X-LiteSpeed-Location - Can only access public_html

Discussion in 'Install/Configuration' started by airbrushtutor, May 21, 2014.

  1. airbrushtutor

    airbrushtutor New Member

    Hi everyone,

hopefully this isn't some silly question - I've just been around the ropes and had to change a script to allow downloads via an X-LiteSpeed-Location header. The only problem I have is that I can't have the .zip files outside of the public_html directory.
    I have the script set up so that if the file is <25mb, it will be delivered via PHP - however anything above that and it'll send the X-LiteSpeed-Location header to access the file directly.
    The PHP delivery method accesses the files outside of public_html no problem, but once it uses the direct access method I get a 404 file not found error.
    There is no .htaccess file set up in the directory.

Can anyone enlighten me as to whether there may be a setting or something I can change, or where to look?

Otherwise my only option is to move them to a web accessible location and somehow (I've no idea how) not allow them to be downloaded by direct URL access?
    Any suggestions?? Thanks..

    Mitch
  2. mistwang

    mistwang LiteSpeed Staff

For security reasons, LiteSpeed does not serve files outside the document root.
    However, you can use an Apache Alias or a LiteSpeed "Static" Context to assign a URL to that directory; then LiteSpeed will be able to serve files from that directory.
  3. airbrushtutor

    airbrushtutor New Member

    Thanks for that response mistwang -
I can certainly search for this, but another question that pops up is - if I assign a URL to that directory and other users put this into the URL bar, will they also be able to access it?
    Last edited: May 21, 2014
  4. mistwang

    mistwang LiteSpeed Staff

    do not tell anyone about it.
    and there are ways to protect from direct access.
  5. airbrushtutor

    airbrushtutor New Member

Would you be able to give an example of protecting from direct access with LiteSpeed? I did the .htaccess 'deny from all' method, but that concluded in the same original error. I then allowed my server IP address in the .htaccess file, but that concluded in the same error.
    I'm not going to tell anyone where the files are located, but that's not great web practice because there are people out there who will actively search for a weakness such as this - and if it's found then I'm screwed :(

    I find it strange though, that PHP can still access the files through readfile() but the litespeed header can't?
  6. NiteWave

    NiteWave Administrator

    the document is here:
    http://www.litespeedtech.com/support/wiki/doku.php?id=litespeed:wiki:feature:internal_redirect

I did test; they work.

    example just for reference:
    step 1:
    /usr/local/lsws/DEFAULT/html/x-ls-loc/t.php
    Code:
    <?php
    header('X-LiteSpeed-Location: /internal_path/a.tar');
    exit;
    ?>
    step 2:
    create a context for /internal_path/ in Example vhost:
    lsws web admin -> Virtual Hosts->Example->Context->Add
    Type:Static
    URI:/internal_path/
    Location:/var/www/test/
    Accessible:Yes

    step 3:
    put a.tar to /var/www/test/

    step 4:
    /var/www/test>cat .htaccess
    RewriteEngine on
    RewriteCond %{ORG_REQ_URI} ^/internal_path/
    RewriteRule . - [R=403,F]

    -- finish.

    tests:
    http://127.0.0.1/x-ls-loc/t.php
    works --- prompt you to download a file named t.php (the content is a.tar)

    http://127.0.0.1/internal_path/a.tar
    access deny -- 403 Forbidden

    of course in above example, /var/www/test/ is out of document root - /usr/local/lsws/DEFAULT/html
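As an added example (not code from the thread or from LiteSpeed), here is a download handler that ties the pieces of the setup above together: the script validates the requested file name so it cannot escape the storage directory, and then either streams small files through PHP or hands larger ones to LiteSpeed with X-LiteSpeed-Location, as the original poster's script does. It assumes the storage directory /var/www/test/ is mapped to /internal_path/ by the Static context or Alias, that the .htaccess there returns 403 for direct requests, and that is_authorized() is a placeholder for your own access check.

```php
<?php
// Added example: download handler for the X-LiteSpeed-Location setup in this thread.
// Assumptions: STORAGE_DIR is outside the document root and mapped to INTERNAL_URI
// by a Static context / Alias; its .htaccess blocks direct hits via %{ORG_REQ_URI}.
define('STORAGE_DIR',   '/var/www/test');       // filesystem path (assumed)
define('INTERNAL_URI',  '/internal_path');      // URI mapped to STORAGE_DIR (assumed)
define('PHP_MAX_BYTES', 25 * 1024 * 1024);      // below this, stream via PHP

// Placeholder for your real check (logged-in user, paid order, ...).
function is_authorized() {
    return isset($_SESSION['user_id']);
}

// Resolve a requested name to a real file inside STORAGE_DIR, or null if it
// is not a plain file name, does not exist, or (via "..", symlink) escapes.
function resolve_download($requested) {
    if ($requested === '' || basename($requested) !== $requested) {
        return null;                                  // rejects "../x", "a/b", NUL
    }
    $base = realpath(STORAGE_DIR);
    $real = realpath(STORAGE_DIR . '/' . $requested);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // realpath() resolves symlinks, so a link pointing outside is also rejected.
    return (strpos($real, $base . '/') === 0) ? $real : null;
}

session_start();
if (!is_authorized()) {
    http_response_code(403);
    exit;
}
$path = resolve_download(isset($_GET['file']) ? $_GET['file'] : '');
if ($path === null) {
    http_response_code(404);                          // do not reveal why
    exit;
}
$name = basename($path);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');

if (filesize($path) < PHP_MAX_BYTES) {
    header('Content-Length: ' . filesize($path));
    readfile($path);                                  // small file: PHP streams it
} else {
    // Large file: LiteSpeed serves it from the context; the client only sees this script's URL.
    header('X-LiteSpeed-Location: ' . INTERNAL_URI . '/' . rawurlencode($name));
}
exit;
```

Whether the script's Content-Disposition header survives the internal redirect depends on the LiteSpeed version (the test in the post above shows the download being named after the script), so check the response with curl -I before relying on it.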
  7. airbrushtutor

    airbrushtutor New Member

Thanks for that NiteWave - that's a great description - the only thing I'm having trouble with is adding a context.
    I have access to LiteSpeed webadmin v4.2.4 -
    You have mentioned to use the Example vhost - I'm not sure what that is, so I logged into the webadmin and did the following:
    configuration->virtual hosts->add - but it gives a lot of other options - I can't find a menu to add a context in webadmin as it says in the documentation?
    Thanks for the help so far, at least I know we're getting somewhere..
  8. NiteWave

    NiteWave Administrator

    the context is for litespeed's native vhost --- created in lsws web admin.
    it's same as apache's alias
    http://httpd.apache.org/docs/2.2/mod/mod_alias.html#alias

    so in httpd.conf's virtual host configuration, just add
    Alias /internal_path/ /var/www/test/
    (or
    Alias /internal_path /var/www/test )
  9. airbrushtutor

    airbrushtutor New Member

In the virtual host section in httpd.conf I've put:

    Alias /dl /home/fakepath/downloads


    Within the /home/fakepath/downloads directory .htaccess I've put:

    RewriteEngine on
    RewriteCond %{ORG_REQ_URI} ^/dl
    RewriteRule . - [R=403,F]


    Test:

    http://www.airbrushtutor.com/dl/protutorials/airbrusheffects.zip
    Gives a 403 - so this is good news.

    http://www.airbrushtutor.com/dl
    displays the directory contents???

    However the download script requesting path:
    /dl/protutorial/airbrusheffects.zip
    doesn't work.. it's just frozen.
    Also tried:
    /home/fakepath/public_html/dl/protutorial/airbrusheffects.zip
    No luck there either, just frozen.

    That's a shame :( doesn't look like it can be done.
  10. mistwang

    mistwang LiteSpeed Staff

    you need to remove the "dl" directory after you added the "Alias", if there is one.
    can be added to .htaccess under /home/fakepath/downloads
  11. airbrushtutor

    airbrushtutor New Member

    Hi mistwang - no there never was a dl directory.. just the alias.

The way I've gotten it to work is by putting the contents into a web root folder -
    home/fakepath/public_html/ukei84l

    I've then taken both of your advice with the .htaccess and put this in there:

    Options -Indexes

    RewriteEngine on
    RewriteCond %{ORG_REQ_URI} ^/ukei84l
    RewriteRule . - [R=403,F]


I've then added a blank index.php page in there so the directory can't be viewed. Hopefully it's pretty safe?? I'd prefer it to be out of the web directory, but after 2 days.. can't really spend more time on it :(

Thanks for the help though, I appreciate both of you responding; it's a credit to LiteSpeed how helpful you've been. :)
  12. NiteWave

    NiteWave Administrator

    it looks weird ...
    what's the destination directory (/home/fakepath/downloads)'s owner/group/permission ?
    #ls -ald /home
    #ls -ald /home/fakepath
    #ls -ald /home/fakepath/downloads
