LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   Apache2: Prevent Directory Listing (https://www.linuxquestions.org/questions/linux-software-2/apache2-prevent-directory-listing-424520/)

nick1 03-13-2006 05:15 PM

Apache2: Prevent Directory Listing
 
Greetings,

I am using Ubuntu 5.10 (Breezy Badger).
I would like to know how to prevent directory listings in Apache2 on Ubuntu.
For example, I am able to view the contents of a folder called "test" that I created inside /var/www. I don't want visitors to be able to view the contents of directories.

Thank you for your time,

Nick

gilead 03-13-2006 05:26 PM

Have a look in your httpd.conf file. There will be an Options directive in the Directory section that has the Indexes option set. If there are other options that you want to keep, just remove Indexes. For example, the following displays indexes (I've removed the other lines):
Code:

<Directory "/var/www/html">
  Options Indexes FollowSymLinks
  IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort NameWidth=*
</Directory>

The following does not:
Code:

<Directory "/var/www/html">
  Options FollowSymLinks
</Directory>

IIRC, If Indexes is turned on at a higher level, you can also turn it off for a single Directory entry with Options -Indexes

brian_lad 03-13-2006 05:27 PM

You might try placing the following in your httpd.conf file

<Directory /var/www/test>
Options -Indexes
</Directory>

Also I believe if you create an index.html file in the test directory this would also stop the viewing of the folder contents.

Brian

tomdkat 03-13-2006 05:38 PM

Quote:

Originally Posted by brian_lad
Also I believe if you create an index.html file in the test directory this would also stop the viewing of the folder contents.

Yep, that also works. That might even be simpler. :)

Have an index.html file with nothing in it except the most basic HTML:

Code:

<html><body></body></html>
Or you could have some fun with it:

Code:

<html><body><H1>GOTCHA!!!!!</h1><br><br><H2>You know you shouldn't try to view the raw images like this... Tisk, tisk tisk...</h2></body></html>
You could also include a redirect in the "head" section of the HTML file to redirect to a gallery page or something after a certain amount of time.

Peace...

spooon 03-13-2006 07:13 PM

Or you can make the directory not readable by the Apache user; then it will certainly not display a listing. This is probably the simplest option. I do this for all of my webspaces, whether or not I use an index page.

jiml8 03-13-2006 08:49 PM

I routinely put an index.html file in every directory. I do this because if I am hosted on someone else's server then I don't want to have to deal with how they may have configured their Apache, and on my own servers it makes it easier for me to tell directly when I do a directory listing - and it is one less thing I have to deal with when I move the site to another server.

My index.html file is always a redirect, taking the visitor to where I want them to start.

You also could put a DirectoryIndex directive into .htaccess

nick1 03-13-2006 11:32 PM

Thanks to everyone who replied.

I first started using Apache on Fedora Core 4 and was used to having all the config settings in httpd.conf. Now that I'm using Ubuntu 5.10 (Breezy Badger), I've noticed the Apache settings are handled a bit differently. There's an apache2.conf file, httpd.conf file, and ports.conf file.

In order to prevent listing the contents of /var/www/testdir (using the indexes method), I had to edit the httpd.conf file, as shown below:

Code:

# This is here for backwards compatability reasons and to support
#  installing 3rd party modules directly via apxs2, rather than
#  through the /etc/apache2/mods-{available,enabled} mechanism.
#
#LoadModule mod_placeholder /usr/lib/apache2/modules/mod_placeholder.so
#
<Directory "/var/www/testdir">
  Options -Indexes
</Directory>

That's the entire content of my httpd.conf. Isn't there supposed to be a lot more in this file?

Another option to prevent listing the contents of /var/www/testdir (using the indexes method), was to edit /etc/apache2/sites-available/default. Here are the contents of that file:

Code:

NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost
       
        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                # Commented out for Ubuntu
                #RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

I removed Indexes from:

Code:

<Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all

Even though it now does what I want it to, I'm very confused and wondering if I'm editing settings in the right place. Can someone please explain why things are quite different in Ubuntu compared to FC4? Why not just one file to edit, httpd.conf? I guess I'm just trying to understand Ubuntu's way of doing things.

Thanks a lot,

*Nick*

jiml8 03-14-2006 03:44 PM

You are using Apache2 in Ubuntu and, I presume, you were using Apache 1.3 in FC4.

Apache2 makes a lot of changes. I suggest you visit apache.org to learn about it.

tomdkat 03-14-2006 03:49 PM

Quote:

Originally Posted by jiml8
Apache2 makes a lot of changes. I suggest you visit apache.org to learn about it.

True, but not in this case. The Indexes option is the same. In fact, I use it on some sites and not on others hosted on an Apache 2 server I run.

Peace...

spooon 03-14-2006 04:55 PM

Quote:

Originally Posted by jiml8
I presume, you were using Apache 1.3 in FC4.

No, FC2/3/4 all come with Apache 2.

arpals 02-21-2014 05:40 PM

Apache2: Prevent Directory Listing
 
Quote:

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
# Commented out for Ubuntu
#RedirectMatch ^/$ /apache2-default/
</Directory>
My default page doesn't have the "Options Indexes" in it and it still allows directory browsing. I only have Options FollowSymLinks, nothing else. I've added -Indexes (restarted Apache2) but it still allows listing the directory. I've added a <Directory> entry for the specific directory also (/var/www/mydirectory) but still listing is allowed! I'm at my wits end, somebody have any ideas???? Thanks.


All times are GMT -5. The time now is 10:14 AM.