Hi all,

Is it possible to protect the root of the server (/var/www) with a htaccess file. At this moment, if you type in the ip-address of the website, you get to see the listing of the var/www dir. I wanted to prevent that by placing a htaccess restriction, but that also streams down to underlying dirs. Is it possible to only protect the /var/www dir somehow?

Thanx

Randy

Also I noticed that everytime I start apache I get the message: "warn namevirtualhost xx.xx.xx.xx has no virtual hosts. I found that in the sites-available dir I have a default file with a NamevirtualHost * directive. Now since I have learned from Till That ISPConfig does not use namebased virtual hosting, this directive must have been created during the installation of appache..? Could I totally remove the contents? Or alter it so that when you time the ip-address of the server in the browser that you don't see the content of /var/www? (was first question above)...

See below:

NameVirtualHost *
<VirtualHost *>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
# RedirectMatch ^/$ /apache2-default/
</Directory>
#####################
#<Directory "/var/www">
# AuthType Basic
# AuthName "Restricted"
# AuthUserFile /var/www/.htpasswd
# require valid-user
#</Directory>
##########

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined
ServerSignature On

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

</VirtualHost>

Thanx all !!

Hi all,

Is it possible to protect the root of the server (/var/www) with a htaccess file. At this moment, if you type in the ip-address of the website, you get to see the listing of the var/www dir. I wanted to prevent that by placing a htaccess restriction, but that also streams down to underlying dirs. Is it possible to only protect the /var/www dir somehow?

Thanx

Randy
You should see the Shared-IP page. Which ISPConfig version are you using?

Also I noticed that everytime I start apache I get the message: "warn namevirtualhost xx.xx.xx.xx has no virtual hosts. You can ignore that warning. It just means that you have listed an IP address in your Apache configuration which doesn't host any web sites (yet).

I observed the same behaviour: full directory browsing of /var/www instead of the shared IP page when accessing with another IP address than the default one... This is a very serious security flaw!

Using ISPConfig 2.2.21 on GNU/Linux Ubuntu 6.06 LTS
My /etc/apache2/sites-available/default look the same than Randy's one.
As a quick workaround, just disable indexes on /var/www globally ("-Indexes" instead of "Indexes"), like this:

<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
# RedirectMatch ^/$ /apache2-default/
</Directory>