|
List Info
Thread: Disable directory browsing
|
|
| Disable directory browsing |

|
2007-09-26 11:27:44 |
I have been reading on http://httpd.apache.org/docs/2.2/mod/core.html#options and in a couple of tutorials on the net, but I cannot seem to get this to work as I want.

What I want is to disable _all_ directory browsing on my server. What I have tested is to add an "Options -Indexes" within the <Directory />-clause (and restarted Apache), but with no luck. Adding it in a <Directory /images> still doesn't disable it for the /images-directory. Only when I added a <Directory "/full/path/to/images"> I got it to work, but only for that particular directory.

How do you add a -Indexes that affects the *whole* site?
--
- Rikard - http://bos.hack.org/cv/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe httpd.apache.org
" from the digest: users-digest-unsubscribe httpd.apache.org
For additional commands, e-mail: users-help httpd.apache.org
|
|
| Re: Disable directory browsing |
  United States |
2007-09-26 11:44:22 |
Rikard:
Since the default setting is Options ALL - meaning it would include directory browsing by default - I would guess that you've inadvertently done something to remove that default. Is it possible there might be index files in those directories, which would thwart the process? What about this warning, might it apply?

    Warning
    Mixing Options with a + or - with those without is not valid syntax, and is likely to cause unexpected results.

I would suggest commenting out all the Options directives in httpd.conf temporarily, AND also make sure that there are no .htaccess files lurking about that might confound the process, and then test it again. With no Options directives at all, directory browsing should be enabled for every directory (without a directory index file, that is).
Mark
-------- Original Message --------
Subject: [users httpd] Disable directory browsing
From: Rikard Bosnjakovic <rikard.bosnjakovic gmail.com>
To: users httpd.apache.org
Date: Wednesday, September 26, 2007 09:27:44 AM
> I have been reading on
> http://httpd.apache.org/docs/2.2/mod/core.html#options and in a couple
> of tutorials on the net, but I cannot seem to get this to work as I
> want.
>
> What I want is to disable _all_ directory browsing on my server. What
> I have tested is to add an "Options -Indexes" within the <Directory
> />-clause (and restarted Apache), but with no luck. Adding it in a
> <Directory /images> still doesn't disable it for the /images-directory.
> Only when I added a <Directory "/full/path/to/images"> I got it to
> work, but only for that particular directory.
>
> How do you add a -Indexes that affects the *whole* site?
|
|
| Re: Disable directory browsing |

|
2007-09-26 14:06:34 |
On 9/26/07, Rikard Bosnjakovic <rikard.bosnjakovic gmail.com> wrote:
> I have been reading on
> http://httpd.apache.org/docs/2.2/mod/core.html#options and in a couple
> of tutorials on the net, but I cannot seem to get this to work as I
> want.
>
> What I want is to disable _all_ directory browsing on my server. What
> I have tested is to add an "Options -Indexes" within the <Directory
> />-clause (and restarted Apache), but with no luck. Adding it in a
> <Directory /images> still doesn't disable it for the /images-directory.
> Only when I added a <Directory "/full/path/to/images"> I got it to
> work, but only for that particular directory.
>
> How do you add a -Indexes that affects the *whole* site?
You can't, really. A quick work-around might be

    <Location />
        Options -Indexes
    </Location>

Or simply get rid of mod_autoindex from your loaded modules.

But the correct solution is to search through all your conf files and remove "Indexes" from every Options directive that you find.

The reason the single -Indexes doesn't work is because it will be overridden by other Options directives applying to more specific parts of the filesystem.
Joshua.
|
|
| Re: Disable directory browsing |

|
2007-09-27 00:55:21 |
On 26/09/2007, Joshua Slive <joshua slive.ca> wrote:
> But the correct solution is to search through all your conf files and
> remove "Indexes" from every Options directive that you find.

There is no Options Indexes anywhere in any of my config files, that's what's confusing me.

I probably want to keep mod_autoindex, in case I want to enable directory browsing for some particular directory (using .htaccess I guess), but unless otherwise stated, browsing should be off.
--
- Rikard - http://bos.hack.org/cv/
|
|
| Re: Disable directory browsing |

|
2007-09-27 08:09:43 |
On 9/27/07, Rikard Bosnjakovic <rikard.bosnjakovic gmail.com> wrote:
> On 26/09/2007, Joshua Slive <joshua slive.ca> wrote:
>
> > But the correct solution is to search through all your conf files and
> > remove "Indexes" from every Options directive that you find.
>
> There is no Options Indexes anywhere in any of my config files, that's
> what's confusing me.
>
> I probably want to keep mod_autoindex, in case I want to enable
> directory browsing for some particular directory (using .htaccess I
> guess), but unless otherwise stated, browsing should be off.

I should have also mentioned that you need to remove any "Options All", which includes Indexes. And you need to make sure that you are starting from the off state, so you'll also need a

    <Directory />
        # or perhaps FollowSymLinks for performance reasons
        Options None
    </Directory>
Joshua.
|
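The override behaviour described in the two replies above, as an added example that is not part of the original thread: a small model of how Options from enclosing <Directory> sections combine. The sample configuration and its paths are constructed, the default of Options All is the 2.2 one mentioned in the thread, and .htaccess files, <Location> and wildcard sections are left out.

```python
import re

# "All" covers every option except MultiViews; the default below is the 2.2 one.
ALL = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
       "Indexes", "SymLinksIfOwnerMatch"}

# Constructed sample configuration; paths are placeholders, not from the thread.
SAMPLE_CONF = """
<Directory />
    Options -Indexes
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/private">
    Options -Indexes
</Directory>
"""

def parse_directory_options(conf):
    """Return (directory, option tokens, line number) per Options line."""
    found, current = [], None
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            current = m.group(1)
        elif line.lower().startswith("</directory"):
            current = None
        elif current and re.match(r"Options\s", line, re.I):
            found.append((current, line.split()[1:], n))
    return found

def apply_options(in_force, tokens):
    """Tokens that all carry +/- merge; a bare list replaces what was in force."""
    signed = [t[0] in "+-" for t in tokens]
    if any(signed) and not all(signed):
        raise ValueError("mixing +/- options with bare ones is not valid")
    if all(signed):
        out = set(in_force)
        for t in tokens:
            (out.add if t[0] == "+" else out.discard)(t[1:])
        return out
    out = set()
    for t in tokens:
        out |= ALL if t == "All" else set() if t == "None" else {t}
    return out

def effective_options(conf, path, default=frozenset(ALL)):
    """Apply every enclosing <Directory> section, shortest path first."""
    hits = [s for s in parse_directory_options(conf)
            if path == s[0] or path.startswith(s[0].rstrip("/") + "/")]
    opts = set(default)
    for _dir, tokens, _line in sorted(hits, key=lambda s: len(s[0])):
        opts = apply_options(opts, tokens)
    return opts
```

With the sample above, effective_options(SAMPLE_CONF, "/var/www/html/images") still contains Indexes, because the bare Options list on the document root replaces the -Indexes set at /.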
|
| Re: Disable directory browsing |
  United States |
2007-09-27 12:26:53 |
Sorry I got the sense of things backwards earlier. Isn't there another more brute-force option, to simply place an empty index.htm file in every directory that shouldn't be browsed? Doesn't the presence of an index file disable browsing even when it's enabled in principle for that directory? The open source blog software I use in fact came pre-packaged that way, with index files placed in all the directories where browsing wasn't desirable.
Mark
-------- Original Message --------
Subject: Re: [users httpd] Disable directory browsing
From: Joshua Slive <joshua slive.ca>
To: users httpd.apache.org
Date: Thursday, September 27, 2007 06:09:43 AM
> On 9/27/07, Rikard Bosnjakovic <rikard.bosnjakovic gmail.com> wrote:
>> On 26/09/2007, Joshua Slive <joshua slive.ca> wrote:
>>
>>> But the correct solution is to search through all your conf files and
>>> remove "Indexes" from every Options directive that you find.
>>
>> There is no Options Indexes anywhere in any of my config files, that's
>> what's confusing me.
>>
>> I probably want to keep mod_autoindex, in case I want to enable
>> directory browsing for some particular directory (using .htaccess I
>> guess), but unless otherwise stated, browsing should be off.
>
> I should have also mentioned that you need to remove any "Options
> All", which includes Indexes. And you need to make sure that you are
> starting from the off state, so you'll also need a
>
>     <Directory />
>         # or perhaps FollowSymLinks for performance reasons
>         Options None
>     </Directory>
>
> Joshua.
|
|
| Re: Disable directory browsing |
  United States |
2007-09-27 12:37:41 |
Mark A. Craig wrote:
> Sorry I got the sense of things backwards earlier. Isn't there
> another more brute-force option, to simply place an empty index.htm
> file in every directory that shouldn't be browsed? Doesn't the
> presence of an index file disable browsing even when it's enabled in
> principle for that directory? The open source blog software I use
> in fact came pre-packaged that way, with index files placed in all
> the directories where browsing wasn't desirable.
>
> Mark
---------------- End original message. ---------------------

Sure, that will work. But it relies on the presence of that file and that is a potential security hole if somebody forgets to include it or deletes it thinking it is not needed.

Personally, I think fixing it in the configuration file is a better way to go.

Dragon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
| Re: Disable directory browsing |

|
2007-09-29 01:02:16 |
On 27/09/2007, Joshua Slive <joshua slive.ca> wrote:
> I should have also mentioned that you need to remove any "Options
> All", which includes Indexes.

There is no Options All either. I am using the out-of-the-box httpd.conf that came with Apache, but I will try the tip regarding using "Options None" and see if that helps.
--
- Rikard - http://bos.hack.org/cv/
|
|