Apache security configuration: how to disable directory access

  • 2020-05-09 19:48:06
  • OfStack

When developing a PHP website, we need to control access to certain directories and files in order to protect the site's directory contents and program code. How can this be done? You can configure Apache so that it does not list a website's content as a directory.

When directory access has not been restricted in Apache, visiting http://localhost lists the relevant directories and files. We can disable this directory/file listing by modifying the Apache configuration file httpd.conf as follows:

1. Open the Apache configuration file "httpd.conf".

2. Find the following section

<Directory />
Options Indexes
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Simply change Options Indexes to Options None.

Note: depending on the installation package used for the PHP runtime environment, Options Indexes may instead appear as Options Indexes FollowSymLinks; in either case, change it to Options None.

Save httpd.conf and restart Apache. If that does not work, continue by modifying the following configuration:


<Directory "E:/web">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    Options none
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None
    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all
</Directory>

As above, change the Options line in this block in the same way.

3. Save httpd.conf and restart Apache. Now access http://localhost again: if there is no default file such as index.html or index.php, Apache reports an HTTP 403 error:

Forbidden
You don't have permission to access / on this server.
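
To confirm that no block was missed, the check below scans configuration text for Options lines that still enable directory listing. It is an added example, not part of the original article or of Apache; the sample configuration is constructed, "E:/web/downloads" is a hypothetical path, and each Options line is judged on its own, without modelling how Apache merges options between parent and child directories.

```python
import re

# Constructed sample modelled on the article's blocks; "E:/web/downloads" is hypothetical.
SAMPLE_CONF = """\
<Directory />
Options Indexes FollowSymLinks
</Directory>
<Directory "E:/web">
    # Options Indexes
    Options none
</Directory>
<Directory "E:/web/downloads">
    Options +Indexes
</Directory>
"""

OPEN_RE = re.compile(r'<Directory(?:Match)?\s+"?([^">]+?)"?\s*>', re.I)
CLOSE_RE = re.compile(r'</Directory(?:Match)?\s*>', re.I)
OPTIONS_RE = re.compile(r'Options\s+(.*)', re.I)


def enables_listing(args):
    """True if this Options argument list leaves directory listing on."""
    on = False
    for tok in args.lower().split():
        if tok in ("indexes", "+indexes", "all"):
            on = True          # "All" includes Indexes
        elif tok in ("-indexes", "none"):
            on = False
    return on


def audit(conf_text):
    """Return (line_no, scope, directive) per offending Options line (no merging modelled)."""
    findings, scope = [], ["(server config)"]
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue           # commented-out directives have no effect
        if m := OPEN_RE.match(line):
            scope.append(m.group(1))
        elif CLOSE_RE.match(line) and len(scope) > 1:
            scope.pop()
        elif (m := OPTIONS_RE.match(line)) and enables_listing(m.group(1)):
            findings.append((no, scope[-1], line))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

To audit a real server, pass the contents of httpd.conf to audit(); files pulled in through Include directives have to be scanned separately.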

