Prevent that everyone can see /media Files

Using Django
1

Hey,

on my server if people are using the /media path they can see a list of the whole folder with every file. How can I block that the people are seeing that, like with a 404 page. But I cant disable it in general because I refer to that path with images and stuff on other pages. So in conclusion I need to disable /media path for users but not for the server itself.

Greetings and thanks for your help

2

This is most likely something being done by the web server and not by Django. How is your project deployed? Are you using Apache, nginx, or something else? How is your server configured to serve that directory?

3

Yes I’m using nginx this is my enabled-sites:

server {
     server_name 176.97.210.80 divusx.com www.divusx.com;

location /static/ {
	alias /var/www/divusx.com/static/;
}

location /media/ {
        autoindex on;
        alias /var/www/divusx.com/media/;
	include /etc/nginx/mime.types;
    }

location / {
	proxy_pass http://176.97.210.80:8000;
	}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/divusx.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/divusx.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot




}
 
server {
    if ($host = www.divusx.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = divusx.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


     listen 80;
     server_name 176.97.210.80 divusx.com www.divusx.com;
    return 404; # managed by Certbot




}
4

You have the directory listing explicitly enabled. See Module ngx_http_autoindex_module.

5

so I was looking around in StackOverflow and here is an answer which I found very useful
StackOverflow Entry

the only thing i didn’t understand is where he defined the “ProtectedDocument” as parameter when defining document like what is this from where do I get that. I cant comment there because I dont have enough reputation on StackOverflow but maybe you can explain it. I understand now that I can serve files via the URI in the nginx addon like here X-Accel | NGINX and in Django I just have to pass the file via the uri to nginx. But whats with this “ProtectedDocument”

6

I don’t follow SO, so references there don’t provide any information to me.

I thought your question was about the directory list, which is covered by the autoindex directive referenced in the doc link I presented.

7

oh, I didnt expect that its so easy. Thanks!