Apache is one of the most popular open-source web servers available, used by many websites globally. One of its features is the ability to list directories and their contents when there’s no index file present. This feature, while handy for some uses, can expose sensitive information about your website’s structure or content to the public. In this article, we will walk you through how to disable directory listing in Apache to enhance your website’s security.
What is Directory Listing?
Before we delve into disabling directory listing, it’s crucial to understand what it is. Directory listing is a feature that allows users to view the contents of a directory when there’s no index file (like index.html or index.php) present in that directory. When a user accesses such a directory, they see a list of the files and subdirectories contained therein.
While this can be useful in some instances, it can also be a security concern. If the feature is enabled, anyone can see your directories’ content and potentially access sensitive files or information. Therefore, disabling directory listing is an important step in hardening your Apache server’s security.
How to Disable Directory Listing
Here is a step-by-step guide to disabling directory listing in Apache:
Step 1: Access Apache Configuration File
To start, you need to access the Apache configuration file on your server. The location of this file depends on your server setup. The most common locations are ‘/etc/httpd/conf/httpd.conf’ for Red Hat/Fedora/CentOS distributions, and ‘/etc/apache2/apache2.conf’ for Debian/Ubuntu distributions.
You can use a command-line text editor such as nano or vim to open the configuration file:
sudo nano /etc/apache2/apache2.conf
Or for Red Hat based systems:
sudo nano /etc/httpd/conf/httpd.conf
Step 2: Modify Directory Configuration
Look for the <Directory> directive in the configuration file, which would look something like this:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
In the `Options` line, the ‘Indexes’ value allows the server to generate directory listings. To disable directory listings, you need to remove ‘Indexes’ or replace it with ‘-Indexes’.
The modified directive should look something like this:
<Directory /var/www/>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
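Or this. Apache 2.4 rejects an Options line that mixes values with and without a ‘+’ or ‘-’ prefix, so ‘FollowSymLinks’ takes a ‘+’ here:
<Directory /var/www/>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>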
Step 3: Save and Close the Configuration File
After you’ve made your changes, save the file and exit. If you’re using nano, you can do this by pressing CTRL+X, then Y, and then ENTER.
Step 4: Restart Apache Server
For the changes to take effect, you’ll need to restart your Apache server. You can do this with the following command:
- On Ubuntu/Debian:
sudo systemctl restart apache2
- On CentOS/Red Hat:
sudo systemctl restart httpd
Step 5: Test Your Changes
Now you should test your changes to ensure that directory listing has been successfully disabled. Navigate to a directory on your website that doesn’t have an index file. You should no longer see a list of files but an HTTP 403 Forbidden error, meaning access to the resource is denied.
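To complement the browser check, the following added example (not part of the original article) scans configuration text for Options lines that still enable listings, including ‘All’, which covers ‘Indexes’, and for lines that mix prefixed and unprefixed values, which Apache 2.4 rejects at startup. The function name, issue labels and sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/uploads>
    Options -Indexes FollowSymLinks
</Directory>
# Options Indexes (commented out, ignored)
<Directory /srv/files>
    options -Indexes +FollowSymLinks
</Directory>
<Directory /srv/legacy>
    Options All
</Directory>
"""

def audit_options(conf_text):
    """Return (line_no, context, issue) tuples for risky Options lines."""
    findings, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):            # closing tag: leave the section
            if stack:
                stack.pop()
            continue
        m = re.match(r"<(\w+)\s+(.*)>$", line)
        if m:                                # opening tag: enter the section
            stack.append(f"{m.group(1)} {m.group(2)}")
            continue
        parts = line.split()
        if parts[0].lower() != "options":    # directive names are case-insensitive
            continue
        opts, context = parts[1:], (stack[-1] if stack else "server config")
        signed = [o for o in opts if o[0] in "+-"]
        if signed and len(signed) != len(opts):
            findings.append((line_no, context, "mixed-syntax"))
        if any(o.lower() in ("indexes", "+indexes", "all", "+all") for o in opts):
            findings.append((line_no, context, "listing-enabled"))
    return findings

if __name__ == "__main__":
    for finding in audit_options(SAMPLE_CONF):
        print(finding)
```

The check reads one file's text only; it does not follow Include directives or .htaccess overrides, so each configuration file needs to be passed to it separately.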
Conclusion
Directory listing can be a useful feature, but it often poses more of a risk than a benefit. Disabling this feature on your Apache server can help protect sensitive files and information, reducing your website’s potential security vulnerabilities. Following the steps outlined in this article, you should be able to disable directory listing on your Apache server easily. Always remember to ensure your web server’s security settings are appropriately configured to fit your specific use case and needs.
9 Comments
It has worked, thanks. I’m so happy that I have been able to do this.
Thanks man, useful post for new Apache users.
Very helpful, useful for new Apache installation.
Thanks for the help.
I got it working by removing Indexes out of my httpd.conf file.
It may look something like this “Options Includes Indexes FollowSymLinks MultiViews” and just remove the word indexes and restart the apache service.
I am using XAMPP for Windows and it works the same since it is Apache config and not an OS config.
EG’s comment works for me. Removing the word ‘Indexes’
Thanks, working for me.
This isn’t working for me.
Thank you, working in Ubuntu server 16