Hi,

Since I have a multi web hosting, I can't browse all my directories
All my directories have the right permissions....
When I tried to connect I have :

[Sun Feb 11 20:46:25 2007] [error] [client 192.168.9.2] Directory index
forbidden by rule: /home/toto/support/download/

I can display correctly all HTML pages, but cannot display a folder content.

Using a Vistualhost -> Directory : /home/toto
I suspect that I have to add some directive like
AllowOverride None
(I add this in to my virtual host, but wihtout any success...)
I am not sure of what I need to add exactly

- Should I add something into the Main config section ? or should I add
something in each Virtualhost section ?

Thanks for your

Stephane

On 11 Feb, 21:38, Stephane M <Steph...@M.com> wrote:
> Hi,
>
> Since I have a multi web hosting, I can't browse all my directories
> All my directories have the right permissions....
> When I tried to connect I have :
>
> [Sun Feb 11 20:46:25 2007] [error] [client 192.168.9.2] Directory index
> forbidden by rule: /home/toto/support/download/
>
> I can display correctly all HTML pages, but cannot display a folder content.
>
> Using a Vistualhost -> Directory : /home/toto
> I suspect that I have to add some directive like
> AllowOverride None
> (I add this in to my virtual host, but wihtout any success...)
> I am not sure of what I need to add exactly
>
> - Should I add something into the Main config section ? or should I add
> something in each Virtualhost section ?
>
> Thanks for your
>
> Stephane

Options +Indexes

in your vhost, or better in a httpd-per-directory.conf file
which you include in your main conf.

if you have alot of vhosts they will get cluttered, and unless
you _really_ want to enable this site-wide you should limit it to
only the directory in question, (not forgetting that you will have
to override it to turn it off in all subdirectories)

having indexes switched off s prevent path traversal attacks,
where the attacker guesses about your OS and therefore how to attack
it based on the setup of directories, and also knows where to aim
for if they get the chance.

shimmyshack a écrit :
> On 11 Feb, 21:38, Stephane M <Steph...@M.com> wrote:
>> Hi,
>>
>> Since I have a multi web hosting, I can't browse all my directories
>> All my directories have the right permissions....
>> When I tried to connect I have :
>>
>> [Sun Feb 11 20:46:25 2007] [error] [client 192.168.9.2] Directory index
>> forbidden by rule: /home/toto/support/download/
>>
>> I can display correctly all HTML pages, but cannot display a folder content.
>>
>> Using a Vistualhost -> Directory : /home/toto
>> I suspect that I have to add some directive like
>> AllowOverride None
>> (I add this in to my virtual host, but wihtout any success...)
>> I am not sure of what I need to add exactly
>>
>> - Should I add something into the Main config section ? or should I add
>> something in each Virtualhost section ?
>>
>> Thanks for your
>>
>> Stephane
>
> Options +Indexes
>
> in your vhost, or better in a httpd-per-directory.conf file
> which you include in your main conf.
>
> if you have alot of vhosts they will get cluttered, and unless
> you _really_ want to enable this site-wide you should limit it to
> only the directory in question, (not forgetting that you will have
> to override it to turn it off in all subdirectories)
>
> having indexes switched off s prevent path traversal attacks,
> where the attacker guesses about your OS and therefore how to attack
> it based on the setup of directories, and also knows where to aim
> for if they get the chance.
>

But with Options +Indexes, Can I just allow a specific directory ?

I don't want to show all my directories..
For each VirtualHost, I just need to allow 1 directory for downloading....

Should be quite secure ??

On 11 Feb, 22:17, Stephane M <Steph...@M.com> wrote:
> shimmyshack a écrit :
>
>
>
> > On 11 Feb, 21:38, Stephane M <Steph...@M.com> wrote:
> >> Hi,
>
> >> Since I have a multi web hosting, I can't browse all my directories
> >> All my directories have the right permissions....
> >> When I tried to connect I have :
>
> >> [Sun Feb 11 20:46:25 2007] [error] [client 192.168.9.2] Directory index
> >> forbidden by rule: /home/toto/support/download/
>
> >> I can display correctly all HTML pages, but cannot display a folder content.
>
> >> Using a Vistualhost -> Directory : /home/toto
> >> I suspect that I have to add some directive like
> >> AllowOverride None
> >> (I add this in to my virtual host, but wihtout any success...)
> >> I am not sure of what I need to add exactly
>
> >> - Should I add something into the Main config section ? or should I add
> >> something in each Virtualhost section ?
>
> >> Thanks for your
>
> >> Stephane
>
> > Options +Indexes
>
> > in your vhost, or better in a httpd-per-directory.conf file
> > which you include in your main conf.
>
> > if you have alot of vhosts they will get cluttered, and unless
> > you _really_ want to enable this site-wide you should limit it to
> > only the directory in question, (not forgetting that you will have
> > to override it to turn it off in all subdirectories)
>
> > having indexes switched off s prevent path traversal attacks,
> > where the attacker guesses about your OS and therefore how to attack
> > it based on the setup of directories, and also knows where to aim
> > for if they get the chance.
>
> But with Options +Indexes, Can I just allow a specific directory ?
>
> I don't want to show all my directories..
> For each VirtualHost, I just need to allow 1 directory for downloading....
>
> Should be quite secure ??


