This article explains enabling or disabling the Apache directory listing on Ubuntu 24.04.
When directory listing is enabled, anyone can see the contents of a directory on the server. Disabling directory listing helps prevent users from quickly browsing directories on your server, which can deter potential attackers or intruders from finding exploitable files.
This can expose sensitive files, scripts, or application resources that should not be publicly visible, leading to security vulnerabilities.
Without a directory listing, users who navigate to a directory without an index file (like index.html or index.php) will get a 403 Forbidden error instead of a list of files.
Disable directory listing
Apache global configuration file is located at this path: /etc/apache2/apache2.conf.
You will find a section in this file dealing with directory listing. Directory listing is enabled by default.
Run the command below to open the global configuration file.
sudo nano /etc/apache2/apache2.conf
This block with the ‘Indexes‘ option enables directory listing in Apache’s default root directory (/var/www).
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Remove the ‘Indexe‘ from the Options line to disable the directory listing.
If you want to disable directory listing for all content in the /var/www/ default directory, change the block above to the one below.
<Directory /var/www/>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Save the exit the file.
Restart Apache to apply your changes.
Add the ‘Indexes‘ to re-enable the directory listing if you wish.
Disable directory listing selectively
If you do not want to change Apache’s global configuration file, you can selectively disable directory listing in individual website configuration files.
For example, here’s a basic configuration for a website that disables directory listing.
<VirtualHost *:80>
ServerName banking.example.com
ServerAdmin [email protected]
DocumentRoot /var/www/banking
<Directory /var/www/banking/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
This configuration only impacts the /var/www/banking/ website in Apache’s directory.
That should do it!
Conclusion:
- Enabling or disabling Apache directory listing is crucial for maintaining server security.
- Disabling directory listing prevents unauthorized access to files and sensitive information within directories.
- Users without an index file will encounter a 403 Forbidden error, enhancing security.
- Configurations can be made globally or selectively for individual websites, providing flexibility.
- Always restart Apache after making changes to ensure they take effect.
- Regularly review and update your server configurations to keep security measures current.
Leave a Reply