Directory Listing does not provide 403 forbidden and is different than unix

Started by doug, August 17, 2012, 05:11:55 PM

Previous topic - Next topic

doug

We have deployments of apache 2.4.2 on OSX, Linux and are using apachehaus version for our windows clients.

Generally, if you want to avoid directory listings, the options in the <directory> looks like below and the 'Indexes' part of Options
is removed.

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>


If I do this on OSX or Linux and attempt to get any directory listing, those Apache 2.4.2 servers provide a 403 error

Forbidden
You don't have permission to access /1/ on this server.



On the windows 2.4.2 server, that same setting in the httpd.conf provides a very different result and error code.  It does not
show the directory listing, but it does confirm that the directory exists with an 'empty' directory

Index of /1/


It may seem like not much difference, but we are trying to get the server to pass a PCI security scan on the server and this is a
huge difference.  Effectively it means that the Apachehaus 2.4.2 server fails to meet the security standards for the credit card
industry.  (PCI is the credit card industry and they have onerous requirements for all servers).


Does anybody know how to make it so that there is no directory listing and apache return a 403 or 404 error if somebody attempts
to do a directory listing ..... rather than simply show the directory with no files in it?


Much appreciated in advance.

mario

Quote from: doug on August 17, 2012, 05:11:55 PM
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

That is not the right Directory container. There is a second one with the path of the document root. There you need to change the "Options" to get the wanted effect

doug

Quote from: mario on August 17, 2012, 05:38:32 PM
That is not the right Directory container. There is a second one with the path of the document root. There you need to change the "Options" to get the wanted effect

Hi Mario.

I think may not have stated things fully.    in the root htdocs directory, the indexes has been taken out of the 'options'.  This is the same as our OSX Htdocs.

Putting 'indexes' in the options on OSX or linux gives directory listings.  Taking it out gives 403 errors.

On windows, putting Indexes in gives directory listings.   Taking it out gives the header that I mention and NOT a 403 error.

<Directory "/Apache24/htdocs">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>


does that help?   Am I missing an option or setting that is different on windows?

Gregg

I would not say you are missing an option, this can happen if you have Indexes set further up a directory tree.
In that case you have to specifically tell Apache -Indexes.


/home/somesite       <- Indexes is set here
/home/somesite/here  <- indexes will show here too


I gave my Apache a test host, it's working as it should for me.
http://indexes.apachehaus.net:81/test.html

In your case, you may have to set your options as so
Options +FollowSymLinks -Indexes