Securing AjaXplorer directories on Lighttpd
AjaXplorer is a handy explorer-like file sharing application, especially useful when you cannot use FTP, SCP or WebDav, for example in a low-cost hosting environment.
Some nice features:
- configuration of multiple repositories;
- many types of repositories: local filesystem, ftp, ssh, ...
- rich user interface;
- embedded media player;
- multi-language;
- authentication plugins, useful for integration with CMSes;
- and many more.
Installation on Apache is straightforward, because the package comes with all the necessary .htaccess files that protect subfolders from unauthorized access. However, I needed to install AjaXplorer on Lighttpd, but documentation and support forums don't offer much help on this, so I needed to figure out a solution.
A security problem
Without any additional configuration, AjaXplorer subfolders would be publicly browsable when installed on Lighttpd (and anything that does not support .htaccess). This is not exactly the security level we would like to have on our file repository!
Lighttpd has many configuration options and folder protection is easily supported via the url.access-deny directive:
$HTTP["url"] =~ "^(/files/.*|/plugins/.*|/server/.*|/tests/.*)" {
    url.access-deny = ( "" )
}
In this example we are protecting the four folders that reside under a default AjaXplorer installation.
The "files" directory is the default pre-configured repository: you're free to remove it, change it, or move it somewhere else. Whatever you do, modify the above directive to reflect the change. For example, if you rename it "my-files" but keep it under the public folder, you should modify the configuration to:
$HTTP["url"] =~ "^(/my-files/.*|/plugins/.*|/server/.*|/tests/.*)" {
    url.access-deny = ( "" )
}
That was easy, wasn't it?
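An added example, not part of the original post or of AjaXplorer: a small Python check that reads the deny block from a lighttpd configuration and reports which private directories it does not cover, such as "my-files" after a rename that was never reflected in the directive. The function names and the sample configuration text are constructed for illustration, and Python's re module is assumed to behave like lighttpd's PCRE matching for these simple patterns.

```python
import re

# A conditional of the form used above:
#   $HTTP["url"] =~ "<regex>" { ... url.access-deny = ( "" ) ... }
BLOCK = re.compile(r'\$HTTP\["url"\]\s*=~\s*"((?:[^"\\]|\\.)*)"\s*\{([^}]*)\}')
DENY_ALL = re.compile(r'url\.access-deny\s*=\s*\(\s*""\s*\)')

def deny_patterns(conf_text):
    """Compile the regex of every url conditional that denies all requests."""
    return [re.compile(rx) for rx, body in BLOCK.findall(conf_text)
            if DENY_ALL.search(body)]

def is_denied(patterns, url_path):
    """True if any deny conditional matches the URL path (=~ is a search)."""
    return any(p.search(url_path) for p in patterns)

def uncovered(conf_text, private_dirs):
    """Return the private directories whose index or contents stay reachable."""
    pats = deny_patterns(conf_text)
    probes = ("/{}/", "/{}/sub/probe.txt")  # directory index and a nested file
    return [d for d in private_dirs
            if not all(is_denied(pats, p.format(d)) for p in probes)]

# Constructed sample: the directive from this page, before the rename.
SAMPLE_CONF = r'''
$HTTP["url"] =~ "^(/files/.*|/plugins/.*|/server/.*|/tests/.*)" {
    url.access-deny = ( "" )
}
'''

if __name__ == "__main__":
    # The repository was renamed to "my-files" but the directive was not updated.
    for d in uncovered(SAMPLE_CONF, ["my-files", "plugins", "server", "tests"]):
        print("NOT PROTECTED: /%s/" % d)
```

The check only reads the configuration text. The url.access-deny directive itself takes effect only when mod_access is loaded in server.modules.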
- dimitri's blog

