Folder permissions question

I am hosting a website on a Linux-Apache server. I have a folder called ‘docs’. I want to be able to link directly to a PDF file within this folder, i.e. www.mydomain.com/docs/filename.pdf. But what I don’t want is to have users be able to see all the files displayed as a list if they were to type in www.mydomain.com/docs/. What do I need to do so the files can be directly linked and downloadable, while not allowing visitors to view the complete file list of all content within that folder? Is it a matter of changing a folder’s permissions or something else?

Never mind my answer… see the one below from dklynn

PP,

That’s a simple one because Apache has a directive specifically for just such a situation (not exposing files contained in a directory):

Options -Indexes

If you need to learn more about all things Apache, go to http://httpd.apache.org/docs/index.html and pick your version of Apache.

Regards,

DK

Thanks for the reply, but I have no idea how to or where to do this? Can anybody please help?

A simple option is to put a file in that folder called index.php

It can even be blank, but it will prevent anyone from viewing that file list you speak of.

Or it can just be called index.html, by the way. I’m on a phone, so couldn’t edit the last post.

Thanks, that was an easy fix :slight_smile:

Ralph,

Sorry, as I explained to Guido via PM:

.htaccess in the DocumentRoot can be used to tell Apache the following:

  • The names and order of the DirectoryIndex files to use when none are specified in the URI.
  • Options -Indexes is the directive to tell Apache it’s not permitted to provide a file listing of the directory.
  • ErrorDocument 404 /404_handler_file is used to tell Apache not to use its default error page but your 404_handler_file.
  • Etc.

PLEASE use the correct statements to control Apache functions as the use of an index.php file was serendipitous in its meeting the OP’s request.

Regards,

DK

Thanks David. I knew your solution would be much better, but had sympathy for the OP, who (if anything like me) is probably bewildered by this stuff. Unless I have my hand held and every step laid out in full, I easily get lost in the crevasses of undefined steps, so to speak.

To expand on your advice above, do you mean that, in a .htaccess file in the root folder, the following should be added to deal with situations like this?

Options -Indexes
ErrorDocument 404 /my-404-page.html

Hi Ralph,

Thanks for that.

I was ready to respond with the .htaccess information but saw your back-and-forth with PP and HAD to comment.

In explanation for the serendipity comment, the server must be using index.php somewhere in its DirectoryIndex statement (in httpd.conf). The simple fact that you chose that meant that Apache would serve the (null?) index.php file rather than the (Options +Indexes) directory listing. Serendipity can be a useful tool but, if you actually know what you’re doing, you don’t need it (Luck - “The Good Lord protects babies, drunks and fools” - and it’s best not to be the latter and I’m far too old to be in the first category :drink: ).

Actually, I will tend to use (without comments or going into mod_rewrite code):

# .htaccess in DocumentRoot

# Set Apache Options
Options -Indexes -MultiViews

# Set Directory Indexes
DirectoryIndex index.php index.html home.php other_as_required

# Set ErrorDocument for this domain
ErrorDocument 404 /sitemap.php

# OPTIONAL code to prohibit viewing .htaccess file
<Files .htaccess>
	order allow,deny
	deny from all
</Files>

Explanation(s):

  1. The .htaccess file is a server file peculiar to Apache in which you can put limited directives aimed at Apache. The only “trick” is to know that (ab)use of .htaccess should be very limited and is only useful to webmasters with no access to the server/virtual host conf files.
  2. Options -Indexes tells Apache it’s prohibited from providing directory listings.
  3. Options -MultiViews tells Apache NOT to serve files in directory positions in the URI, i.e., NOT to serve http://example.com/index.php/yadda-yadda/whoop-de-do's index.php file and allow it to parse the remaining parts of the path/file in the URI. To make matters worse, +MultiViews will also attempt to serve any extension with the same filename as a directory name in the path - and this trips-up newbie webmasters!
  4. DirectoryIndex sets the order Apache will search for a default file to serve when no filename is present in the URI. While generally set in the httpd.conf (the server’s configuration file), a webmaster can change the default name very easily. This is useful when developing/modifying a website as you can serve a “coming soon” or “update in progress” page simply by changing the order and testing using a direct link to the website’s intended (future) DirectoryIndex.
  5. Apache will serve a default error document script unless you specify one you have built for your website. I’ve used the Home page (index.php), error.php but I’ve shown sitemap.php above as a good alternative (it helps visitors find what they’re looking for).
  6. This <Files> wrapper has specified that no one is allowed to see, read, download or even know that an .htaccess file even exists (deny access to all).

When I get lazy, I’ll only use the DirectoryIndex and ErrorDocument but the others should be considered the best candidates for inclusion … with the caveat that you don’t need the comments I inserted so they should be removed for efficiency.

I hope that explanation helped everyone.

Regards,

DK
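The interplay of DirectoryIndex and Options -Indexes discussed in the posts above, as an added example that is not part of the thread or any poster's code: a simplified Python model of what Apache returns for a request to a directory such as /docs/. The function names, the server defaults and the trimmed .htaccess text are constructed assumptions; the model covers only Options and a single DirectoryIndex line.

```python
# Added illustration (not from the thread): a simplified model of how Apache
# answers a request for a directory URL such as /docs/.
ALL = {"execcgi", "followsymlinks", "includes", "includesnoexec",
       "indexes", "symlinksifownermatch"}  # "All" excludes MultiViews

def merge_options(inherited, args):
    """Apply the arguments of one Options line to the inherited option set."""
    signed = [a[0] in "+-" for a in args]
    if any(signed) and not all(signed):
        raise ValueError("Apache 2.4 rejects mixing +/- and unsigned options")
    result = set(inherited) if any(signed) else set()  # unsigned replaces
    for a in args:
        name = a.lstrip("+-").lower()
        names = ALL if name == "all" else set() if name == "none" else {name}
        if a[0] == "-":
            result -= names
        else:
            result |= names
    return result

def apply_htaccess(text, options, index):
    """Return (options, DirectoryIndex list) after reading .htaccess text.
    Assumes at most one DirectoryIndex line; other directives are ignored."""
    options, index = set(options), list(index)
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "options":
            options = merge_options(options, parts[1:])
        elif parts[0].lower() == "directoryindex":
            index = parts[1:]
    return options, index

def directory_response(files, options, index):
    """What a request for the directory itself returns."""
    for name in index:            # mod_dir: first existing index file wins
        if name in files:
            return "serve " + name
    # mod_autoindex builds a listing only when Indexes is on; otherwise 403
    return "listing" if "indexes" in options else "403 Forbidden"

# Constructed sample: server defaults plus .htaccess lines modelled on the post.
SERVER_OPTIONS, SERVER_INDEX = {"indexes", "followsymlinks"}, ["index.html"]
HTACCESS = """# .htaccess in DocumentRoot
Options -Indexes -MultiViews
DirectoryIndex index.php index.html home.php
"""
```

With these constructed defaults, a blank index.php in /docs still yields a listing because index.php is not in the server's DirectoryIndex, while the .htaccess turns the same request into a 403 whether or not an index file exists.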

Thanks David. That’s a fantastic little tutorial right there. Thanks for going into such detail. Certainly bookmarked for future reference. :slight_smile:

I’m a little hazy about the Multiviews part. Is +Multiviews the default? I use a CMS that does include index.php in the middle of the URI (http://example.com/index.php/yadda-yadda/), though I use some htaccess code to hide it, as most others do, too. I wonder how -Multiviews would affect that. I wasn’t clear on what “trips-up newbie webmasters” (says he, flat on his face).

Just open a text editor, and paste the following code.

<?php
    header('Location: ../');

Save it as index.php. Now upload it to /docs directory. :wink:

Or, you can configure .htaccess. :slight_smile:

Hi ayonkhan,

While your PHP redirect will work, it is generally not the preferred method. It requires that Apache make a route, read a page and then redirect when the .htaccess file is read and redirected prior to having to invoke PHP or load a page. When you get into really complicated rewrites then often using PHP redirects makes more sense.

Regards,
Steve

Ralph,

No problem. It seemed that a detailed explanation was necessary.

+MultiViews is not the default … probably because it’s such a PITA!

Sorry, I didn’t understand the question about the CMS with index.php in the middle of the URI. I’m familiar with WP which redirects everything (which does not exist as a file or directory) to its own index.php which then parses ({THE_REQUEST?} … well, that’s my guess). If your CMS DISPLAYS the index.php in the middle of the URI, then it’s got to invoke +MultiViews. As you can tell, I dislike that approach.

“Trips-up newbie webmasters” means that new webmasters don’t understand how MultiViews works so they casually select directory names which might duplicate file names. If that’s the case, they’ll never reach the directory contents. IMHO, that’s a GOTCHA!

Steve,

Spot on! When a webmaster cannot create a RewriteMap (does not have control over the server or virtual host configuration files), I’ve recommended that a PHP handler script be used to perform a file or database lookup for the redirection followed by a header(status) and then header(location) redirection. Since this is only made necessary when a webmaster needs to recreate a website while preserving PR for the old pages (and didn’t bother to use the same script names), this is rarely used.

As far as I’m concerned, mod_rewrite is an exceptionally powerful tool which can perform ALL necessary redirections (given the necessary permissions to modify the requisite files as noted above).

Regards,

DK