I've had this problem on a previous install and know it's a simple fix but I guess I'm running out of grey matter - so here's the issue.
I have ZM running more or less fine and can see the console at localhost/zm as expected - but from the outside world, logging in directly to the IP address without the /zm suffix, anyone can see the events, images or temp folders.
As I recall, last time I fixed it one of three ways:
1. Make a link directly to /zm
or
2. Changed the permissions for said folders.
or
3. Changed something in the apache.conf folder
Any suggestions as to what is the best way?
I really should take notes of these little tweaks for future reference
Tim
EDIT
Looks like I've recovered a few brain cells and created a temporary but not perfect fix by simply putting an index.html link in the /var/cache/zoneminder folder, i.e. the page root of Apache.
Now to figure a 'proper' fix
Apache and hiding events, images and temp folders.....
The best solution would be to customize the Apache2 configuration files.
The first step would be to remove the "Indexes" from the "Options" line.
That will not prevent the users who know how the folder structure looks from accessing the stuff.
Then you would want to restrict the person from getting access to, like, the .jpg files located in /events, and for that you can also modify the Apache configuration file by using something like:

<Directory /var/www/zm/events>
    <FilesMatch "\.jpg$">
        Order Deny,Allow
        Deny from all
    </FilesMatch>
</Directory>

Unfortunately, that would prevent EVERYONE from viewing the Stills of the events. So you'll have to add a PHP script that could give you those jpg files, but it should first check if you have permissions to view them first.
Of course you'll have to modify the ZoneMinder skins to use the new script too.
Alternatively, you could set up Apache2's authentication module to ask the user for a username/password if he wants to gain access to those folders.
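The changes suggested in the reply above (drop "Indexes", then put the media folders behind Apache's authentication module), written out as an added example that is not part of the original thread. It uses Apache 2.4 syntax; the /var/www/zm path comes from the reply's snippet, while the images and temp folder names, the realm name and the password file path are assumptions.

```apache
# Added example, not from the thread. Apache 2.4 syntax.
# Assumed: mod_auth_basic, mod_authn_file and mod_authz_user are loaded.
# Assumed paths: /var/www/zm/{events,images,temp} and /etc/apache2/zm.htpasswd.

# Before (weak): "Indexes" makes Apache generate a listing for any folder
# that has no index file, so visitors can browse the stored events.
# <Directory /var/www/zm>
#     Options Indexes FollowSymLinks
#     Require all granted
# </Directory>

# After: no generated listings anywhere under the ZoneMinder tree.
<Directory /var/www/zm>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Removing listings does not stop requests for a known or guessed file
# path, so the media folders also require a login. <Directory> sections
# apply to all subfolders as well.
<Directory /var/www/zm/events>
    AuthType Basic
    AuthName "ZoneMinder media"
    AuthUserFile /etc/apache2/zm.htpasswd
    Require valid-user
</Directory>

<Directory /var/www/zm/images>
    AuthType Basic
    AuthName "ZoneMinder media"
    AuthUserFile /etc/apache2/zm.htpasswd
    Require valid-user
</Directory>

<Directory /var/www/zm/temp>
    AuthType Basic
    AuthName "ZoneMinder media"
    AuthUserFile /etc/apache2/zm.htpasswd
    Require valid-user
</Directory>

# Basic auth sends the password base64-encoded, not encrypted:
# serve this site over HTTPS only.
```

The password file can be created with `htpasswd -c /etc/apache2/zm.htpasswd <user>`, and `apachectl configtest` checks the syntax before a reload.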
I use Apache2's authentication module and disable Indexing.
Along with that I install fail2ban and set it up for Apache.
Works pretty well.
You don't get the password right in 3 or 4 tries and you are multi-port banned for a few hours. Your server doesn't respond on any ports from the requesting IP address.