Apache is a cornerstone of most web applications. This mature open source web server is critical to running your hosted websites and software. It supports most operating systems, including Windows and Linux, so it should work well on your Ubuntu 16.04 distribution.
However, because Apache sits at the edge of your network, it can become a target. The majority of web application attacks begin with information leakage. Malicious attackers can use directory listing to gain a better insight into your web application's directory and file structure.
For instance, an attacker can request a URL like http://example.com/config from any browser. If directory browsing is not disabled, your Apache server will list all the files in that directory, which speeds up the attacker's reconnaissance.
One of the most practical steps in securing your Apache web server is to disable directory browsing. This stops Apache from listing a directory's files when that directory has no default index file (e.g. index.html).
- A VPS account running Ubuntu 16.04. Sign up with Digital Ocean today and get $100 free to test VPS hosting.
- A non-root username with sudo privileges
- An Apache web server. See the instructions for installing Apache.
Step 1: Open the Apache Base Configuration File for Editing Using nano Text Editor
If you are running a single site, editing the Apache base configuration file may be a good option. It eliminates the need to create separate configuration files and symbolic links, which can be time consuming for a single website.
To edit the base Apache configuration file with nano, type the command below.
sudo nano /etc/apache2/apache2.conf
- Once the nano text editor opens, find the <Directory> directives; you will see text similar to the excerpt below.
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
In Apache, options pertaining to a particular directory are enclosed between paired <Directory> and </Directory> tags inside a configuration file.
- Options None tells Apache that no extra features are enabled for that directory.
- AllowOverride None specifies that the directory options cannot be overridden by any .htaccess file.
- The FollowSymLinks option simply tells the Apache web server to follow symbolic links in that directory. This is very useful for shared applications such as phpMyAdmin, which must be shared across different websites.
- The Indexes option instructs Apache to generate and display a formatted directory listing when the directory does not contain a default index file such as index.html or index.php.
- The Require all granted directive (the Apache 2.4 form of the older allow from all) authorizes any host to access documents and services within that directory.
We are interested in the Indexes option, and we are going to change it to disable directory listing.
Step 2: Changing the Indexes Directive
We need to change Options Indexes FollowSymLinks to Options -Indexes +FollowSymLinks in the nano text editor that we opened above. Note that prefixing an option with a “-” sign disables it and prefixing it with a “+” sign enables it, as shown below (an Options line with no sign at all replaces the directory's whole option set rather than adjusting it).
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
Once you have finished editing the file, press CTRL+X, then Y, then Enter to save the changes.
Step 3: Disabling Directory Browsing on Virtual Hosts Files
Apache's lion's share of the market is attributed to its capability of running unlimited virtual hosts in a single instance. This allows website owners to run numerous sites, sub-domains and applications on a single instance.
Some websites do not consume a lot of server resources, and the best way to get the most from your Vultr VPS is to use this Apache virtual hosting feature.
While virtual hosts are a bullet-proof way of hosting multiple sites, their configuration can become a double-edged sword.
Managing the configuration files for virtual hosts can be difficult. However, there is a better approach. Each virtual website's configuration file can be placed under /etc/apache2/sites-available/, with a symbolic link to it maintained under the /etc/apache2/sites-enabled/ directory.
Apache will then maintain and load the configuration for each website independently.
With that in mind, if you are hosting multiple sites, you may disable directory browsing directly in each virtual host's configuration file. By default, Apache comes with a single default virtual host.
Type the command below to edit the configuration file:
sudo nano /etc/apache2/sites-available/000-default.conf
Add the block below just before the </VirtualHost> closing tag at the end of the file to disable directory browsing.
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks -MultiViews
    AllowOverride All
    Require all granted
</Directory>
The Order allow,deny directive (older Apache 2.2 syntax, whose role is taken by Require all granted in the excerpt above) makes deny directives take precedence because they are applied after the allow directives.
Remember to press CTRL+X, then Y, then Enter when you finish editing the /etc/apache2/sites-available/000-default.conf file, so that the changes are saved.
You may follow the same procedure above for any virtual websites that you have on your Ubuntu 16.04 server. Remember that all virtual host configuration files end with a .conf extension. For example, to edit the configuration file for an example.com virtual host, enter the command below.
sudo nano /etc/apache2/sites-available/example.com.conf
Then, add the following block at the end of the example.com.conf file, just before the </VirtualHost> closing tag.
<Directory /var/www/example.com/public_html>
    Options -Indexes +FollowSymLinks -MultiViews
    AllowOverride All
    Require all granted
</Directory>
Important: Remember to match the virtual host directory to your website's public folder. In the above example, our website files are found under /var/www/example.com/public_html.
Step 4: Restarting Apache Web Server
Finally, we need to restart Apache for the changes to take effect by typing the command below:
sudo service apache2 restart
That's all when it comes to disabling directory browsing. Remember to double-check that the change took effect by typing your domain or IP address into your browser, followed by a forward slash and the folder you want to check.
For example, to double-check a config folder under your website, type http://www.example.com/config.
If directory browsing was successfully disabled, you should be greeted with a forbidden error message: “Forbidden. You don't have permission to access /config on this server.” Enjoy your Apache web server!
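Alongside the browser check, it helps to audit the configuration itself, since a <Directory> block whose Options line still carries a bare Indexes (or All, which includes Indexes) re-enables listing. The script below is an added example, not part of the original tutorial; it runs against a constructed sample config written to a temporary file, and its audit_indexes and count_enabled helpers are hypothetical names chosen here. Point audit_indexes at /etc/apache2/apache2.conf or a sites-available file to check a real server.

```shell
#!/bin/sh
# Constructed sample config (not taken from any real server) to audit.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/example.com/public_html>
    Options -Indexes +FollowSymLinks -MultiViews
    AllowOverride All
    Require all granted
</Directory>
<Directory /var/www/other>
    AllowOverride All
</Directory>
EOF

# audit_indexes FILE: prints one line per <Directory> block:
#   "<path> LISTING-ENABLED"  when Options turns Indexes on (Indexes, +Indexes, All, +All)
#   "<path> LISTING-DISABLED" when Options is present without enabling Indexes
#   "<path> INHERITED"        when the block has no Options line at all, so it
#                             inherits the parent's setting (which may still list files)
# Directive names are matched case-insensitively, as Apache itself does.
audit_indexes() {
    awk '
        tolower($1) == "<directory" {
            path = $2; gsub(/[">]/, "", path); state = "INHERITED"
        }
        tolower($1) == "options" {
            state = "LISTING-DISABLED"
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all" || o == "+all")
                    state = "LISTING-ENABLED"
            }
        }
        tolower($1) == "</directory>" { print path, state }
    ' "$1"
}

# count_enabled FILE: number of <Directory> blocks that still allow listing.
count_enabled() {
    audit_indexes "$1" | grep -c 'LISTING-ENABLED$' || true
}

audit_indexes "$SAMPLE_CONF"
```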