httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Lasiewski <lasiew...@gmail.com>
Subject [users@httpd] Deny Directory: "Deny from All" vs. "404 Not Found"
Date Mon, 01 Mar 2010 23:21:15 GMT
I've inherited with a web host which contains some sensitive files &
directories like .svn, .htaccess and about 10 others. We are in the
process of cleaning these up, but that may take a while.

I want to prevent Apache from returning any information whatsoever
regarding these files & directories. Ideally, I want to:
       1. Force a "404 Not Found" for these files & directories
       2. If "Options Indexes" is enabled, prevent these files &
directories from being viewable from the parent directory.

Each of these problems is easy to solve on it's own. I'm not sure the
best way to solve both of these problem at once.

I tried using 'RedirectMatch' (Recommended at
http://stackoverflow.com/questions/398008/deny-access-to-svn-folders-on-apache/):

       RedirectMatch 404 .*/\.svn(/|$)

This solves problem #1. The following will return a '404 Not Found'
for .svn. However, if 'Options Indexes' is enabled, I can still see
the .svn and .htaccess directories from the parent directory .
Luckily, I cannot enter the .svn directory, because I get a '404 Not
Found'. However, I don't want the webserver to show the existence of
the .svn directory from the parent directory at all.

So then, I tried using a "Deny from all", which we see in the default
httpd.conf, and at
http://subversion.apache.org/faq.html#website-auto-update

       # Disallow browsing of Subversion working copy administrative dirs.
       <DirectoryMatch "^/.*/\.svn/">
               Order deny,allow
               Deny from all
       </DirectoryMatch>

This prevents the .svn directory from appearing from the directory
listing. The default behavior of "Deny from all" is to return '403
Forbidden'. This means that if I go to http://example.com/foo/.svn , I
get a '403 Forbidden' which still provides a clue to potential hackers
that the directory named '.svn' exists. I'd like to force a "404 Not
Found" instead.

The only solution that I have found is to simply use both of these two
directives, like this:

       # Disallow browsing of Subversion working copy administrative dirs.
       <DirectoryMatch "^/.*/\.svn/">
               Order deny,allow
               Deny from all
       </DirectoryMatch>
       # Also, force a "404 Not Found" for .svn itself.
       RedirectMatch 404 .*/\.svn(/|$)

It works, but this seems a little redundant. Is there a better way to
force a "404 Not Found", and prevent it from being listed in the
parent directory,

Thanks,

-= Stefan

-- 
Stefan Lasiewski
http://stefanco.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message