Geek Rewind

Disable Apache Directory Listing on Ubuntu 24.04

Richard

ยท

The article discusses how to enable or disable Apache directory listing on Ubuntu 24.04. It explains that disabling this feature enhances security by preventing unauthorized access to sensitive files, resulting in a 403 Forbidden error for users without an index file. Configurations can be applied globally or selectively, with changes requiring a restart of Apache.

This article explains enabling or disabling the Apache directory listing on Ubuntu 24.04.

When directory listing is enabled, anyone can see the contents of a directory on the server. Disabling directory listing helps prevent users from quickly browsing directories on your server, which can deter potential attackers or intruders from finding exploitable files.

This can expose sensitive files, scripts, or application resources that should not be publicly visible, leading to security vulnerabilities.

Without a directory listing, users who navigate to a directory without an index file (like index.html or index.php) will get a 403 Forbidden error instead of a list of files.

Disable directory listing

Apache global configuration file is located at this path: /etc/apache2/apache2.conf.

You will find a section in this file dealing with directory listing. Directory listing is enabled by default.

Run the command below to open the global configuration file.

sudo nano /etc/apache2/apache2.conf

This block with the ‘Indexes‘ option enables directory listing in Apache’s default root directory (/var/www).

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

Remove the ‘Indexe‘ from the Options line to disable the directory listing.

If you want to disable directory listing for all content in the /var/www/ default directory, change the block above to the one below.

<Directory /var/www/>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

Save the exit the file.

Restart Apache to apply your changes.

Add the ‘Indexes‘ to re-enable the directory listing if you wish.

Disable directory listing selectively

If you do not want to change Apache’s global configuration file, you can selectively disable directory listing in individual website configuration files.

For example, here’s a basic configuration for a website that disables directory listing.

<VirtualHost *:80>
  ServerName banking.example.com
  ServerAdmin [email protected]
  DocumentRoot /var/www/banking
    
  <Directory /var/www/banking/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>

       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

This configuration only impacts the /var/www/banking/ website in Apache’s directory.

That should do it!

Conclusion:

  • Enabling or disabling Apache directory listing is crucial for maintaining server security.
  • Disabling directory listing prevents unauthorized access to files and sensitive information within directories.
  • Users without an index file will encounter a 403 Forbidden error, enhancing security.
  • Configurations can be made globally or selectively for individual websites, providing flexibility.
  • Always restart Apache after making changes to ensure they take effect.
  • Regularly review and update your server configurations to keep security measures current.
,

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *