.ac.uk/__data


(Douglas (@finnatic at @waikato)) #6

Exposing as in listing the folder? Or providing public access? From looking at your examples, I’m thinking it’s the former?

It’s an Apache config AFAIK - c.f. https://httpd.apache.org/docs/2.4/mod/core.html#options where it discusses Indexes:

Indexes
If a URL which maps to a directory is requested and there is no DirectoryIndex (e.g., index.html) in that directory, then mod_autoindex will return a formatted listing of the directory.

We specifically have Directory blocks in our Apache config to prevent auto indexing. Not sure what the default Matrix config may or may not have - might be worth checking both the primary /config/httpd.conf as well as any virtual host files.


(Tbaatar) #7

Hi Douglas,

I’m trying to stop auto indexing of the entire top level directory to the public.

I had a play around with the virtual host before posting this topic but it doesn’t seem to do anything. Therefore the setting must be somewhere else.

Thanks.


(Tbaatar) #8

Managed to get it working by adding the following directory block in the virtual host.

<Directory /var/www>
  Options -Indexes
  AllowOverride All
  Order allow,deny
  Allow from all
</Directory>

Apart from getting this working, the documentation should make a note of this or include the non-indexing of the /__data directory by default, and I hope these exposed directories are not paying customers because it looks really amateurish.
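
Added example (not part of the original thread, and not Squiz Matrix or Apache project code): a simplified Python model of how Apache merges Options across plain <Directory> blocks, showing why the block in #8 turns listings off and how a -Indexes set on a shallower path is undone by a deeper block that sets Indexes again. The sample configs are constructed, and the starting value of FollowSymLinks assumes the Apache 2.4 default.

```python
import re
ALL = {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}

def effective_options(conf_text, target, default=("followsymlinks",)):
    """Options in effect for `target` after merging plain <Directory> blocks.
    Simplified model: sections apply shortest path first, ties in file order.
    Wildcards, <DirectoryMatch> and .htaccess overrides are not modelled.
    """
    target = target.rstrip("/") or "/"
    found, current = [], None
    for line in (l.strip() for l in conf_text.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1).rstrip("/") or "/"
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current and re.match(r"Options\s", line, re.I):
            depth = 0 if current == "/" else current.count("/")
            if current in ("/", target) or target.startswith(current + "/"):
                found.append((depth, line.split()[1:]))
    active = set(default)
    for _, tokens in sorted(found, key=lambda f: f[0]):  # stable: keeps file order
        signed = [t[0] in "+-" for t in tokens]
        if any(signed) and not all(signed):
            raise ValueError("mixing +/- with bare keywords is rejected by Apache 2.4")
        if not any(signed):
            active = set()  # bare keywords replace everything inherited
        for tok in tokens:
            name = tok.lstrip("+-").lower()
            names = ALL if name == "all" else set() if name == "none" else {name}
            active = active - names if tok[0] == "-" else active | names
    return active

# Constructed sample configs (not taken from the thread or from Matrix).
MAIN = """
<Directory />
    Options FollowSymLinks
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
"""
FIX = "<Directory /var/www>\n  Options -Indexes\n</Directory>\n"
TOO_SHALLOW = "<Directory />\n  Options -Indexes\n</Directory>\n"
DOCROOT = "/var/www/squiz_matrix"  # install path mentioned in the thread

if __name__ == "__main__":
    for label, conf in (("main only", MAIN), ("fix", MAIN + FIX), ("shallow", MAIN + TOO_SHALLOW)):
        print(label, "-> Indexes on:", "indexes" in effective_options(conf, DOCROOT))
```

Because the block in #8 also sets AllowOverride All, a .htaccess file under /var/www can turn Indexes back on; this model does not read .htaccess files.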


(David Schoen) #9

Sorry @tbaatar, I was confused between blocking and exposing the index and didn’t get back to this before a few days’ leave. I agree the public templates should not expose the index. We only use Openresty (basically nginx) internally now and that template is definitely not auto indexing under /__data.

I’ll put a ticket internally to look at those templates, it’s feasible autoindexing is enabled on some distros and not others - what OS are you running Matrix on? I think on another post you mentioned Ubuntu?


(Tbaatar) #10

Hi David,

No worries. I’m running a LAPP stack and this is just my own development server. It would be great to get an updated installation document with Nginx as opposed to Apache.

Thanks