How to disable directory listing for specific directories in Apache?

n00b_noob · 11-17-2020, 10:41 AM

Hello,
I'm using CentOS 8 x86_64 and my server hosting a WordPress website. I scanned my WordPress website with a security scanner and it found some vulnerabilities about directory listing. Some lines of my Virtual Host file are:

Code:

<Directory "/var/www/WP">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>

Some of my WordPress directories are browsable and when I open the URLs, then the content of the directories displayed:

Code:

https://example.net/wp-content/plugins/email-subscribers/
https://example.net/wp-content/plugins/contact-form-7/

How can I disable the directory indexing for those directories? I added below lines to my Virtual Host config file, but not worked:

Code:

<Directory /var/www/WP/wp-content/plugins/email-subscribers>
      Options -Indexes
</Directory>
<Directory /var/www/WP/wp-content/plugins/contact-form-7>
      Options -Indexes
</Directory>

I also did:

Code:

<Directory "/var/www/WP">
Options -Indexes +FollowSymLinks
AllowOverride all
Require all granted
</Directory>

But not matter. How can I solve it?

Thank you.

TenTenths · 11-17-2020, 10:56 AM

Create an empty index.php file in each folder, that's by far the easiest way.

scasey · 11-17-2020, 11:06 AM

Quote:

Originally Posted by TenTenths

Create an empty index.php file in each folder, that's by far the easiest way.

Or even an empty index.html.
Personally, I turn off Indexes server-wide...I’ve yet to find a good reason to allow them...YMMV

TenTenths · 11-17-2020, 11:18 AM

Quote:

Originally Posted by scasey

Or even an empty index.html.

As the OP says they are running WordPress it's a fair assumption that index.php is configured as an index file.
While extremely unlikely, it is possible that index.html / index.htm isn't implemented / disabled

(Yes, I'm being pedantic to justify my answer

)

scasey · 11-17-2020, 11:49 AM

Quote:

Originally Posted by TenTenths

As the OP says they are running WordPress it's a fair assumption that index.php is configured as an index file.
While extremely unlikely, it is possible that index.html / index.htm isn't implemented / disabled

(Yes, I'm being pedantic to justify my answer

)

No worries 😉

n00b_noob · 11-17-2020, 12:35 PM

No other solution?

TenTenths · 11-17-2020, 12:40 PM

Sure, go messing around in your config file and disable it on an individual folder basis. Feel free to make life difficult for yourself by not going with a simple tried and tested solution.

Let us know how you get on.

boughtonp · 11-17-2020, 01:55 PM

The more secure method is to disable it for all directories, and then enable it only on the specific ones you need it for (if any).

That way, you can't forget to create an index file for some obscure location that shouldn't be browsable.

scasey · 11-17-2020, 03:42 PM

You are restarting Apache every time you make a change, aren’t you? Don’t see a reason your config doesn’t work otherwise. Do you get any syntax errors?
Are you using symlinks to those directories? If so, see the fine print in the documentation for the Directory directive.

You’ve been given a couple of the best solutions.

n00b_noob · 11-18-2020, 12:40 AM

Quote:

Originally Posted by boughtonp

The more secure method is to disable it for all directories, and then enable it only on the specific ones you need it for (if any).

That way, you can't forget to create an index file for some obscure location that shouldn't be browsable.

Disable it for all directories, and then enable it only on the specific ones? How?

n00b_noob · 11-18-2020, 12:41 AM

Quote:

Originally Posted by scasey

You are restarting Apache every time you make a change, aren’t you? Don’t see a reason your config doesn’t work otherwise. Do you get any syntax errors?
Are you using symlinks to those directories? If so, see the fine print in the documentation for the Directory directive.

You’ve been given a couple of the best solutions.

I restarted Apache service and it is OK.
Are below lines wrong?

Code:

<Directory /var/www/WP/wp-content/plugins/email-subscribers>
      Options -Indexes
</Directory>
<Directory /var/www/WP/wp-content/plugins/contact-form-7>
      Options -Indexes
</Directory>

Can it because of SELinux?

ondoho · 11-18-2020, 01:48 AM

I shudder to think that user's like this one are allowed to put their servers on the interwebz...

Seriously, a misconfigured server open to any clients is actively endangering all of the internet.

boughtonp · 11-18-2020, 06:38 AM

Quote:

Originally Posted by n00b_noob

Disable it for all directories, and then enable it only on the specific ones? How?

The Directory and Options directives are both well documented, so just read them:
https://httpd.apache.org/docs/current/mod/core.html#directory
https://httpd.apache.org/docs/current/mod/core.html#options

Changing Apache config requires a restart to take effect.

Using apachectl can check the config files for syntax errors before restarting.

scasey · 11-18-2020, 09:09 AM

n00b_noob...RTFM

n00b_noob · 11-19-2020, 04:15 AM

Quote:

Originally Posted by boughtonp

The Directory and Options directives are both well documented, so just read them:
https://httpd.apache.org/docs/current/mod/core.html#directory
https://httpd.apache.org/docs/current/mod/core.html#options

Changing Apache config requires a restart to take effect.

Using apachectl can check the config files for syntax errors before restarting.

Thank you so much.
As I see in the link:

Code:

Context:	server config, virtual host, directory, .htaccess

And I added below lines to my Virtual Host file and restarted httpd service:

Code:

<Directory /var/www/WP/wp-content/plugins/email-subscribers>
      Options -Indexes
</Directory>
<Directory /var/www/WP/wp-content/plugins/contact-form-7>
      Options -Indexes
</Directory>

And:

Code:

$ sudo apachectl configtest
Syntax OK

Then why directory listing for that URLs are enable?