# Apache index listing - security risk

## trossachs

Have recently upgraded to v2.2.4-r10, but having looked at my sites from outside of my local LAN, I find that the various sites that I host show a listed index of all the files for each Vhost. How can I stop this? The index page does not show the website, just a list of the physical directories, which is an obvious security risk.

Whenever anyone uses my IP address, this shows up the root of the web server with all the associated directories.

Last edited by trossachs on Sun Sep 30, 2007 1:06 pm; edited 2 times in total

----------

## Aysen

You need to remove "Indexes" from Options in /etc/apache2/vhosts.d/default_vhost.include, I guess. Also remove it from any other config file that you don't need it in.

----------

## trossachs

I had "indexes" listed, but I used this with an "-Indexes" statement rather than take the entire line out.

I kept seeing these "GET" statements in the Apache logs, so I knew that people were siphoning the directories off, but did not know why.

----------

## trossachs

The only other issue is that when I view the pages via my local LAN, it all looks good and the pages load fine. Whenever anyone on the Internet side goes to view the pages, they get a "Forbidden" message. Have asked people to do a hard refresh of their page, but this does not seem to have helped.

Any ideas as to why the LAN and WAN should behave differently even from the same web server?

----------

## Hu

Most likely, the server is configured with some sort of address-based restriction, such as only serving the pages to peers with a private range IP address. Check the server's error log for details about why a request was refused.

----------

## trossachs

Have been looking at the error_log for the last few hours and it prints nothing with regards to any restriction of IP ranges. This is the most common error:

```
[Sun Sep 30 15:29:15 2007] [error] [client *.*.*.*] Directory index forbidden by Options directive: /var/www/
```

The main Options directive, I have now changed to list All, but this does not help. I can view the page fine internally but people have called to say that they get a "forbidden" msg when they try and access the site via the Internet. Have asked them to do a hard refresh, but this does not seem to have helped.

----------

## Aysen

Maybe your DirectoryIndex is set incorrectly? I have

```
<IfModule dir_module>
        DirectoryIndex index.html index.html.var
</IfModule>
```

in my /etc/apache2/modules.d/00_default_settings.conf plus some AddDirectoryIndex directives in e.g. /etc/apache2/modules.d/70_mod_php5_concurr.conf.

----------

## trossachs

My directory module index is set correctly:

```
<IfModule dir_module>
        DirectoryIndex index.php index.html index.htm index.html.var index.php3 index.shtml index.cgi index.pl index.htm Default.htm default.htm
</IfModule>
```

Whenever I do a graceful start I get the following errors:

```
[Mon Oct 01 19:56:33 2007] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www
[Mon Oct 01 19:56:33 2007] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www
[Mon Oct 01 19:56:33 2007] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www
[Mon Oct 01 19:56:33 2007] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www
[Mon Oct 01 19:56:33 2007] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www
[Mon Oct 01 19:56:33 2007] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www
[Mon Oct 01 19:56:33 2007] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www
[Mon Oct 01 19:56:33 2007] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www
[Mon Oct 01 19:56:33 2007] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www
```

----------

## Aysen

This might be a silly question, but does the "<IfModule dir_module>" evaluate to TRUE? Maybe somehow that module stopped being loaded? (I don't know if this could be actually causing this error, but I'm out of other ideas)

----------

## trossachs

That module does resort to TRUE. What Options do I need to include in the Virtual Hosts as standard? 

This is what I have thus far and all it does is print an Index of the directories available:

```
Multiviews -Indexes Includes FollowSymLinks
```

----------

## Aysen

 *trossachs wrote:*   

> What Options do I need to include in the Virtual Hosts as standard?

On my box I have Indexes FollowSymLinks and on a production server there is only FollowSymLinks. No problems so far. I don't think there is anything that you need to include to make vhosts work. Maybe removing the -Indexes would help?

----------

## trossachs

Thanks for this Aysen. Have gone back to an older version of Apache until my new server gets built. Then I can try and work out why the 2.2.6 series of Apache is so troublesome.

----------
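
An added example (not code from any poster in this thread): a small Python audit of `Options` directives, run on a constructed config that uses the option sets quoted above. It flags lines that mix `+`/`-` options with bare ones, which the Apache documentation describes as invalid syntax, and lines that leave directory listings on through `Indexes` or `All`. The function name, issue labels and directory paths are assumptions made for the example.

```python
import re

# Directive and option names are case-insensitive in Apache.
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample: the directory paths are hypothetical, the option
# sets are the ones quoted in the thread.
SAMPLE = """\
<Directory "/var/www/example">
    Options Multiviews -Indexes Includes FollowSymLinks
</Directory>
<Directory "/var/www/dev">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/prod">
    Options FollowSymLinks
</Directory>
<Directory "/var/www/all">
    Options All
</Directory>
"""


def audit_options(config_text):
    """Return (line_no, issue, directive) tuples for risky Options lines."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = OPTIONS_RE.match(line)  # commented-out lines never match
        if not match:
            continue
        tokens = match.group(1).split()
        relative = [t for t in tokens if t[0] in "+-"]
        absolute = [t for t in tokens if t[0] not in "+-"]
        # Apache's documentation calls mixing +/- options with bare ones
        # invalid syntax that is likely to cause unexpected results.
        if relative and absolute:
            findings.append((line_no, "mixed-syntax", line.strip()))
        # Indexes, +Indexes and All (which includes Indexes) enable listings.
        enabled = {t.lstrip("+").lower() for t in tokens if not t.startswith("-")}
        if enabled & {"indexes", "all"}:
            findings.append((line_no, "listing-enabled", line.strip()))
    return findings


if __name__ == "__main__":
    for line_no, issue, text in audit_options(SAMPLE):
        print(f"line {line_no}: {issue}: {text}")
```
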

