A. Directory Indexes (from mod_autoindex.c
)
When you access a directory and there is no default file found in this directory AND Apache Options Indexes
is not enabled for this directory.
A.1. DirectoryIndex
option example
DirectoryIndex index.html default.php welcome.php
A.2. Options Indexes
option
If set, apache will list the directory content if no default file found (from the above option)
If none of the conditions above is satisfied
You will receive a 403 Forbidden
Recommendations
- You should not allow directory listing unless REALLY needed.
- Restrict the default index
DirectoryIndex
to the minimum. - If you want to modify, restrict the modification to the needed directory ONLY, for instance, use
.htaccess
files, or put your modification inside the<Directory /my/directory>
directive
B. Deny, Allow
directives (Apache 2.2)
Mentioned by @Radu, @Simon A. Eugster in the comments You request is denied, blacklisted or whitelisted by those directives.
I will not post a full explanation, but I think some examples may help you understand, in short remember this rule:
IF MATCHED BY BOTH, THE LAST IS WILL WIN
Order Allow, Deny
Deny will win if matched by both directives (even if an Allow
directive is written after the Deny
in the conf)
Order Deny, Allow
Allow will win if matched by both directives
Example 1
Order Allow, Deny
Allow from localhost mydomain.com
Only localhost and *.mydomain.com can access this, all other hosts are denied
Example 2
Order Allow, Deny
Deny from evil.com
Allow from safe.evil.com # <-- has no effect since this will be evaluated first
All requests are denied, the last line may trick you, but remember that if matched by both the last win rule (here Deny is the last), same as written:
Order Allow, Deny
Allow from safe.evil.com
Deny from evil.com # <-- will override the previous one
Example 4
Order Deny, Allow
Allow from site.com
Deny from untrusted.site.com # <-- has no effect since this will be matched by the above `Allow` directive
Requests are accepted from all hosts
Example 4: typical for public sites (allow unless blacklisted)
Order Allow, Deny
Allow from all
Deny from hacker1.com
Deny from hacker2.com
Example 5: typical for intranet and secure sites (deny unless whitelisted)
Order Deny, Allow
Deny from all
Allow from mypc.localdomain
Allow from managment.localdomain
C. Require
directive (Apache 2.4)
Apache 2.4 use a new module called mod_authz_host
Require all granted
=> Allow all requests
Require all denied
=> Deny all requests
Require host safe.com
=> Only from safe.com are allowed
D. Files permissions
One thing that most people do it wrong is configuring files permissions,
The GOLDEN RULE is
STARTS WITH NO PERMISSION AND ADD AS PER YOUR NEED
In linux:
- Directories should have the
Execute
permission - Files should have the
Read
permission - YES, you are right DO NOT ADD
Execute
permission for files
for instance, I use this script to setup the folders permissions
# setting permissions for /var/www/mysite.com
# read permission ONLY for the owner
chmod -R /var/www/mysite.com 400
# add execute for folders only
find /var/www/mysite.com -type d --exec chmod -R u+x {};
# allow file uploads
chmod -R /var/www/mysite.com/public/uploads u+w
# allow log writing to this folder
chmod -R /var/www/mysite.com/logs/