|
1 |
| -.. include:: /Includes.rst.txt |
2 |
| -.. index:: pair: Security guidelines; Directory indexing |
3 |
| -.. _security-directory-indexing: |
| 1 | +:navigation-title: Directory indexing |
| 2 | + |
| 3 | +.. include:: /Includes.rst.txt |
| 4 | +.. index:: pair: Security guidelines; Directory indexing |
| 5 | +.. _security-directory-indexing: |
4 | 6 |
|
5 | 7 | ==========================
|
6 | 8 | Disable directory indexing
|
7 | 9 | ==========================
|
8 | 10 |
|
9 |
| -Depending on the operating system and distribution, Apache’s default configuration may have directory indexing enabled by default. |
10 |
| - |
11 |
| -This allows search engines to index the file structure of your site and potentially |
12 |
| -reveal sensitive data. The screenshot below shows an example of the kind |
13 |
| -data that can be retrieved with a simple HTTP request. |
14 |
| - |
15 |
| -.. figure:: /Images/ManualScreenshots/Security/DirectoryIndexing.png |
16 |
| - :class: with-shadow |
17 |
| - :alt: Screenshot of an example directory index |
18 |
| - |
19 |
| -In this example only the list of extensions are revealed, but more |
20 |
| -sensitive data can also be exposed. |
21 |
| - |
22 |
| -It is strongly recommended that you disable directory indexes. |
23 |
| - |
24 |
| -If your web server requires directory indexing in other places |
25 |
| -outside of your TYPO3 installation, you should consider deactivating the option globally |
26 |
| -and only enable indexing on a case-by-case basis. |
| 11 | +Directory indexing allows web servers to list the contents of directories |
| 12 | +when no default file (like `index.html`) is present. If enabled, it can |
| 13 | +expose sensitive file structures to the public or search engines. |
27 | 14 |
|
| 15 | +This section explains how to disable directory indexing for TYPO3 across |
| 16 | +common web servers. |
28 | 17 |
|
29 |
| -.. contents:: |
| 18 | +.. contents:: |
30 | 19 | :depth: 1
|
31 | 20 | :local:
|
32 | 21 |
|
33 |
| -Apache web server |
34 |
| -================= |
| 22 | +.. _security-directory-indexing-apache: |
35 | 23 |
|
36 |
| -By removing the `Indexes` from `Options` (or not setting it in the first place), |
37 |
| -Apache does not show the list of files and directories. |
| 24 | +Disable indexing in Apache (.htaccess) |
| 25 | +====================================== |
38 | 26 |
|
39 |
| -In TYPO3, the default :file:`.htaccess` already contains the |
40 |
| -directive to disable directory indexing. Check if the following is |
41 |
| -in your :file:`.htaccess`: |
| 27 | +This applies to Apache web servers, especially in shared hosting environments |
| 28 | +where configuration is done via :file:`.htaccess` files. |
42 | 29 |
|
43 |
| -.. code-block:: apacheconf |
44 |
| - :caption: /var/www/myhost/public/.htaccess |
| 30 | +In Apache, directory indexing is controlled by the `Indexes` flag within the |
| 31 | +`Options` directive. |
45 | 32 |
|
46 |
| - # Make sure that directory listings are disabled. |
47 |
| - <IfModule mod_autoindex.c> |
48 |
| - Options -Indexes |
49 |
| - </IfModule> |
| 33 | +TYPO3's default :file:`.htaccess` disables indexing with the following setting: |
| 34 | + |
| 35 | +.. code-block:: apacheconf |
| 36 | + :caption: /var/www/myhost/public/.htaccess |
50 | 37 |
|
51 |
| -This example, does not set all `Options`, it just removes `Indexes` from the |
52 |
| -list of Options. Directory indexing is provided by the module `autoindex`. |
53 |
| -By setting the options this way, it will be disabled in any case, even if the |
54 |
| -module is currently not active but might be activated at a later time. |
| 38 | + <IfModule mod_autoindex.c> |
| 39 | + Options -Indexes |
| 40 | + </IfModule> |
55 | 41 |
|
56 |
| -It is also possible, to configure the `Options` in the Apache configuration, |
57 |
| -for example: |
| 42 | +Alternatively, set this directly in your Apache site configuration: |
58 | 43 |
|
59 |
| -.. code-block:: apacheconf |
60 |
| - :caption: /etc/apache2/sites-available/myhost.conf |
| 44 | +.. code-block:: apacheconf |
| 45 | + :caption: /etc/apache2/sites-available/myhost.conf |
61 | 46 |
|
62 |
| - <IfModule mod_autoindex.c> |
| 47 | + <IfModule mod_autoindex.c> |
63 | 48 | <Directory /var/www/myhost/public>
|
64 |
| - # override all Options, do not activate Indexes for security reasons |
65 | 49 | Options FollowSymLinks
|
66 | 50 | </Directory>
|
67 |
| - </IfModule> |
| 51 | + </IfModule> |
68 | 52 |
|
69 |
| -Please note that the `Options` directive can be |
70 |
| -used in several containers (for example `<VirtualHost>`, `<Directory>`, |
71 |
| -in the Apache configuration) or in the file :file:`.htaccess`. |
72 |
| -Refer to the `Options <https://httpd.apache.org/docs/2.4/mod/core.html#options>`__ |
73 |
| -directive for more information. |
| 53 | +See the `Apache Options directive documentation <https://httpd.apache.org/docs/2.4/mod/core.html#options>`__ |
| 54 | +for more information. |
74 | 55 |
|
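Review bot: The new heading "Disable indexing in Apache (.htaccess)" undersells the section, which also shows the site-configuration variant under `/etc/apache2/sites-available/myhost.conf`; "Disable indexing in Apache" would be accurate for both. More importantly, the removed paragraph and the removed comment "# override all Options, do not activate Indexes for security reasons" were the only places explaining the difference between the two examples: `Options -Indexes` only removes the `Indexes` flag and leaves the other options as they are, whereas `Options FollowSymLinks` is an absolute setting that replaces the whole option set (every other option for that directory is turned off). Readers copying the second block should be told that, so please restore a one-line comment above `Options FollowSymLinks` saying it overrides all options. Dropping the note that `Options` can appear in `<VirtualHost>`, `<Directory>` or `.htaccess` is acceptable since the link to the directive documentation remains.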
75 |
| -Nginx |
76 |
| -===== |
| 56 | +.. _security-directory-indexing-nginx: |
77 | 57 |
|
78 |
| -For Nginx, directory listing is handled by the `ngx_http_index_module` and |
79 |
| -directory listing is disabled by default. |
| 58 | +Disable indexing in Nginx (server block) |
| 59 | +======================================== |
80 | 60 |
|
81 |
| -You can explicitly disable directory listing by using the parameter |
82 |
| -`autoindex`. |
| 61 | +This applies to Nginx installations where settings are configured in the |
| 62 | +server block (virtual host configuration). |
83 | 63 |
|
84 |
| -.. code-block:: nginx |
85 |
| - :caption: /etc/nginx/sites-available/myhost.com |
| 64 | +Although directory listing is disabled by default in Nginx, you can explicitly |
| 65 | +disable it by setting `autoindex off;`: |
86 | 66 |
|
87 |
| - server { |
88 |
| - # ... |
| 67 | +.. code-block:: nginx |
| 68 | + :caption: /etc/nginx/sites-available/myhost.com |
89 | 69 |
|
| 70 | + server { |
90 | 71 | location /var/www/myhost/public {
|
91 | 72 | autoindex off;
|
92 | 73 | }
|
93 |
| - } |
| 74 | + } |
| 75 | +
|
| 76 | +.. _security-directory-indexing-iis: |
| 77 | + |
| 78 | +Disable indexing in IIS (Windows Server) |
| 79 | +======================================== |
94 | 80 |
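Review bot: The unchanged `location /var/www/myhost/public {` in the Nginx example uses a filesystem path where nginx expects a URI prefix; no request URI starts with `/var/www/...`, so this location never matches and the `autoindex off;` inside it has no effect. Use `location / {` within the server block whose `root` is `/var/www/myhost/public`, or simply put `autoindex off;` at server level, where it applies to all locations. Removing the `# ...` placeholder also makes the snippet read like a complete server block although `listen`, `server_name` and `root` are missing; keeping the placeholder signals that these lines belong to an existing configuration.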
|
95 |
| -IIS |
96 |
| -=== |
| 81 | +This applies to IIS web servers on Windows Server systems. |
97 | 82 |
|
98 |
| -For IIS web servers, directory listing is also disabled by default. |
| 83 | +Directory listing is disabled by default. If enabled, you can turn it off using |
| 84 | +the IIS Manager: |
99 | 85 |
|
100 |
| -It is possible to disable directory listing in the event it was enabled because of a |
101 |
| -regression or a configuration change. |
| 86 | +- Open the :guilabel:`Directory Browsing` settings |
| 87 | +- Set the feature to :guilabel:`Disabled` |
102 | 88 |
|
103 |
| -For IIS7 and above, it is possible to disable directory listing from the |
104 |
| -:guilabel:`Directory Browsing` settings using the IIS manager console. |
105 | 89 |
|
106 |
| -Alternatively, the following command can be used: |
| 90 | +Or use the command line: |
107 | 91 |
|
108 |
| -.. code-block:: shell |
109 |
| - :caption: command line |
| 92 | +.. code-block:: shell |
| 93 | + :caption: command line |
110 | 94 |
|
111 |
| - appcmd set config /section:directoryBrowse /enabled:false |
| 95 | + appcmd set config /section:directoryBrowse /enabled:false |
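Review bot: `appcmd set config /section:directoryBrowse /enabled:false` with no configuration path writes to the server-level `applicationHost.config`, i.e. it changes directory browsing for every site on the server; to scope it to the TYPO3 site pass the site name first, as in `appcmd set config "Default Web Site" /section:directoryBrowse /enabled:false`. It is also worth stating that `appcmd.exe` lives in `%windir%\System32\inetsrv` and is not on `PATH` by default, and that the command needs an elevated prompt. In the IIS Manager steps, the first bullet should mention selecting the server or site node before opening :guilabel:`Directory Browsing`, since the feature is shown per scope.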