Securing your apache web server is one of the most important task, specially when you setting up a new website.
For example, if you create a new website directory called “tecmint” under your Apache server (/var/www/tecmint or /var/www/html/tecmint) and forgot to place an “index.html” file in it, you may surprised to know that all your website visitors can get a complete listing of all your important files and folders simply by typing http://www.example.com/tecmint in the browser.
In this article, we will show you how to disable or prevent directory listing of your Apache web server using .htaccess file.
This is how directory listing will be shown to your visitors when index.html not present in it..
For starters, .htaccess (or hypertext access) is a file which enables a website owner to control the server environment variables as well as other vital options to enhance functionality of his/her website(s).
For additional information about this important file, read the following articles to secure your Apache web server using .htaccess method:
- 25 Apache Htaccess Tricks to Secure Apache Web Server
- Password Protect Apache Web Directories Using .htaccess File
Using this simple method, the .htaccess file is created in any and/or every directory in the website directory tree and provide features to the top directory, subdirectories and files inside them.
First of all, activate the .htaccess file for your website in master apache configuration file.
$ sudo vi /etc/apache2/apache2.conf #On Debian/Ubuntu systems $ sudo vi /etc/httpd/conf/httpd.conf #On RHEL/CentOS systems
Then look for the section below, where the value of the AllowOverride directive must be set to AllowOverride All.
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
However, if you have an existing .htaccess file, make a backup of it as follows; assuming you have it in /var/www/html/tecmint/( and want to disable listing of this directory):
$ sudo cp /var/www/html/tecmint/.htaccess /var/www/html/tecmint/.htaccess.orig
Then you can open (or create ) it in the particular directory for modification using your favorite editor, and add the line below to turn off Apache directory listing:
Options -Indexes
Next restart the Apache web server:
-------- On SystemD based systems -------- $ sudo systemctl restart apache2 $ sudo systemctl restart httpd -------- On SysVInit based systems -------- $ sudo /etc/init.d/apache2 restart $ sudo /etc/init.d/httpd restart
Now verify the result by typing http://www.example.com/tecmint in the browser, you should get a message similar to the following.
That’s all! In this article, we described how to disable directory listing in Apache web server using .htaccess file. We will also cover two other useful as well as easy methods for the same purpose in upcoming articles, until then, stay connected.
As usual, make use of the feedback form below to send us your thoughts about this tutorial.
My website runs on the IIS configured Windows server. So I can’t use the Apache related options. It could’ve been helpful to me if you add configuration details related to the IIS server.
Hi,
In my case the particular section of file /etc/httpd/conf/httpd.conf looks something like this:
So do I have to make it:
Thanks
I followed these instructions precisely but it did not work at all.
I’m using CentOS 7 with apache web server
I found the issue: the httpd.conf file on my CentOS 7 server has multiple Directory sections: entirety of file system, document root, cgi-bin, etc.
thanks for the tip, it helped a lot
@[email protected]
We are glad that you found this guide helpful. Many thanks for the feedback.
Thank you for your advice!
“Options -Indexes ”
But I am not sure how the final contents of this file .htaccess should be shown:
Options -Indexes
AllowOverride All
Is that right?
@Alexey
Simply add the line Options -Indexes in the .htaccess file and save the it.