
This is a discussion on Stop visitors from viewing content of sub folders in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member
    Join Date
    May 2004
    Location
    Florida
    Posts
    30

    Stop visitors from viewing content of sub folders

    How can I stop visitors from viewing the content of my subfolders. I want them to receive an error when they try. Thanks for any help.
    Patti

  2. #2
    JPC Member
    Join Date
    May 2005
    Posts
    39
    I'm sure there is a better way, but I just drop an index.html in the subfolder that says something like "OOOppps you Don't belong here!" or something to that effect.

  3. #3
    JPC Member
    Join Date
    May 2004
    Location
    Florida
    Posts
    30

    Thank you

    That was what I thought, Thank you for replying.
    Patti

  4. #4
    Loyal Client
    Join Date
    May 2002
    Location
    Wisconsin, USA
    Posts
    568
    Quote Originally Posted by Patti
    How can I stop visitors from viewing the content of my subfolders. I want them to receive an error when they try.
    If you put the line "Options -Indexes" in your .htaccess file that will give users the following message:

    Forbidden
    You don't have permission to access /folder-name/ on this server.
    Then you won't have to remember to add an index.html to any folder you create.

  5. #5
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    JonathanB's tip is the way to go. In the top-level .htaccess, it is easy and effective.

    You might also consider adding:

    ServerSignature Off
    DirectoryIndex /homepage.html

    The first keeps prying eyes from viewing your server info easily (not terribly effective but better than nothing); the second makes any attempt at "indexing" (browsing by directory/sub-folder) a "redirect" to your homepage. Just substitute the path to the homepage file you use and don't forget the "/" (slash) which indicates that you are starting at the "root" of the publicly accessible webspace. If your homepage file is welcome.html, then the directive would look like this:

    DirectoryIndex /welcome.html
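
The two fixes from posts #4 and #5 can be checked offline against a copy of the site. The following is an added example, not code from the thread: it walks a document root and reports the folders Apache would still answer with a listing. It assumes the server default is Indexes on with `index.html` as the index file, and it reads only `Options` and `DirectoryIndex` lines from `.htaccess`; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def apply_htaccess(text, indexes_on, index_names):
    """Fold one .htaccess file into the settings inherited from the parent."""
    for line in text.splitlines():
        parts = line.split() or ["#"]                # blank line: treat as comment
        directive, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if directive == "options":
            if any(a[0] in "+-" for a in args):      # relative form merges
                if "-indexes" in args:
                    indexes_on = False
                elif "+indexes" in args:
                    indexes_on = True
            else:                                    # absolute form replaces
                indexes_on = "indexes" in args or "all" in args
        elif directive == "directoryindex" and args:
            index_names = parts[1:]
    return indexes_on, index_names

def listable_dirs(docroot, server_default=(True, ("index.html",))):
    """Return docroot-relative folders that would be served as a listing."""
    docroot, state, exposed = os.path.abspath(docroot), {}, []
    for path, _dirs, files in os.walk(docroot):      # parents come before children
        on, names = state.get(os.path.dirname(path), server_default)
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess")) as fh:
                on, names = apply_htaccess(fh.read(), on, names)
        state[path] = (on, names)
        # A name starting with "/" is resolved from the docroot, not the folder.
        served = any(os.path.isfile(docroot + n if n.startswith("/")
                                    else os.path.join(path, n)) for n in names)
        if on and not served:
            exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)

def build_sample(root):
    """Constructed docroot: images/ is unprotected, private/ has an .htaccess."""
    for d in ("images", "private/reports"):
        os.makedirs(os.path.join(root, d))
    for name, body in (("index.html", "home"), ("images/a.png", ""),
                       ("private/.htaccess", "Options -Indexes\n")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(listable_dirs(root))
```

On the constructed tree only `images` is reported; a top-level `.htaccess` with either `Options -Indexes` or `DirectoryIndex /index.html` empties the list.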

  6. #6
    JPC Member
    Join Date
    May 2005
    Posts
    39
    See, I knew there was a better way!

  7. #7
    Jag Veteran
    Join Date
    Sep 2002
    Posts
    650
    Quote Originally Posted by Spathiphyllum
    You might also consider adding:

    ServerSignature Off
    IMHO, there is no point turning off Server Signature if ServerTokens is Full.

  8. #8
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Quote Originally Posted by gerilya
    IMHO, there is no point turning off Server Signature if ServerTokens is Full.
    True since ServerTokens, if set to Full, cannot be superseded by .htaccess directives. I was able to disable Server Signature some time ago on my server but have not reviewed the output recently to confirm that ServerTokens now trumps it. At some point I'll investigate. Still, it's a nice default to include just in case ServerTokens Full is not the setting du jour.

  9. #9
    JPC Member
    Join Date
    Sep 2001
    Posts
    35
    Quote Originally Posted by Patti
    How can I stop visitors from viewing the content of my subfolders. I want them to receive an error when they try. Thanks for any help.
    Patti
    Go into the Control Panel, choose the folder and change the permissions to 711. That way they'll get the "Forbidden" error message.

  10. #10
    Jag Veteran
    Join Date
    Sep 2002
    Posts
    650
    Quote Originally Posted by fade
    Go into the Control Panel, choose the folder and change the permissions to 711. That way they'll get the "Forbidden" error message.
    That way you will also disable directory index.

  11. #11
    Jag Veteran
    Join Date
    Sep 2002
    Posts
    650
    Quote Originally Posted by Spathiphyllum
    I was able to disable Server Signature some time ago on my server but have not reviewed the output recently to confirm that ServerTokens now trumps it.
    Well, all you had to do is ask

    gerilya@virginia$ curl -I http://www.histosoft.com/
    HTTP/1.1 200 OK
    Date: Sat, 31 Dec 2005 00:56:25 GMT
    Server: Apache
    Last-Modified: Thu, 29 Dec 2005 22:02:19 GMT
    ETag: "204ae1-802d-43b45ceb"
    Accept-Ranges: bytes
    Content-Length: 32813
    Content-Type: text/html
    I guess I will have to install nmap to learn more about your server

    BTW, I liked your idea of having DirectoryIndex's local URL relative to website root. Much safer than putting empty index.html inside each directory.
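
The `curl -I` check in post #11 can be turned into a repeatable test. The following is an added example, not code from the thread: it reads the `Server` response header and names the ServerTokens level it corresponds to, using the header formats given in the Apache documentation. The first sample is an excerpt of the header block pasted above; the other values are constructed for comparison.

```python
import re

def server_tokens_level(raw_headers):
    """Infer the ServerTokens level from the Server header of a raw response."""
    m = re.search(r"^Server:[ \t]*(.*)$", raw_headers, re.I | re.M)
    if not m:
        return "absent"
    value = m.group(1).strip()
    product = re.match(r"Apache(?:/(\d+(?:\.\d+){0,2}))?", value)
    if not product:
        return "not-apache"
    version, rest = product.group(1), value[product.end():].strip()
    if version is None:
        return "Prod"                      # "Apache" only, no version
    if rest.startswith("("):
        # OS adds "(Unix)"; Full appends module tokens after the parenthesis
        return "Full" if rest[rest.find(")") + 1:].strip() else "OS"
    if rest:
        return "Full"
    return {0: "Major", 1: "Minor", 2: "Min"}[version.count(".")]

# Excerpt of the response headers shown in post #11 of this thread.
THREAD_SAMPLE = ("HTTP/1.1 200 OK\r\n"
                 "Date: Sat, 31 Dec 2005 00:56:25 GMT\r\n"
                 "Server: Apache\r\n"
                 "Content-Type: text/html\r\n")

# Constructed header lines for comparison (not taken from any real host).
CONSTRUCTED = ["Server: Apache/2.4",
               "Server: Apache/2.4.2 (Unix)",
               "Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2"]

def audit(samples):
    """Return the level per sample; anything above Prod discloses a version."""
    return [server_tokens_level(s) for s in samples]

if __name__ == "__main__":
    print(audit([THREAD_SAMPLE] + CONSTRUCTED))
```

ServerSignature only controls the footer on server-generated pages such as error documents, so this header check and a look at a 403 or 404 page are two separate tests.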

  12. #12
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    gerilya,

    Thanks for saving me a step. And I thought I had a mod rule to block curls... Hmm. Need to revisit that too.

    nmap, eh? I'll keep my eyes peeled and logs verbose.

    Glad the indexing idea helps. Yes, it's a great time-saver.

  13. #13
    Jag Veteran
    Join Date
    Sep 2002
    Posts
    650
    Quote Originally Posted by Spathiphyllum
    gerilya,

    Thanks for saving me a step. And I thought I had a mod rule to block curls... Hmm. Need to revisit that too.
    I probably should have mentioned that 'curl' is in fact an alias:
    gerilya@virginia$ alias curl
    alias curl='curl --user-agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
    Though it doesn't really matter for this particular purpose as no mod rewrite rule would help you to disable HTTP headers

    Quote Originally Posted by Spathiphyllum
    nmap, eh? I'll keep my eyes peeled and logs verbose.
    I am really not sure how you log nmap scans executed from root. Care to elaborate?

    Quote Originally Posted by Spathiphyllum
    Glad the indexing idea helps. Yes, it's a great time-saver.
    It's an even bigger time saver to disable Indexes in the httpd.conf file.

  14. #14
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Well, if you use an alias, then I might be out of luck. However, for the header bit, I can make them whatever I want if your HEAD/GET/POST via curl includes "curl". I set a mod_rewrite to detect the desired string, redirect to my own script, and spit back an NPH reply which will substitute/create and define whatever headers I want - valid or invalid.

    Well, if you run nmap on the server, then I'll know nothing from my server logs. Of course, the server may record shell commands and you'll need to cover tracks lest the Jag police track you down like the evil bugger you are. I'll still be oblivious to the snoop, unfortunately.

    Finally, I hope Jaguar admins don't follow your httpd.conf advice. Too much of a sledgehammer to my liking. But, yes, that would work pretty well too.
