cancel
Showing results for 
Search instead for 
Did you mean: 

deny directory listing

N/A

deny directory listing

Hi,

I'm trying to block visitors viewing the contents of my directories without index.html files in them. I have used the .htaccess 'Options -Indexes' directive but it does not work :?

With the code in place, any request to my site just eternally downloads something unknown at 25% of my broadband capacity until I stop the browser.

Anyone managed to successfully block directory listings like this?

- Gareth
5 REPLIES
N/A

Re: deny directory listing

Quote
I'm trying to block visitors viewing the contents of my directories without index.html files in them. I have used the .htaccess 'Options -Indexes' directive but it does not work :?

Don't you require a statement like:
    IndexIgnore *

There's some useful help at http://www.javascriptkit.com/howto/htaccess11.shtml, but perhaps this is what is causing confusion! It starts off by saying:

Quote
Typically a server is setup to prevent directory listing, but sometimes they are not. If not, become self-sufficient and fix it yourself:

IndexIgnore *

and later says:

Quote
And conversely, if your server is setup to prevent directory listing, but you want to list the directories by default, you could simply throw this into an htaccess file the directory you want displayed:

Options +Indexes


I think the second statement needs to be interpreted in the light of the first -- that typically a server is set up to prevent directory listing, so you might want to reverse that behaviour!
N/A

deny directory listing

Thanks for your reply, task.

That does block the files being shown but still returns a directory list-style page. I am hoping to redirect the visitor to a custom Error 403 page.

According to http://httpd.apache.org/docs/mod/core.html#options this should be possible within the .htaccess file.

- Gareth
N/A

deny directory listing

N/A

deny directory listing

Quote
According to http://httpd.apache.org/docs/mod/core.html#options this should be possible within the .htaccess file.


Well, I agree -- according to what I read there, I think your "Options -Indexes" should have worked!

I see, though, for particular directives to be obeyed in .htaccess files, certain parameters have to be set in an "AllowOverrides" statement in the main configuration file, and unless "AllowOverrides Options" is specified, Options directives in .htaccess files will be ignored. [Horrible sentence -- hope you can see what I'm getting at!]

But, looking through the directives, I saw you could do bit of a sneaky thing with the DirectoryIndex directive, which could be adapted to your purpose:
Quote
Note that the documents do not need to be relative to the directory;
    DirectoryIndex index.html index.txt /cgi-bin/index.pl
would cause the CGI script /cgi-bin/index.pl to be executed if neither index.html or index.txt existed in a directory.


So, if you had a page "/errors/err403verboten.html" which provided the message you wanted to send when someone attempted to access a directory with no index file, you could set up your DirectoryIndex as follows:
    DirectoryIndex index.html index.htm /errors/err403verboten.html


At least, I think that'd work!
N/A

deny directory listing

Good theory. Just tested it and it works perfectly Cheesy

And now I can lay my beautifully crafted .htaccess file to sleep, thank you! F9 owe you one, task. You saved them a ticket Wink

- Gareth