Posted under » Apache » LAMP Security on 20 August 2011
It is a security issue to let people browse a directory that has no index file in it: the listing exposes files and folders you do not want the public to see.
Directory browsing is usually enabled only for convenience during development. Normally it is not needed. The config that enables it looks like this.
Options Indexes FollowSymLinks MultiViews
It is safer to disable index listing with
Options -Indexes -FollowSymLinks
or
<Directory /www/abodkt/>
    Options FollowSymLinks
    AllowOverride Indexes
</Directory>
However, if there is no index page, the visitor gets a "page not found" page with the following as a footer.
Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at www.anoneh.com Port 80
You can turn that footer off with
ServerSignature Off
If you don't, this is in itself a security issue, because hackers can read your web server's software and versions straight off the error page. A more elegant way is to create custom error pages by adding ErrorDocument directives.
<Directory /www/abodkt/>
    Options FollowSymLinks
    AllowOverride Indexes
</Directory>
ErrorDocument 401 "Sorry, no go."
ErrorDocument 403 http://www.iras.gov.sg/
ErrorDocument 404 /errors/missing.html
A bit of explanation on common error codes:
Note: an ErrorDocument placed in a .htaccess file only takes effect when AllowOverride permits it (ErrorDocument needs FileInfo).
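A small audit script, added here as an example and not part of the original post, that reads an Apache config fragment and reports the three exposures this post covers: Indexes left enabled, ServerSignature not turned Off, and no ErrorDocument for 403 and 404. The two config fragments are constructed to mirror the before and after settings above (the /www/abodkt/ path is the post's own); the script tracks only <Directory> blocks in a single file and does not follow Include directives.

```python
import re

SAMPLE_CONF = """\
ServerSignature On
<Directory /www/abodkt/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride Indexes
</Directory>
"""  # constructed "before" fragment mirroring the post, not a real server's config

HARDENED_CONF = """\
ServerSignature Off
ErrorDocument 403 /errors/forbidden.html
ErrorDocument 404 /errors/missing.html
<Directory /www/abodkt/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""  # constructed "after" fragment: listing off, signature off, custom error pages

def audit_apache_conf(text):
    """Return (severity, message) findings for the text of one Apache config file."""
    findings = []
    context = "server config"   # current <Directory> path, or the main server scope
    signature_off = False       # last ServerSignature value seen
    error_docs = set()          # status codes that have an ErrorDocument
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        opened = re.match(r"<Directory\s+(.+?)>", line, re.I)
        if opened:
            context = opened.group(1).strip('"')
            continue
        if line.lower() == "</directory>":
            context = "server config"
            continue
        directive, *args = line.lower().split()
        if directive == "options":
            # "Indexes" or "+Indexes" turns listings on; only "-Indexes" turns them off.
            if any(o.lstrip("+-") == "indexes" and not o.startswith("-") for o in args):
                findings.append(("high", f"{context}: directory listing enabled (Indexes)"))
        elif directive == "serversignature":
            signature_off = bool(args) and args[0] == "off"
        elif directive == "errordocument" and args:
            error_docs.add(args[0])
    if not signature_off:
        findings.append(("medium", "ServerSignature not Off: error pages carry the version footer"))
    findings += [("low", f"no ErrorDocument for {c}: Apache's default page is served")
                 for c in ("403", "404") if c not in error_docs]
    return findings
```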