Security

If your Files Gallery installation is public, you should consider security, especially if you have multiple users or file manager capabilities enabled.

File manager

If you have multiple users with file manager capabilities, make sure that PHP files within your root dir cannot be executed. If untrusted users can create and execute PHP files, they can easily take over your website or even the entire server. You can apply one or more of the following measures:

  • Set up your Apache or Nginx to execute PHP only for the main /index.php file.
  • Or block requests to *.php files within the root dir at the Apache or Nginx level.
  • Consider using a service like Cloudflare.com to block all *.php requests.
  • Use the config option upload_allowed_file_types to allow only certain file types to be uploaded.
  • Assign read-only permissions to files and dirs that should not be writable.

Users and logins

If you have a login or multiple users, you should consider the following:

  • Use strong passwords that nobody can guess.
  • If you are the only user, you can hide the login button; see the Javascript config.
  • Use a free service like Cloudflare.com to block bots or to limit access by IP, country or user-agent.
  • Make sure you are using SSL so that data is encrypted in transit.

allow_settings enabled

The allow_settings option should only be assigned to trusted users, since this setting allows creating new users and changing critical settings like the root option. If you have trusted users with this option enabled but still don't want to allow them to change all settings, you can create a file _filesconfig.php with certain pre-configured and locked config options.

How do I block direct access to my files?

Although Files Gallery can block access to the application itself, it can't control direct access to your files, which may otherwise be public. If you want to block access to your files unless the user is logged in, you will need to do one of the following:

  1. Assign the root dir somewhere outside of your server's document_root, so that files are not directly accessible. In this case, Files Gallery will proxy the files, but only if the user is logged in.
  2. Or block access to files in your root dir directly in Apache or Nginx. In this case, files are no longer directly accessible, and you will need to enable the load_files_proxy_php option to make sure Files Gallery proxies the files only for logged-in users.
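An added example (not from the Files Gallery docs) covering both the file manager advice above (execute PHP only for /index.php and block every other *.php) and option 2 here (block direct access to the root dir and let load_files_proxy_php serve files). It assumes the hostname gallery.example.com, the document root /var/www/gallery, the PHP-FPM socket /run/php/php-fpm.sock, and a Files Gallery root option pointing at the files subdirectory:

```nginx
# Added example, not part of the Files Gallery docs. Assumed values:
# host gallery.example.com, document root /var/www/gallery,
# PHP-FPM socket /run/php/php-fpm.sock, Files Gallery root = "files".
server {
    listen 443 ssl;
    server_name gallery.example.com;
    root /var/www/gallery;
    index index.php;
    # ssl_certificate / ssl_certificate_key directives go here

    # 1. The only PHP file ever handed to PHP-FPM. An exact-match location (=)
    #    takes precedence over every regex location below.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # 2. Any other PHP-like file, uploaded or not, is refused instead of run.
    #    No other location uses fastcgi_pass, so even an extension missed here
    #    would only be served as static bytes, never executed.
    location ~* \.(php|phtml|phar)$ {
        return 403;
    }

    # 3. Direct requests into the gallery root dir are denied. With
    #    load_files_proxy_php enabled, index.php reads the files from disk and
    #    returns them only after its own login check. ^~ stops regex matching,
    #    so this prefix also covers .php files placed inside the root dir.
    location ^~ /files/ {
        deny all;
    }

    # Everything else under the document root is served as static content.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

To check the result, request a harmless test .php file you placed in the root dir and an image under /files/ directly: both should return 403, while the same image still loads through the gallery when you are logged in.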

Cloudflare

Personally, I use Cloudflare.com to add a layer of security on top of my server. It lets you:

  • Block bad bots, or even trigger a challenge to make sure all your visitors are human.
  • Limit access to login URLs by IP, user-agent or country.
  • Limit access by email address (one-time code).
  • Hide the server's IP address.
  • Use basic CDN capabilities.