htaccess root var/www possible ?

Discussion in 'Installation/Configuration' started by Randy, Dec 8, 2006.

  1. Randy

    Randy New Member

    Hi all,

    Is it possible to protect the root of the server (/var/www) with a htaccess file. At this moment, if you type in the ip-address of the website, you get to see the listing of the var/www dir. I wanted to prevent that by placing a htaccess restriction, but that also streams down to underlying dirs. Is it possible to only protect the /var/www dir somehow?

    Thanx

    Randy
     
  2. Randy

    Randy New Member

    also

    Also I noticed that everytime I start apache I get the message: "warn namevirtualhost xx.xx.xx.xx has no virtual hosts. I found that in the sites-available dir I have a default file with a NamevirtualHost * directive. Now since I have learned from Till That ISPConfig does not use namebased virtual hosting, this directive must have been created during the installation of appache..? Could I totally remove the contents? Or alter it so that when you time the ip-address of the server in the browser that you don't see the content of /var/www? (was first question above)...

    See below:

    NameVirtualHost *
    <VirtualHost *>
    ServerAdmin [email protected]

    DocumentRoot /var/www/
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    <Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    # This directive allows us to have apache2's default start page
    # in /apache2-default/, but still have / go to the right place
    # RedirectMatch ^/$ /apache2-default/
    </Directory>
    #####################
    #<Directory "/var/www">
    # AuthType Basic
    # AuthName "Restricted"
    # AuthUserFile /var/www/.htpasswd
    # require valid-user
    #</Directory>
    ##########

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    </VirtualHost>

    Thanx all !!
     
  3. falko

    falko Super Moderator ISPConfig Developer

    You should see the Shared-IP page. Which ISPConfig version are you using?

    You can ignore that warning. It just means that you have listed an IP address in your Apache configuration which doesn't host any web sites (yet).
     
  4. gorni

    gorni New Member

    I observed the same behaviour: full directory browsing of /var/www instead of the shared IP page when accessing with another IP address than the default one... This is a very serious security flaw!

    Using ISPConfig 2.2.21 on GNU/Linux Ubuntu 6.06 LTS
    My /etc/apache2/sites-available/default look the same than Randy's one.
    As a quick workaround, just disable indexes on /var/www globally ("-Indexes" instead of "Indexes"), like this:

    <Directory /var/www/>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    # This directive allows us to have apache2's default start page
    # in /apache2-default/, but still have / go to the right place
    # RedirectMatch ^/$ /apache2-default/
    </Directory>
     

Share This Page