Im attempting to secure the mod_userdir module in apache..
Currently the directory structure for my users sites is
/home/{user}/domains/{domain}/public_html/site
The issue is, a number of my users store files that shouldnt be stored in the /domains/ directory (private files), but they do, and id rather work round it than make them move them.
Basically I have denied access to all directories in /{domain}/, except public_html, HOWEVER, files can still be viewed.
Here is my usermod.conf config.
<IfModule mod_userdir.c>
UserDir /home/*/domains
UserDir disabled root
<Directory /home/*/domains/*/*>
Order allow,deny
Deny from all
</Directory>
<FilesMatch /home/*/domains/*/*>
Order deny,allow
Deny from all
</FilesMatch>
<Directory /home/*/domains/*/public_html>
Order allow,deny
Allow from all
</Directory>
<Directory /home/*/domains>
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
You can see how I have tried to remove access to the files in /{domain}/ with , however this just isnt working.
Any help would be appreciated.
Maybe your problem is in the FilesMatch directive; FilesMatch uses regex to match directives, therefore, to obtain what you want, you should write:
I don't believe you can specify a path in any of the Files directives. And also it doesn't look like you really need the FilesMatch directive, as you aren't really using any complex pattern to require regex's. I usually put my Files directives inside the directory though to make it simple.
This seemed to work for me with a setup similar to yours. Under /var/www/domains there is 1/ 2/ and 3/ each with various html files. None are accessible now.