How to Disable Directory Browsing on Apache?
In Apache, directory listing is a built-in feature that allows users to see what a directory is holding when there is no default index file provided, such as index.php or index.html. This is useful for a developer who is working on a website during the testing phase. In a live or production environment, however, this may allow unauthorized users to view the directory contents, including any sensitive files, while also giving away some of the server’s structure.
If the server is compromised as a result, unauthorized users might be able to access or exploit this information. This is especially concerning for web applications that store configuration files, scripts, or sensitive information in directories that are publicly accessible.
When visitors can list directories, the listing can reveal critical information that helps an attacker compromise your website. Once they can see the server structure, they can analyze it for weaknesses and plan an attack on your web application. For instance, a configuration file (which may contain your database credentials) or a script that reveals how the application behaves can become a primary target for mischief or exploitation if directory browsing is not disabled.
The best way to avoid data leakage is to disable directory listing, which prevents unauthorized users from examining the directory structure. Only authorized users who have direct access to the server will be able to browse the directory structure.
In this guide, you will learn how to test whether directory listing is enabled on your Apache web server and implement methods to disable it.
Prerequisites
Before proceeding, ensure you have the following:
- An Ubuntu 20.04 server
- A sudo user
- An Apache web server
1. Create a Test Directory
SSH into your server and create a test directory in the root of your website:
sudo mkdir /var/www/html/test
Next, create two subdirectories inside the test directory:
sudo mkdir /var/www/html/test/sub-directory_1
sudo mkdir /var/www/html/test/sub-directory_2
Now, add two files to the test directory:
sudo touch /var/www/html/test/file1.txt
sudo touch /var/www/html/test/file2.txt
Open a web browser and navigate to:
If Apache directory listing is enabled, you will see a list of the files and subdirectories created.
2. Disable Directory Listing in Apache Configuration
To disable directory listing, open the Apache configuration file:
sudo nano /etc/apache2/apache2.conf
Locate the following section:
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Modify the Options line to:
Options -Indexes +FollowSymLinks
After the change, it should look like this:
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
The Indexes option enables Apache to list directory contents if no index file is present. By prefixing it with a hyphen (-Indexes), directory listing is disabled.
Save the file and restart Apache:
sudo systemctl restart apache2
Next, attempt to access the test directory again. You should get a “403 Forbidden” error, confirming that the directory listing has been turned off for your directory.
Disabling Directory Listing in Your Virtual Host Configuration
If you are using your Apache server to host multiple sites, you can disable directory listing for each site in the virtual host configuration.
First, list the available site configurations:
sudo ls -lsa /etc/apache2/sites-available
You will see a list of configuration files. Identify the one corresponding to your site, such as 000-default.conf, and open it:
sudo nano /etc/apache2/sites-available/000-default.conf
Find the section that looks similar to this:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
</VirtualHost>
Modify it by adding the following within the <VirtualHost> block:
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Save the file and restart Apache:
sudo systemctl restart apache2
Repeat these steps for other virtual host configurations if needed.
Troubleshooting
If directory browsing remains enabled after these steps, check for other configuration overrides. Look for additional <Directory> blocks in Apache configuration files, such as:
<Directory /var/www/html/>
Ensure that the -Indexes option is correctly set.
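To find the overriding blocks quickly, the following script is an added example (not part of the original guide) that reads Apache configuration text and prints every Options line that turns listing on, together with the <Directory> block it sits in. The function names and the sample configuration are constructed for illustration; it flags individual lines and does not compute the merged effective options.

```sh
#!/bin/sh
# Added example: flag every Options line that switches directory listing on.
# Reads Apache configuration text on stdin and prints "<context>: <line>".
find_indexes_enabled() {
  awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blanks
    tolower($1) == "<directory" {                  # entering a <Directory> block
      ctx = $2; sub(/>$/, "", ctx); next
    }
    tolower($1) == "</directory>" { ctx = ""; next }
    tolower($1) == "options" {
      on = 0
      for (i = 2; i <= NF; i++) {
        opt = tolower($i)
        # Indexes, +Indexes and All each enable listing; -Indexes removes it.
        if (opt == "indexes" || opt == "+indexes" || opt == "all") on = 1
        if (opt == "-indexes") on = 0
      }
      if (on) {
        line = $0; sub(/^[ \t]+/, "", line)
        where = (ctx == "" ? "(outside <Directory>)" : ctx)
        print where ": " line
      }
    }
  '
}

# Constructed sample configuration (not taken from a real server).
sample_config() {
  cat <<'EOF'
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
# Options Indexes
<Directory /var/www/html/>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/html/test/>
    Options +Indexes
</Directory>
EOF
}

sample_config | find_indexes_enabled
# On a real server:
#   cat /etc/apache2/apache2.conf /etc/apache2/sites-available/*.conf | find_indexes_enabled
```

Any line it prints is a place where listing is still enabled and the Options line needs -Indexes.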
Conclusion
With this tutorial, you have now disabled Apache directory listing on your Ubuntu 20.04 server. This is a necessary step to secure your web host by stopping unauthorized access to your files and directories.
Now visitors will not be able to see the contents of your folders; instead, they will get a “403 Forbidden” response. Therefore, your sensitive information should remain secure. Applying these security settings helps maintain a well-guarded web environment for all hosted websites.