You have Apache set up and serving your sites to perfection. Or so you thought.

A team member informs you she can navigate through the folder hierarchy of your Apache server. This could end in security issues you don't want to face.

The fix for this is quite easy and allows you to do it for individual sites or for your document root (i.e., the default location where your Apache sites are served from). There are two easy methods of achieving this; I'll show you both.

I assume you have Apache running and serving up sites. I also assume you have sites in standard and nonstandard locations. For the sake of this example, our server will have a document root of /var/www/ and our nonstandard sites will be served from /srv/www. My demo will be with Apache2 on Ubuntu Server 16.04.

Working with the Apache configuration file

Our document root is /var/www. Let's say (for testing purposes) we have the folders /var/www/html/test and /var/www/test/test1.

Before making these changes, if we point a browser to http://IP_OF_SERVER/test (IP_OF_SERVER is the IP address of the server), we'll see the test1 folder displayed (Figure A).

Figure A

Let's prevent this from happening. Open a terminal window and change into the /etc/apache2 directory. Open the file apache2.conf in your favorite text editor (you'll need admin rights to edit the file). Scroll down until you see the <Directory /> section (Figure B).

Figure B

We'll edit this section:

    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted

Switch off Indexes by removing the Indexes option. The new section will look like this:

    Options FollowSymLinks
    AllowOverride None
    Require all granted

Save and close that file. Restart the web server with this command:

sudo service apache2 restart

Point your browser back to the same directory, and you'll be presented with a 404 Not Found error.

Using htaccess

Let's look at a different method of handling this problem. This time around we'll use htaccess, so you can easily block a directory listing on any folder, in any defined virtual host on your server.

We'll configure a site served up from /srv/www. You will have already configured the .conf file for this site in /etc/apache2/sites-available (and linked it to /etc/apache2/sites-enabled). Open that .conf file in your favorite editor and in the Directory section change AllowOverride None to AllowOverride All. Save and close the file.

Now we must create a new .htaccess file in the target folder (in our case /srv/www). From your terminal window, issue the command sudo nano /srv/www/.htaccess. In this new file, add the line:

Options -Indexes

Save and close the file. Restart Apache with this command:

sudo service apache2 restart

Your nonstandard site will show a 403 Access Forbidden error when you try to view a sub-directory.
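
One way to check both methods in the configuration itself, as an added example that is not part of the original article: a shell function (the name audit_indexes is hypothetical) that reads one Apache config or .htaccess file and reports, for each <Directory> block and for Options lines outside any block, whether Indexes is on, off or inherited. The sample config is constructed, and the function does not follow Include lines, resolve inheritance between blocks, or handle paths containing spaces.

```shell
#!/bin/sh
# audit_indexes FILE: print "<state> <scope>" for each <Directory> block and
# for Options lines outside any block (as in a .htaccess file).
#   on = listings enabled, off = disabled, inherit = parent setting applies
audit_indexes() {
    awk '
    # Classify the current Options line: on, off, or empty if Indexes is untouched.
    function classify(   i, opt, res, absolute) {
        res = ""; absolute = 0
        for (i = 2; i <= NF; i++) {
            opt = tolower($i)
            if (opt !~ /^[+-]/) absolute = 1
            if (opt == "indexes" || opt == "+indexes" || opt == "all") res = "on"
            else if (opt == "-indexes" || opt == "none") res = "off"
        }
        # A list without +/- replaces inherited options, so omitting Indexes is off.
        if (res == "" && absolute) res = "off"
        return res
    }
    tolower($1) == "<directory" {
        dir = $2; sub(/>$/, "", dir); gsub(/"/, "", dir)
        state = "inherit"; inblock = 1; next
    }
    tolower($1) == "</directory>" { if (inblock) print state, dir; inblock = 0; next }
    tolower($1) == "options" {
        r = classify()
        if (r == "") next
        if (inblock) state = r; else filescope = r
    }
    END { if (filescope != "") print filescope, "(file scope)" }
    ' "$1"
}

# Constructed sample (not a real server config): a /var/www block before the
# edit, and a /srv/www block that leaves Options to .htaccess.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /srv/www/>
    AllowOverride All
</Directory>
EOF
audit_indexes "$sample"
rm -f "$sample"
```

Run it against /etc/apache2/apache2.conf, each file linked in /etc/apache2/sites-enabled and any .htaccess file, and review every scope reported as on.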

Done and done

Congratulations! Your Apache site no longer lists directories. This is a very simple step you can take to secure your Apache web server and prevent people from seeing directories and files they shouldn't see.