limit directory access in GWEB server

Hello all,

We are using the gweb server to run our analysis web site, and found a security concern. Our web system needs access to the cgi-bin directory and all its sub directories (20+) in order for the system to operate properly, but we have found this also allows any user to be able to do a directory listing and download any files in these directories. Because our system is not using the gweb server for access control, we cannot just deny all access to all these directories, as it prevents our system from accessing them as well. We have found a solution to this, but we are hoping to be able to tune it:

 

If we use the following commands in the access.cfg file, we can prevent the list command but allow the system to work properly:

<Directory cgi-bin/*>
AllowOverride all
<Limit GET>
Order deny,allow
deny from all
allow from 127.0.0.1
Satisfy all
</Limit>
</Directory>

 

However, the issue is this only prevents access to the cgi-bin directory and not the sub directories, so someone could still access, say, cgi-bin/system/

We cannot seem to find any syntax in the above command to apply the limits to all the sub folders, and we really don't want to have to create a section for each sub folder, for all of the obvious reasons, including managing new directories in the future, as it seems an easy way of inadvertently opening up security holes if someone forgets.

 

Any help in simplifying the configuration so that all sub directories are covered by default would be greatly appreciated. Please keep in mind that any solution must allow the localhost 127.0.0.1 address to have full access and prevent any other IP address from access.

 

As always, thank you in advance for any help!

0 Kudos
Message 1 of 6
(3,288 Views)
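
Added example, not part of the original thread and not National Instruments code: a Python audit that walks cgi-bin and reports every directory with no localhost-only section in access.cfg, so a newly created sub folder is caught rather than forgotten. It assumes, as the post above reports, that each `<Directory path/*>` section protects only that one directory; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

DIRECTORY_RE = re.compile(r"^<Directory\s+([^>]+?)\s*>$", re.IGNORECASE)
SECTION = """<Directory {path}/*>
AllowOverride all
<Limit GET>
Order deny,allow
deny from all
allow from 127.0.0.1
Satisfy all
</Limit>
</Directory>
"""
# Constructed sample: the poster's section plus one hand-added subdirectory.
SAMPLE_CFG = SECTION.format(path="cgi-bin") + SECTION.format(path="cgi-bin/system")

def covered_directories(cfg_text):
    """Paths whose <Directory> section denies all and allows only 127.0.0.1."""
    covered, current, body = set(), None, []
    for line in (raw.strip() for raw in cfg_text.splitlines()):
        match = DIRECTORY_RE.match(line)
        if match:
            # Assumption: "cgi-bin/*" names exactly the directory cgi-bin.
            current, body = match.group(1).rstrip("/*"), []
        elif line.lower() == "</directory>" and current is not None:
            if {"deny from all", "allow from 127.0.0.1"} <= set(body):
                covered.add(current)
            current = None
        elif current is not None:
            body.append(line.lower())
    return covered

def uncovered_dirs(web_root, cfg_text, top="cgi-bin"):
    """Every directory under web_root/top that has no restricting section."""
    covered = covered_directories(cfg_text)
    found = []
    for dirpath, _dirs, _files in os.walk(os.path.join(web_root, top)):
        rel = os.path.relpath(dirpath, web_root).replace(os.sep, "/")
        if rel not in covered:
            found.append(rel)
    return sorted(found)

def demo():
    """Build a constructed directory tree and audit SAMPLE_CFG against it."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("system", "reports/daily"):
            os.makedirs(os.path.join(root, "cgi-bin", *sub.split("/")))
        return uncovered_dirs(root, SAMPLE_CFG)

if __name__ == "__main__":
    print(demo())
```

Run against the real web root and access.cfg, any path the audit returns is a directory that remote clients can still list or download from under the configuration described above.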

Hello NPI_Chris,

 

I saw no one had posted a reply to your question- hopefully this will start some activity. I don't have a quick answer so I will need to do some research and get back to you!

Regards,
Claire Reid
National Instruments
0 Kudos
Message 2 of 6
(3,255 Views)
NPI_Chris, What version of LabVIEW are you using for this application?
Regards,
Claire Reid
National Instruments
0 Kudos
Message 3 of 6
(3,252 Views)
We are using LV 8.6.1
0 Kudos
Message 4 of 6
(3,241 Views)

Hi Chris,

 

Please check this link.

Regards,
Claire Reid
National Instruments
0 Kudos
Message 5 of 6
(3,234 Views)
Claire, thank you for the reference, but for several different reasons, that solution won't work for us. What we need to do is allow localhost access to the Get command while denying everyone else, and the localhost doesn't have a user name or password.
0 Kudos
Message 6 of 6
(3,226 Views)