httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jonesy <SPAM_TRAP_gm...@jonz.net>
Subject [users@httpd] Re: Help configure non-SSL webpages on an SSL site?
Date Wed, 16 Sep 2015 03:01:50 GMT
On Tue, 15 Sep 2015 18:12:24 -0400, . wrote:
>
> I am a novice website admin, running Apache 2.4.7 on a Ubuntu box. I 
> want to be able to serve a subset of my website as http (port 80), even 
> though the overall site is on https (port 443).  I managed to convert it 
> all to https this summer by providing links in 
> /etc/apache2/sites-enabled/ to sites-available/default-ssl.conf and 
> sites-available/http-redirect.conf.  The redirect just permanently 
> redirects everything to use https.
>
> I tried adding another VirtualHost for port 80, with a DocumentRoot 
> pointed at my "freely-available" subdirectory.  That seemed to work, but 
> the problem is that if somebody just browses to that subdirectory, they 
> get a directory listing that includes a hyperlink to the parent 
> directory.  By clicking on that hyperlink, they can escape into the rest 
> of the website using http instead of https.
>
> I suspect there's a "proper" way to do this, but I don't know what it 
> is.  Any help, or pointers, would be appreciated.

$ cat index.html
<!DOCTYPE HTML><HTML><HEAD></HEAD>
<BODY BGCOLOR="#CC0033"></BODY></HTML>

I put that in every sub-directory that I do not ever want folks poking 
around in. /images , /scripts , /includes , /temp ... whatever. 

Additionally, each sensitive directory's ,htaccess could include:
Options -Indexes 

But, Murphy's Law tells us that someday a critical .htaccess will get  
bollixed.

In your httpd.conf you can remove the "Indexes" option from the likes 
of:
Options Includes Indexes FollowSymLinks MultiViews

That'll do it globally.
But, Murphy's Law tells us that someday a the httpd.conf will get
bollixed.

So, I also put 
<!DOCTYPE HTML><HTML><HEAD></HEAD>
<BODY BGCOLOR="#CC0033"></BODY></HTML>
in every sub-directory that I do not ever want folks poking around in.

Too bad you don't have access to Google in your section of the internet.
Jonesy


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message