Last updated on September 21st, 2021 at 10:52 am
Apache directory listing is enabled, by default, allowing anyone to easily discover & access all the files & folders on a web server. This can cause security problems for your website. Here’s how to disable Apache directory listing for your web server so nobody can see your website’s folder structure.
How to Disable Directory Listing in Apache
Let’s look at how to disable directory browsing. Let’s say you have a website directory (e.g /files) in your Apache server (e.g /var/www/html/files) but don’t have an index.html file in it. When a user accesses this folder (e.g http://www.example.com/files), Apache will display all files & subfolders in /product, including parent folders. Here’s an example.
So any user can easily find out your website’s entire structure without any permission, by simply visiting http://www.example.com/files and exploit it to their advantage. Here’s how to disable Apache directory listing. There are 2 ways to disable listing the directory content in apache – using Virtual Hosts and .htaccess file. We will look at both these methods. After you hide website index in Apache, you may want to use a reporting software to monitor the key metrics about your website/application such as signups, traffic, sales, revenue, etc. using dashboards & charts, to ensure everything is working well and spot issues quickly.
How to disable Apache Directory Listing using Virtual Host
If you have setup a virtual host file (e.g /etc/apache2/sites-available/website.conf), then you can simply open it with a editor
$ sudo vim /etc/apache2/sites-available/website.conf
and add the following lines in it. Make sure you mention the correct path to your website directory in <Directory> tag.
<Directory /var/www/files> Options -Indexes </Directory>
In the above configuration, the Options – Indexes will disable Apache directory listing for folder /var/www/html/files. If you want to stop directory listing for a different folder, just change this folder path to something else. If you change the folder path to the website root (e.g /www/var/html) then it will disable directory listing globally for your entire website.
Bonus Read : How to Enable mod_ssl in Apache
How to disable Apache Directory Listing using .htaccess
Open Apache main configuration file
$ sudo vi /etc/apache2/apache2.conf #On Debian/Ubuntu systems $ sudo vi /etc/httpd/conf/httpd.conf #On RHEL/CentOS systems
Look for the section AllowOverride and set it to AllowOverride All
<Directory /var/www/html/> Options Indexes FollowSymLinks AllowOverride All </Directory>
Open your .htaccess file at /www/var/html/.htaccess. If it doesn’t exist, create a new blank file with filename .htaccess
Add the following lines in it. Make sure you mention the correct path to your website directory in <Directory> tag.
<Directory /var/www/files> Options -Indexes </Directory>
In the above configuration, the Options – Indexes will disable Apache directory listing for folder /var/www/html/files. If you want to stop directory listing for a different folder, just change this folder path to something else. If you change the folder path to the website root (e.g /www/var/html) then it will disable directory listing globally for for your entire website.
Bonus read: How to Configure Apache Cache in Ubuntu
Restart Apache Web Server
In both cases, restart Apache web server to apply changes.
-------- On SystemD based systems -------- $ sudo systemctl restart apache2 $ sudo systemctl restart httpd -------- On SysVInit based systems -------- $ sudo /etc/init.d/apache2 restart $ sudo /etc/init.d/httpd restart
Now, when you try accessing the folder via browser, you’ll get a “403:Access Forbidden” response. This way you can protect web directory in Apache.
By the way, if you want to create charts & dashboards to monitor your business or website, you can try Ubiq. We offer a 14-day free trial.
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.