I would like to have any directory auto-indexing by Apache not display a link to the parent directory. In my current setup, I have only enabled access to all subdirectories, thereby implicitly denying access to the one parent directory of each of those subdirectories. Unfortunately, the auto-indexing is still displaying a link to the parent directory even though clicking on that link results in a 403 response.
IndexIgnore ..
You can read more on the Auto-Index options on Apache Docs.
Related
I took over a website which I'm supposed to admin and somebody brought to my attention that certain Indexes and Files are available, which shouldn't be. I will be using dummy names.
You were able to access example.com/intern before, but I changed a line in /etc/apache2/apache2.conf according to this https://stackoverflow.com/a/31445273 . This worked partly, as I get a 403-Forbidden when I now navigate to example.com/intern and that's basically what I want.
However the directory intern governs a file called file.php.bak aswell as file.php. When I navigate to example.com/intern/file.php I get a white website. I am however not sure, if you are able to access file.php in another way, because the site does load and I don't get a 403 like before. What is way worse and the reason I am struggling with this is: If I go to example.com/intern/file.php.bak then my Browser (Firefox) offers me to download file.php.bak, which I can read in plaintext. I want all files in intern to not be accessible via the website, but I have no idea how to do this. Can anybody help?
Things I've tried:
Removing the Indexes from the apache2.conf file like mentioned above. It only puts the 403 on the directory itself and not recursively for all the files in it.
Writing a .htaccess file as described here: https://fedingo.com/how-to-prevent-direct-file-download-in-apache-server/ and putting it in intern with the same result as in 1)
Putting an empty index.html file in the intern directory. This leads to no more 403 in example.com/intern, but the download on example.com/intern/file.php.bak is still possible. I've also tried index.php with the same result.
File System:
The application runs from /var/www/application which is also the folder for the /var/www/application/index.php I want to use. The /var/www/application/intern directory is also there. While it isn't browsable anymore, the files in it still are accessible. /var/www/application/intern/file.php can be navigated to via example.com/intern/file.php, but it seems like it can't be downloaded or read as it results in a white page. /var/www/application/intern/file.php.bak can however be downloaded via example.com/intern/file.php.bak.
Let's say Apache document root is set to DocumentRoot "/folder_one/folder_two"
Placing files in a folder_one will prevent people browsing your apache server and requesting the files directly.
Place index file in folder_two and include some code such as PHP to tell apache to include whatever files you want from folder_one.
In this manor Apache will still be able to serve whatever files you want from folder_one and people will not be able to request the files directly as the are located in a directory above the Apache document root.
Is it possible to configure Apache to disallow websurfers to access particular folders and seeing a directory listing but allow browsers to retrieve files from those folders. Let's say you have some images in a folder, you might want to allow users to see specific ones but not to view the contents of the entire folder. The user can only see the ones known to exist on the server in a particular folder.
Yes it is indeed possible using any of these directives:
Options -Indexes
OR
IndexIgnore *
Is there a way to stop people from accessing directories where all my members file's are stored.
For example, I have mysite.com/members/$mem_id and in there that particular members files are stored, such as images. Is there a way to stop all of these been accessed directly from the URL bar, without placing index.php in every folder, possibly with .htaccess?
Also, once the folders have being blocked, the site itself still needs to access the files in them to display round the site.
To disable directory listing you can use .htaccess and adding this line
Options -Indexes
How do I customize the list that web server does in absence of index.* file in the web root or its child directory, if we do not put any index files in the web root directory and the directory has the read permission?
you can set the page to show for a directory url with the index directive, it doesn't need to point to something called index.*, might just as well be whatever.html. See http://nginx.org/en/docs/http/ngx_http_index_module.html#index for details
or you can set autoindex on to give a generated file/directory listing, you can use the autoindex_exact_size and autoindex_localtime to further customize that listing. See http://nginx.org/en/docs/http/ngx_http_autoindex_module.html for details
3th option, if your nginx is compiled with it, is the random_index, see http://nginx.org/en/docs/http/ngx_http_random_index_module.html for details.
NOTE: to find out if your nginx is compiled with the needed --with-http_random_index_module option use the command nginx -V
Well, it depends on what webserver you are using.
In case of Apache, direcory indexes handled by a module called mod_autoindex.
When you want to customize the directory listing, then you have to know that Apache need three 'view' files:
The Header — by default automatically generated by Apache The
Directory Listing — necessarily generated by Apache
The Footer — referred to as the “Readme” file
The Header and Footer parts are basically written in plain HTML. The directory listing is generated by Apache but you can apply CSS on it..
The whole thing is a rather long story, so what I can suggest is a well written article with the details about this 'directory listing customisation':
Better Default Directory Views with .htaccess
I want to stop people from viewing the contents of my images directory. I've built an app using Codeigniter and notice that they just have index.html pages with a 403 Forbidden message in all directories - is this a secure method to use? Is an index.html page in the directory sufficient or do I need to update config or .htaccess?
The .htaccess solution should work if you're comfortable using it.
Options -Indexes
If you are on a shared host with cPanel, you can change your settings in Index Manager
Cpanel - Index Manager
The index.html should be enough and secure, but it is not really a clean solution, because it is not actually returning a error message, it is probably still returning HTTP 200 and then showing the html page with error 403.
The clean solution would be adding
Options -Indexes
to the .htaccess file.
In general you need more than just an index.html, depending on you server configuration you can still get a directory listing. None of the files in the directory will be protected either.
Your best bet is to do al of the above, update the server config to limit access and also set policy via .htaccess if that is appropriate. Finally, if you don't want it to be served it really should not be part of the directory structure being published by the server.