0

On my site, if you browse to http://example.com/images/ the contents of the entire directory are shown like so:

Need to prevent this from showing

How can I make it so that this doesn't happen?

Can I create an .htaccess file in that directory? Or is there a better way? I really want to block directory listing for the entire site (i.e. every directory on that site).

I figure it's either something that has to be done in Apache or using a global .htaccess file and placing it in the public_html folder, perhaps?

EDIT

I diverted this using an index.php file, but I still feel that security is an issue here. How can I fix this permanently?

TessellatingHeckler
SoLoGHoST
  • OMG, I'm a retard, just changed the permissions from 755 to 751. Is that secure? 751? Should I use something different instead? – SoLoGHoST Feb 26 '11 at 17:09

2 Answers

5

Depending on how your `<Directory>` directives are defined, you have a couple of options.

For that directory, `Options -Indexes` will turn that off. This can be done anywhere in the httpd.conf file to disable that sort of thing.

Also, in an .htaccess file in that specific directory you can place `IndexIgnore *`, which will still produce the list but hide all the contents. A bit hacky, but if you can't modify httpd.conf it can work in a pinch.

sysadmin1138
  • Where is the httpd.conf file located? I see a lot of files in my root like this: `.bash_logout`, `.bash_profile`, `.bashrc`, `.contactemail`, `.dns`, `.ftpquota`, `.lastlogin`, and `cpbackup-exclude.conf`. Do I just create the httpd.conf file? – SoLoGHoST Feb 26 '11 at 17:19
  • 1
    @Sologhost It varies by distro, but is frequently found in /etc/http, or /etc/apache. I sense a shared-hosting account, so you may not be able to edit it. – sysadmin1138 Feb 26 '11 at 18:03
  • Yeah, I believe I am on a shared hosting. So there is no way to do this I suppose. But I do see an `/etc/` folder. Just nothing in there but an `ftpquota` file. – SoLoGHoST Feb 26 '11 at 21:36
  • 2
    .htaccess is your best bet, then. Try an `Options -Indexes` first, then if that doesn't work, try IndexIgnore. – sysadmin1138 Feb 26 '11 at 22:11
3

You need to disable directory browsing. You can do that for the whole server by modifying httpd.conf, or you can do it in a directory of your choice by using a .htaccess file.

In both cases, look for the line that begins with Options and some other words; if it contains Indexes, change it to -Indexes; if it doesn't contain it, add it to the line.

If there is no Options directive, just add Options -Indexes, and that's all.

Massimo
  • OK, thanks. The httpd.conf file did NOT exist, so I created it and, on the first line added this: `Options -Indexes` and uploaded it to the public_html directory and TADA, it is working nicely I think. Cheers :) Is that all that should be added to the `httpd.conf` file? – SoLoGHoST Feb 26 '11 at 17:26
  • Actually, this doesn't work... arggg. – SoLoGHoST Feb 26 '11 at 17:31
  • httpd.conf is located in /etc (or /etc/httpd/, or something similar) and is Apache's global configuration file, it *must* exist or your web server would not be working at all. .htaccess needs instead to be created in the directory where you want to change settings. – Massimo Feb 26 '11 at 17:52
  • Well, I can see the /etc/ directory, but all that is in there is a file `ftpquota` – SoLoGHoST Feb 26 '11 at 17:58
  • Ok, well, I diverted this using an index.php file, but I still feel that security is an issue here, how can I fix this PERMANENTLY! – SoLoGHoST Feb 26 '11 at 21:34
  • Use a .htaccess file in your site's root. – Massimo Feb 27 '11 at 13:37
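The difference between the index.php workaround and a root `.htaccess` discussed in this thread can be checked on a copy of the document root. The following is an added example, not code from any of the posters: it walks a tree and reports which directories Apache would still auto-list. It assumes the host lets `.htaccess` set `Options`, that directory listing is on by default, and that `index.html` and `index.php` are the configured index files; it ignores `IndexIgnore` and anything set in httpd.conf.

```python
import os
import re
import tempfile

INDEX_FILES = ("index.html", "index.php")  # assumed DirectoryIndex names

def indexes_after(htaccess_text, inherited):
    """Apply the Options lines of one .htaccess to the inherited Indexes state."""
    state = inherited
    for line in htaccess_text.splitlines():
        m = re.match(r"\s*Options\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue
        tokens = m.group(1).split()
        # Options given without +/- replace the inherited set instead of merging.
        if not any(t[0] in "+-" for t in tokens):
            state = False
        for t in tokens:
            if t.lstrip("+-").lower() in ("indexes", "all"):
                state = not t.startswith("-")
    return state

def listable_dirs(docroot, server_default=True):
    """Return docroot-relative directories that would be auto-listed."""
    state, found = {}, []
    for path, _dirs, files in os.walk(docroot):  # top-down: parents come first
        inherited = state.get(os.path.dirname(path), server_default)
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess")) as fh:
                inherited = indexes_after(fh.read(), inherited)
        state[path] = inherited
        # A listing is generated only when no index file is present.
        if inherited and not any(f in files for f in INDEX_FILES):
            found.append(os.path.relpath(path, docroot))
    return sorted(found)

def demo():
    """Constructed tree: the index.php workaround, then a root .htaccess."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("images", "images/thumbs", "css"):
            os.makedirs(os.path.join(root, d))
        open(os.path.join(root, "index.html"), "w").close()
        open(os.path.join(root, "images", "index.php"), "w").close()
        before = listable_dirs(root)
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        return before, listable_dirs(root)

if __name__ == "__main__":
    print(demo())
```

In the constructed tree the index.php file covers only `images/`, while the single `Options -Indexes` line in the root `.htaccess` is inherited by every subdirectory.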