Denying directory browsing

Just looking for a quick answer to a quick question-

I'm looking to prevent people form browsing my images folder but still be able to access those images elsewhere in my site with normal <img> tags etc...
I looked around a bit on the forum and found some stuff about just making a .htaccess file with

Options -Indexes

in it, so I did that, but it cuts off ALL access, even to other parts of my site, like my <img> tags.
Am I on the right track? What exactly does my .htaccess file need to look like? Right now it's JUST
Options -Indexes, but do I need some

<Directory /home/public_html/images/>
Options -options
</Directory>

too or something?

Thanks for any help you can offer

-Quasimodem

Just add a index.html into your images directory and that will come up instead of the directory listing.
terry

>> so I did that, but it cuts off ALL access

That's because Indexes is not allowed to be overridden.

Start here -> http://httpd.apache.org/docs/mod/co...l#allowoverride

Specifically, you need to have AllowOverride Indexes so your -Indexes in .htaccess can override the globally enabled Indexes.

question freebsd???
since i'm a novice at some of this why would you want to be changing/adding the httpd.conf file to accomodate the rather basic needs of of preventing the access to a default directory listing when just adding an index.html to that directory would prevent the listing of its contents? i've always added an index.html to my directories just for that reason???
just curious...
terry

i should note that my index.html for those directories include a redirect...
<html>
<head>
<meta http-equiv="REFRESH" content="01; url=back.to.homepage.html">
<title>Redirect</title>
</head>
<body>
</body>
</html>


[Edited by tlthomas on 03-13-2001 at 07:25 PM]

>> why would you want to be changing/adding the httpd.conf file

Simply because of speed, bandwidth and resource. Telling Apache to load index.html requires additional resource. Apache has the exact directive for that purpose, so why tell Apache to do unnecessary works? Right, your site might not get that many hits and the difference might not be significant but that's just the correct way to configure Apache.

>Simply because of speed, bandwidth and resource
i see your point there, but i'm hosting 6 domains and not everyone (70%) are barely capable of doing updates on their sites much less creating .htaccess files, is the AllowOverride Indexes something that should be implemented as a default (in your opinion) or is it to be used as a last resort??? or am i better off just continuing to tell them to put a blank index.html file in /images , etc directories???
trying to learn here... patience please!!!
terry

>> is the AllowOverride Indexes something that should be implemented as a default (in your opinion)

Yes.

>> or am i better off just continuing to tell them to put a blank index.html file in /images , etc directories???

No. Tell them to put Options -Indexes in their .htaccess and upload it to whatever dirs they don't want to be browsable and you are saving yourself some bandwidth and resource.

what i don't comprehend/understand is that my isp does not have that directive in their .conf file and they are hosting 1000's of sites???
why, (this is a bad question,) should i have to put up a tutorial to teach them (my domains)something that they don't want to learn????
i would love it if everyone was able to learn the basic capabilities of apache... but i can't go there...
?????
terry

Probably for security reasons.

Tell them to go -> http://httpd.apache.org/docs/mod/co...l#allowoverride

and tell them, AllowOverride Indexes is the least insecure one followed by FileInfo, Options, Limit and AuthConfig.

as far as I know, none of the above actually helps with the original question. There's no standard way to have JPG's usable on a webpage without having them accessible via:

http://www.yoursite.com/thepic.jpg

Three ways I can think to achieve what you want:

1) Do some jiggerypokery with the GD graphics library. You could keep all your JPG's in a private (totally protected using .htaccess or above the web root) directory, then generate an on-the-fly graphic from this stored one using the GD library.

2) Store all the images in binary in a mySQL database and retrieve them from there with PHP

3) Encrypt the JPG's in some way and make a decrypt PHP script.

4) Put the images in a .htaccess protected directory then use the HTTP Get within PHP to make a mini-robot/browser type thing that retrieves the image.

There are pretty much in order of sensible-ness. BUT there still seems little point in doing any of them, because although they will prevent URL access to the images, they don't stop a user right-clicking on the image on the webpage and saving it from there. And if you think you can get around this latter problem using snide javascript that detects right-clicks etc, don't bother - I've seen many and not a single one stops a user with a clue!

Anyway, at least that answers your direct question - but I'm not sure it's all that much use to you all the same!

My $0.02.

- Adam
adam@acdinternet.com
http://www.acdinternet.com