I see, I did this by using an alias like so: (so that all my
virtualhosts can share the download folder)
Alias /downloads "/usr/local/apache2/vhosts/private/downloads"
<Directory "/usr/local/apache2/vhosts/private/downloads">
Options +Indexes +FollowSymLinks
IndexOrderDefault Ascending Description
IndexOptions +FancyIndexing -IconsAreLinks +FoldersFirst
+NameWidth=* +IgnoreCase +SuppressDescription +SuppressHTMLPreamble
+SuppressColumnSorting
AllowOverride None
# Order deny,allow
# Deny from bandwidth_slurping_bots
</Directory>

then whenever someone requests

http://sub1.server.com/downloads/
or
http://sub2.server.com/downloads/
etc...
they all get redirected to the folder which does alllow indexing.
The virtual hosts remain unaffected by the +indexes rules, and there
is no subdirectory of the downloads folder.
I put these rules in a httpd-autoindex.conf file - where all the
indexed directories live, so I can check through them to make sure
they are all secure.

Is that what you need?

shimmyshack a écrit :
> On 11 Feb, 22:17, Stephane M <Steph...@M.com> wrote:
>> shimmyshack a écrit :
>>
>>
>>
>>> On 11 Feb, 21:38, Stephane M <Steph...@M.com> wrote:
>>>> Hi,
>>>> Since I have a multi web hosting, I can't browse all my directories
>>>> All my directories have the right permissions....
>>>> When I tried to connect I have :
>>>> [Sun Feb 11 20:46:25 2007] [error] [client 192.168.9.2] Directory index
>>>> forbidden by rule: /home/toto/support/download/
>>>> I can display correctly all HTML pages, but cannot display a folder content.
>>>> Using a Vistualhost -> Directory : /home/toto
>>>> I suspect that I have to add some directive like
>>>> AllowOverride None
>>>> (I add this in to my virtual host, but wihtout any success...)
>>>> I am not sure of what I need to add exactly
>>>> - Should I add something into the Main config section ? or should I add
>>>> something in each Virtualhost section ?
>>>> Thanks for your
>>>> Stephane
>>> Options +Indexes
>>> in your vhost, or better in a httpd-per-directory.conf file
>>> which you include in your main conf.
>>> if you have alot of vhosts they will get cluttered, and unless
>>> you _really_ want to enable this site-wide you should limit it to
>>> only the directory in question, (not forgetting that you will have
>>> to override it to turn it off in all subdirectories)
>>> having indexes switched off s prevent path traversal attacks,
>>> where the attacker guesses about your OS and therefore how to attack
>>> it based on the setup of directories, and also knows where to aim
>>> for if they get the chance.
>> But with Options +Indexes, Can I just allow a specific directory ?
>>
>> I don't want to show all my directories..
>> For each VirtualHost, I just need to allow 1 directory for downloading....
>>
>> Should be quite secure ??
>
>
> I see, I did this by using an alias like so: (so that all my
> virtualhosts can share the download folder)
> Alias /downloads "/usr/local/apache2/vhosts/private/downloads"
> <Directory "/usr/local/apache2/vhosts/private/downloads">
> Options +Indexes +FollowSymLinks
> IndexOrderDefault Ascending Description
> IndexOptions +FancyIndexing -IconsAreLinks +FoldersFirst
> +NameWidth=* +IgnoreCase +SuppressDescription +SuppressHTMLPreamble
> +SuppressColumnSorting
> AllowOverride None
> # Order deny,allow
> # Deny from bandwidth_slurping_bots
> </Directory>
>
> then whenever someone requests
>
> http://sub1.server.com/downloads/
> or
> http://sub2.server.com/downloads/
> etc...
> they all get redirected to the folder which does alllow indexing.
> The virtual hosts remain unaffected by the +indexes rules, and there
> is no subdirectory of the downloads folder.
> I put these rules in a httpd-autoindex.conf file - where all the
> indexed directories live, so I can check through them to make sure
> they are all secure.
>
> Is that what you need?
>

Yes, that is what I need
Thank you !!!