The simplest version of access control involves unconditionally denying access to certain files. Lighttpd has mod_access, which defines a url.access-deny directive that takes a list of patterns to look for. If one of these patterns matches, Lighttpd will return a 404 (File not Found) error instead of sending the file. Combined with our trustworthy selectors, we can deny access to certain files, to certain remote addresses, to certain browsers, to clients without a certain cookie, or to files not coming from a certain referrer:
# deny access to files with a "~" or ".bak" in the name
url.access-deny = ("~", ".bak")
By the way, the reason for sending a 404 error is to keep the attacker in the dark about whether a file he or she may not access exists at all.
# deny access to all files below a certain path
$HTTP["url"] =~ "/certain-path/" {
  url.access-deny = ("")
}

# deny access on all jpeg images to the Google bot
$HTTP["useragent"] =~ "Google" {
  url.access-deny = (".jpg")
}

# deny...
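Before deploying rules like these it pays to check which requests they actually catch. The following is an added example, not code from the page or from the Lighttpd project: a small Python model of how mod_access evaluates the configuration above, so the rules can be tested against constructed requests offline. It assumes the documented semantics of url.access-deny, namely that each entry is matched against the trailing end of the URL path (a suffix match, so the empty string "" matches every path) and that the =~ operator in a $HTTP[...] conditional is a regular-expression match. The Request and DenyRule classes and the sample requests are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Request:
    """Constructed request: URL path (without query string) and User-Agent header."""
    path: str
    useragent: str = ""


@dataclass(frozen=True)
class DenyRule:
    """One url.access-deny list, optionally wrapped in $HTTP["url"] / $HTTP["useragent"] conditionals."""
    suffixes: Sequence[str]
    url_re: Optional[str] = None        # $HTTP["url"] =~ "..." (None = no conditional)
    useragent_re: Optional[str] = None  # $HTTP["useragent"] =~ "..." (None = no conditional)

    def selected(self, req: Request) -> bool:
        # lighttpd's =~ is a regex match; a rule without a conditional applies to every request.
        if self.url_re is not None and not re.search(self.url_re, req.path):
            return False
        if self.useragent_re is not None and not re.search(self.useragent_re, req.useragent):
            return False
        return True

    def denies(self, req: Request) -> bool:
        # url.access-deny entries match trailing path names (suffixes), not arbitrary substrings.
        # The empty string is a suffix of every path, so ("") denies everything the selector picks.
        return self.selected(req) and any(req.path.endswith(s) for s in self.suffixes)


# The three rules from the configuration above, transcribed into the model.
RULES: Tuple[DenyRule, ...] = (
    DenyRule(suffixes=("~", ".bak")),
    DenyRule(suffixes=("",), url_re="/certain-path/"),
    DenyRule(suffixes=(".jpg",), useragent_re="Google"),
)


def access_decision(req: Request, rules: Sequence[DenyRule] = RULES) -> str:
    """Return 'deny' if any rule blocks the request, otherwise 'allow'."""
    return "deny" if any(rule.denies(req) for rule in rules) else "allow"


def evaluate(requests: Iterable[Request], rules: Sequence[DenyRule] = RULES) -> Dict[Tuple[str, str], str]:
    """Map each (path, useragent) pair to its access decision."""
    return {(r.path, r.useragent): access_decision(r, rules) for r in requests}


# Constructed sample traffic, including the edge cases worth knowing about:
# a "~" in the middle of the name is not a trailing match, and ".jpeg" is not ".jpg".
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1)"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
SAMPLE_REQUESTS = (
    Request("/index.html", FIREFOX),
    Request("/config.php.bak", FIREFOX),
    Request("/notes.txt~", FIREFOX),
    Request("/notes~.txt", FIREFOX),
    Request("/certain-path/public.html", FIREFOX),
    Request("/certain-path-other/x.html", FIREFOX),
    Request("/pics/cat.jpg", GOOGLEBOT),
    Request("/pics/cat.jpg", FIREFOX),
    Request("/pics/cat.jpeg", GOOGLEBOT),
)

if __name__ == "__main__":
    for (path, ua), decision in evaluate(SAMPLE_REQUESTS).items():
        print(f"{decision:5s} {path:32s} UA={ua}")
```

Running the block prints one decision per sample request; the two "allow" lines for /notes~.txt and /pics/cat.jpeg are the ones that tend to surprise people, because the deny list works on the end of the path rather than anywhere in the name.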