Koozali.org: home of the SME Server

Apache and directory browsing

Upaboveit

Apache and directory browsing
« on: April 22, 2003, 08:14:39 PM »
By default, it seems that directory browsing in 5.6 U3 is enabled. I've read a few pages on the wider 'net that mention what to do to httpd.conf to prevent directory browsing but there are two issues.

1) There is a note at the top of httpd.conf to only modify the template files and not httpd.conf itself as it's updated through the console. OK, where's the template for it? I've looked in the directory it specifies and come up empty handed.

2) If I edit httpd.conf anyway and remove references to 'indexes' in the options areas I can no longer utilise the MP3 jukebox.

Does anyone have a sure fire solution to prevent directory browsing (enabled by default is just crazy) yet allow jukebox enabled iBays to operate?

Dan Brown

Re: Apache and directory browsing
« Reply #1 on: April 22, 2003, 09:17:53 PM »
Can't see why "enabled by default is just crazy", but here are a couple of ideas:

1.  Turn off "execution of dynamic content" for ibays for which you want it disabled.

2.  Create an index.html file with whatever you want people to see.

Bill Talcott

Re: Apache and directory browsing
« Reply #2 on: April 22, 2003, 11:28:38 PM »
Upaboveit wrote:
>
> 1) There is a note at the top of httpd.conf to only modify
> the template files and not httpd.conf itself as it's updated
> through the console. OK, where's the template for it? I've
> looked in the directory it specifies and come up empty handed.

http://www.e-smith.org/custom/

The defaults are in /etc/e-smith/templates/ and your modifications go in /etc/e-smith/templates-custom/.

Upaboveit

Re: Apache and directory browsing
« Reply #3 on: April 23, 2003, 12:33:00 PM »
Dan Brown (dan_AT_familybrown.org) wrote:
>
> Can't see why "enabled by default is just crazy"

Really? Directory browsing is like handing someone a map to your website and saying 'download whatever you like; run up my bandwidth usage; and you might even get some information that you were NEVER meant to get.' Directory browsing is a security hole of gargantuan proportions.

Dan Brown

Re: Apache and directory browsing
« Reply #4 on: April 23, 2003, 06:28:43 PM »
"A security hole of gargantuan proportions"?  Really, isn't that just a _little_ bit extreme?  It's pretty simple--if you don't want a user to be able to see everything in a certain directory, have an index file there.  Directory browsing won't let a user navigate the entire web tree, only directories without an index.{htm|html|shtml|php} file.

In any case, if you want to turn it off for any ibay, just disable execution of dynamic content, as I wrote above.

Upaboveit

Re: Apache and directory browsing
« Reply #5 on: April 23, 2003, 09:04:12 PM »
I don't think it's extreme. I think it's quite accurate.

As for disabling execution of dynamic content, that has undesirable effects. All I wanted to do was disable browsing, not the ability of a site to have value added content.

Dan Brown

Re: Apache and directory browsing
« Reply #6 on: April 24, 2003, 07:40:05 AM »
Having directory browsing enabled allows users to see files that you've placed on a public web server, if you haven't taken even the trouble to "touch index.html" in a directory.  This can't accurately be described as a security hole of any variety, much less "gargantuan".  It also makes things a lot easier for those who actually want visitors to be able to see their files (which is usually why they're on a web server in the first place).

There are two solutions I know of that can be done without making any custom changes to the system, as mentioned upstream:

1.  Create an index file.
2.  Disable dynamic content.  This doesn't have anything to do with "value added" anything (value doesn't depend on CGI or PHP), but if you must run CGI/PHP/whatever in the ibay, this obviously won't work.

There are other ways of doing it, but they're all going to take more work.

One such option is to disable indexes site-wide, but that will, as you've found, break the mp3 jukebox.  No big loss there, really--netjuke is _much_ cooler, and doesn't depend on having indexing enabled (search here for instructions on installing it).  You could do this by editing httpd.conf, but you'll lose your changes whenever you change the system configuration in certain ways; you'd be better off writing a custom template fragment to do this (as Bill's already provided a link about).

Yet another alternative would be to disable indexing on an ibay-by-ibay basis.  You'd need to do some coding to do that, but you might want to take a look at http://www.familybrown.org/howtos/advanced-ibay-howto.html to get you started (I strongly doubt it'll work on SME 5.6, but it might give you some ideas).  FWIW, the 90e-smithAccess40ibays template on SME 5.6 does look very similar to the one on 4.1.2, so you might not need to change much.
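To see which `<Directory>` blocks actually leave indexing on before choosing between the site-wide and ibay-by-ibay approaches discussed above, a small audit of the `Options` directives helps. This is an added example, not part of the original thread or SME Server's own code; the sample paths are constructed, and `default=True` assumes that a server with no `Options` set behaves like `Options All`.

```python
import re

# Constructed sample config; paths are placeholders, not SME Server's real layout.
SAMPLE_CONF = """
<Directory /srv/www>
    Options FollowSymLinks
</Directory>
<Directory /srv/www/private>
    Options -Indexes
</Directory>
<Directory /srv/www/jukebox>
    Options +Indexes
</Directory>
<Directory /srv/www/cgi>
    Options All
</Directory>
"""

def parse_directory_options(conf):  # -> {path: [token list per Options line]}
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1).strip().rstrip("/") or "/"
            blocks.setdefault(current, [])
        elif re.match(r"</Directory\s*>$", line, re.I):
            current = None
        elif current is not None and re.match(r"Options\s", line, re.I):
            blocks[current].append(line.split()[1:])
    return blocks

def indexes_enabled(path, blocks, default=True):  # fold shortest path -> longest
    state = default  # assumption: nothing set means Options All
    chain = [p for p in blocks if p == "/" or p == path or path.startswith(p + "/")]
    for p in sorted(chain, key=len):
        for tokens in blocks[p]:
            if any(t[0] not in "+-" for t in tokens):
                state = False  # bare keywords replace everything inherited
            for t in tokens:
                if t.lstrip("+-").lower() in ("indexes", "all"):
                    state = not t.startswith("-")
    return state

def audit(conf, default=True):
    blocks = parse_directory_options(conf)
    return {p: indexes_enabled(p, blocks, default) for p in blocks}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The script only reads `<Directory>` blocks in a single file; `.htaccess` overrides, `<DirectoryMatch>` and `<Location>` sections are not considered.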

Peter Hollandare

Re: Apache and directory browsing
« Reply #7 on: April 26, 2003, 08:26:29 AM »
Upaboveit :

If you don't want people to see the directory structure, there's no point having "secure", "personal", or "bandwidth-hogging" files on your server.

Dan explained an "easy-10-sec-way" to prevent *anyone* from seeing the structure (empty index.html), yet it sounds to me like you want them to see the structure, and at the same time not?

There are quite a few simple solutions to prevent the above described.

1. Use Dan's trick (excellent, fast way)
2. Get more bandwidth :)
3. Allow ONLY trusted IPs into the dirs (Apache allows this * - easy setup, templates)
4. Password protect the dirs (Apache allows this * - easy setup, templates)
5. Turn off Directory Browsing. (Templates)

* For more assistance, refer to Apache's manual + search this superb forum.

Peter

Upaboveit

Re: Apache and directory browsing
« Reply #8 on: August 02, 2003, 06:30:32 PM »
No, I don't want anyone to be able to browse the directory tree using Apache. I don't know where people get the idea that I do.

"If you don't want people to see the directory structure, there's no point having "secure", "personal", or "bandwidth-hogging" files on your server."

I completely fail to understand this. It's a server. I should be able to put whatever I please on it without having the public able to crawl through the directory structure. It's not a hard concept.

In any event, I've solved the problem. Advice to remove the files that I want to have on the server is silly. It's what I want my server for: to serve -my- files.

Terry

Re: Apache and directory browsing
« Reply #9 on: August 02, 2003, 07:43:43 PM »
And how did you solve the problem so we don't go through this again some day?

Kobus

Apache and directory browsing
« Reply #10 on: February 26, 2005, 12:55:19 AM »
Hi Terry

Please can you tell me how you solved this as I tried to find the solution myself.

Thank you in advance.

Kobus