Re: Apache configuration and security

To: Keith Seldon <keith@keithjas.aquiss.com>
Cc: debian-apache@lists.debian.org
Subject: Re: Apache configuration and security
From: Adam Conrad <adconrad@0c3.net>
Date: Mon, 08 May 2006 10:15:22 +1000
Message-id: <[🔎] 445E8D9A.9070103@0c3.net>
In-reply-to: <[🔎] 000501c67209$c40100b0$1501a8c0@kjasamillo>
References: <[🔎] 000501c67209$c40100b0$1501a8c0@kjasamillo>

Keith Seldon wrote:
> 
> If you goto http://domain or http://domain./ all is fine.  Unfortunately, if 
> you goto http://domain//  or append any number of '/' to the uri, then you 
> will be served with a directory listing instead of the index page.
> 
> I have fixed this localy by editiing /etc/apache2/sites-available/default . 
> I have changed "RedirectMatch ^/$ /apache2-default/" to "RedirectMatch ^/*$ 
> /apache2-default/"

This isn't a security issue.  A directory listing isn't a security
problem at all (if it were, we wouldn't have them on by default at all).

The only reason for that RedirectMatch is so the admin can see the
default apache2 start page instead of a directory listing, making things
a bit more "friendly".  You may note that in more recent versions of the
packaging, I've commented out that line in the default config anyway,
since some users found the behavior rather confusing.

... Adam

Reply to:

References:
- Apache configuration and security
  - From: "Keith Seldon" <keith@keithjas.aquiss.com>

Prev by Date: Bug#366124: apache2: should mark its listening socket close-on-exec
Next by Date: Bug#365925: marked as done (ssl-cert: post-installation script exits with error 1)
Previous by thread: Apache configuration and security
Next by thread: Bug#366559: apache-common: apache-shared/restart template misleading after mod install
Index(es):
- Date
- Thread