Article

How to Disable Directory Browsing on Apache

Last Updated: Wed, Aug 12, 2020
Ubuntu Web Servers

Introduction

In Apache, directory listing is a default behavior that displays the contents of a directory if there is no default index file such as index.php or index.html. In a production environment, enabling directory browsing is not recommended since it may lead to information leakage and help attackers to determine how a website or web application is structured and increase the attack surface. In this guide, you'll test and disable Apache directory browsing on Ubuntu 20.04.

Prerequisites

Before you begin, ensure you have the following:

1. Create a Test Directory

SSH to your server and create a test directory in the root of your website.

$ sudo mkdir /var/www/html/test

Create two sub-directories in the test directory.

$ sudo mkdir /var/www/html/test/sub-directory_1
$ sudo mkdir /var/www/html/test/sub-directory_2

Add two files to the test directory.

$ sudo touch /var/www/html/test/file1.txt
$ sudo touch /var/www/html/test/file2.txt

Open a web browser and visit the URL below. Replace example.com with the domain name or IP address of your server.

http://www.example.com/test

If Apache directory listing is enabled, you should see a list of all files and sub-directories that you've created.

2. Disable in Apache Configuration

Open the /etc/apache2/apache2.conf file.

$ sudo nano /etc/apache2/apache2.conf

Find the content below.

...
<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
...

Change the line:

Options Indexes FollowSymLinks

to:

Options -Indexes +FollowSymLinks

When finished, it should look like this.

...
<Directory /var/www/>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
...

By default, the Indexes option forces Apache to prepare and show a list of files if no default index file is detected in the /var/www directory, by prefixing the Indexes options with a hyphen, you've instructed Apache to disable this behavior.

Save and close the file. Then, restart the Apache webserver.

$ sudo systemctl restart apache2

Try to access the URL of the test directory. Replace example.com with the domain name or the public IP address of your server.

http://www.example.com/test

This time, your access will be forbidden. Please note, this is a system-wide setting. If you need more control, you can disable directory browsing by editing the virtual hosts file.

3. Disable in Virtual Hosts File

If you have several websites hosted on the same Apache web server, you can disable directory listing by editing the virtual host configuration file of each website independently.

List the sites available on your Apache web server by running the command below.

$ sudo ls -lsa /etc/apache2/sites-available

The output below may be different depending on the websites you've hosted on your server.

4 drwxr-xr-x 2 root root 4096 Jul 15 12:19 .
4 drwxr-xr-x 8 root root 4096 Jul 16 11:33 ..
4 -rw-r--r-- 1 root root 1332 Apr 13 20:19 000-default.conf
8 -rw-r--r-- 1 root root 6338 Apr 13 20:19 default-ssl.conf

Get the configuration filename of the website that you want to edit for instance 000-default.conf and open the file.

$ sudo nano /etc/apache2/sites-available/000-default.conf

The content of your file will be somehow similar to the one shown below.

<VirtualHost *:80>
...
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

...
</VirtualHost>

Edit the file by adding the <Directory /var/www/>...</Directory> options as shown below:

<VirtualHost *:80>
...
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
...
    <Directory /var/www/>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Save and close the file. Then, restart the Apache webserver.

$ sudo systemctl restart apache2

You've successfully disabled directly browsing on that site. You can repeat the procedure if you'd like to disable directory listing for the rest of the websites.

Troubleshooting

If directory browsing is still enabled after performing these steps, look for additional sections in your control files that may override your settings. For example, if you've set Options -Index in the <Directory /var/www/> section, look for conflicting sections such as <Directory /var/www/html/>.

Conclusion

In this guide, you've tested and disabled Apache directory listing on Ubuntu 20.04 server. This is a major step to safeguard your webserver.

Want to contribute?

You could earn up to $300 by adding new articles