Dealing with a new Server that came pre-installed with Apache.
Directory Indexing is turned on - thats fine.
We utilize specific system directories such as : logs, cgi-local, stats,
cgiemail, and errors. For these directories, we don't want users to be
able to list their contents in a Web Based FTP format, so in the
access.conf, each of these directories has their own <Directory>
Document Root is /web and each domain is in a separate sub-directory
such as /web/mydomain
# Errors Directory
allow from all
The above works great to keep the Web visitors from listing the contents
of the "errors" directory and if they try to do so, the appropriate 403
Error Page is displayed.
However, if a user knows the name of a file inside of the "errors"
directory, Apache will gladly serve that file up and display it.
They can't list the directory, but if they know the name of myfile.txt,
they can type in:
and Apache will display the file.
How on earth do you keep Apache from doing this other than making the
directory a "Script Alias" directory (which so far seems to be the only
thing that prevents users from viewing files, but it also produces an
error log entry saying that the file is not executible)?
Any feedback will be most appreciated.