X-LiteSpeed-Location - Can only access public_html

#1
Hi everyone,

Hopefully this isn't some silly question. I've just been around the ropes and had to change a script to allow downloads via an X-LiteSpeed-Location header. The only problem I have is that I can't have the .zip files outside of the public_html directory.
I have the script set up so that if the file is <25 MB, it will be delivered via PHP; however, anything above that will send the X-LiteSpeed-Location header to access the file directly.
The PHP delivery method accesses the files outside of public_html no problem, but once it uses the direct access method I get a 404 File Not Found error.
There is no .htaccess file set up in the directory.

Can anyone enlighten me as to whether there may be a setting or something I can change, or where to look?

Otherwise my only option is to move them to a web-accessible location and somehow (I've no idea) not allow them to be downloaded by direct URL access?
Any suggestions? Thanks.

Mitch
 

mistwang

LiteSpeed Staff
#2
For security reasons, LiteSpeed does not serve files outside the document root.
However, you can use an Apache Alias or a LiteSpeed "Static" Context to assign a URL to that directory; then LiteSpeed will be able to serve files from that directory.
 
#3
Thanks for that response, mistwang.
I can certainly search for this, but another question that pops up is: if I assign a URL to that directory and other users put this into the URL bar, will they also be able to access it?
 
#5
Would you be able to give an example of protecting from direct access with LiteSpeed? I did the .htaccess 'deny from all' method, but that concluded in the same original error. I then allowed my server IP address in the .htaccess file, but that concluded in the same error.
I'm not going to tell anyone where the files are located, but that's not great web practice, because there are people out there who will actively search for a weakness such as this, and if it's found then I'm screwed :(

I find it strange, though, that PHP can still access the files through readfile() but the LiteSpeed header can't?
 

NiteWave

Administrator
#6
The document is here:
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:internal-redirect

I did test; they work.

Example, just for reference:
step 1:
/usr/local/lsws/DEFAULT/html/x-ls-loc/t.php
Code:
<?php
header('X-LiteSpeed-Location: /internal_path/a.tar');
exit;
?>
step 2:
create a context for /internal_path/ in Example vhost:
lsws web admin -> Virtual Hosts->Example->Context->Add
Type:Static
URI:/internal_path/
Location:/var/www/test/
Accessible:Yes

step 3:
put a.tar to /var/www/test/

step 4:
/var/www/test>cat .htaccess
RewriteEngine on
RewriteCond %{ORG_REQ_URI} ^/internal_path/
RewriteRule . - [R=403,F]

-- finish.

tests:
http://127.0.0.1/x-ls-loc/t.php
works --- prompts you to download a file named t.php (the content is a.tar)

http://127.0.0.1/internal_path/a.tar
access denied -- 403 Forbidden

Of course, in the above example /var/www/test/ is outside the document root, /usr/local/lsws/DEFAULT/html.
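As an added example (not code from the thread or from LiteSpeed), here is a download front-end that follows the setup above: files under 25 MB are streamed by PHP, larger ones are handed off with X-LiteSpeed-Location, and the requested name is validated before either path is taken. It assumes /var/www/test/ is mapped to /internal_path/ by a static context whose .htaccess denies direct requests via ORG_REQ_URI, and user_may_download() is a hypothetical stand-in for the site's own authorization check.

```php
<?php
// Added example: secure download hand-off for the X-LiteSpeed-Location setup.
session_start();

const FILES_DIR    = '/var/www/test';   // outside the document root
const INTERNAL_URI = '/internal_path';  // static context URI mapped to FILES_DIR
const PHP_LIMIT    = 25 * 1024 * 1024;  // below this size, PHP streams the file

// Hypothetical authorization hook: replace with the real login/purchase check.
function user_may_download(string $name): bool {
    return isset($_SESSION['user_id']);
}

// Map a requested name to a real file strictly inside FILES_DIR, or null.
function resolve_download(string $name): ?string {
    // Only plain file names: no slashes, no "..", no leading dot, no NUL bytes.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
        return null;
    }
    $base = realpath(FILES_DIR);
    $real = realpath(FILES_DIR . '/' . $name);
    // realpath() resolves symlinks, so also confirm the target stayed under FILES_DIR.
    if ($base === false || $real === false || !is_file($real)
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$name = $_GET['f'] ?? '';
$path = resolve_download($name);
if ($path === null) { http_response_code(404); exit('Not found'); }
if (!user_may_download($name)) { http_response_code(403); exit('Forbidden'); }

// Without Content-Disposition the browser names the download after the script (t.php).
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');

if (filesize($path) < PHP_LIMIT) {
    header('Content-Length: ' . filesize($path));
    readfile($path);  // small file: PHP reads it from outside the document root
} else {
    // Large file: LiteSpeed serves it via the internal URI. The browser never sees
    // /internal_path/, and the .htaccess rule on ORG_REQ_URI keeps direct requests at 403.
    header('X-LiteSpeed-Location: ' . INTERNAL_URI . '/' . $name);
}
exit;
```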
 
#7
Thanks for that, NiteWave; that's a great description. The only thing I'm having trouble with is adding a context.
I have access to LiteSpeed WebAdmin v4.2.4.
You mentioned using the Example vhost; I'm not sure what that is, so I logged into the WebAdmin and did the following:
Configuration -> Virtual Hosts -> Add, but it gives a lot of other options; I can't find a menu to add a context in WebAdmin as it says in the documentation?
Thanks for the help so far; at least I know we're getting somewhere.
 
#9
In the virtual host section in httpd.conf I've put:

Alias /dl /home/fakepath/downloads


Within the /home/fakepath/downloads directory .htaccess I've put:

RewriteEngine on
RewriteCond %{ORG_REQ_URI} ^/dl
RewriteRule . - [R=403,F]


Test:

http://www.airbrushtutor.com/dl/protutorials/airbrusheffects.zip
Gives a 403 - so this is good news.

http://www.airbrushtutor.com/dl
displays the directory contents?

However, the download script requesting path:
/dl/protutorial/airbrusheffects.zip
doesn't work; it's just frozen.
Also tried:
/home/fakepath/public_html/dl/protutorial/airbrusheffects.zip
No luck there either; just frozen.

That's a shame :( Doesn't look like it can be done.
 
#11
Hi mistwang, no, there never was a dl directory, just the alias.

The way I've gotten it to work is by putting the contents into a web root folder:
home/fakepath/public_html/ukei84l

I've then taken both of your advice with the .htaccess and put this in there:

Options -Indexes

RewriteEngine on
RewriteCond %{ORG_REQ_URI} ^/ukei84l
RewriteRule . - [R=403,F]


I've then added a blank .index.php page in there so the directory can't be viewed. Hopefully it's pretty safe? I'd prefer it to be out of the web directory, but after 2 days I can't really spend more time on it :(

Thanks for the help though; I appreciate both of you responding. It's a credit to LiteSpeed how helpful you've been. :)
 
#12
However the download script requesting path:
/dl/protutorial/airbrusheffects.zip
doesn't work.. it's just frozen.
It looks weird...
What are the owner, group and permissions of the destination directory (/home/fakepath/downloads)?
#ls -ald /home
#ls -ald /home/fakepath
#ls -ald /home/fakepath/downloads
 