List Dir Contents - Forbiddden - Options +Indexes - httpd.conf

rooftop · October 5, 2012, 11:57am

Hi

I’d like to view the contents of a Directory (without an index file set up).

But my VPS is configured to prevent this. I’m very new to this - very inexpert.

I have tried uploading a .htaccess file with the following:

Order allow,deny
    Allow from all
    Options +Indexes

But that doesn’t work.

I understand from searching Google that

Options -Indexes

in my httpd.conf would prevent .htaccess files from functioning.

How do I safely view the contents of httpd.conf? (I can use Putty / SSH though I am a beginner but not sure of the cmd)
If it is wise to do so - how do I edit httpd.conf and set to Options -Indexes to Options +Indexes

— OR —

Is this a better idea?
http://serverfault.com/questions/350447/apache-options-indexes-still-results-in-403-forbidden-or-apache-test-page

— OR —

Is there a better alternative?

PromptSpace · October 5, 2012, 2:16pm

If you have SSH, SSH to your account. Find the location of your httpd.conf file by typing the command:

find / -name httpd.conf

Once you find the location of the file, use a text editor like Nano or Vim to edit the file:

nano /path to the httpd.conf

Edit is as you like and save it.

rooftop · October 5, 2012, 3:34pm

Thanks for your prompt advice.

And do you think changing the instances of -Indexes in my httpd.conf is smartest way for me to get the files/dirs listed in that ONE dir I need?

I’d like to keep the server as secure as possible and I get the feeling here that I am turning on the ‘listing’ for all dirs across the server.

rooftop · October 5, 2012, 3:45pm

wow. this pretty hair raising stuff. i can see me trashing the vps.

How do I find out if I have Vim or nano installed on my VPS (I guess thats where i should expect them to be?)
Is there a nice tutorial somewhere on opening a ssh connection in either and editing a file.
Is there a site out there for beginners like me about managing my vps… my host is reluctant to help.

PromptSpace · October 5, 2012, 6:32pm

Why dont you opt for a managed vps? They are pretty cheap now a days.

cpradio · October 5, 2012, 6:41pm

If you are on a linux server, chances are you have vim, emacs, or nano available (maybe all 3, nano is very user friendly)

Use PuTTY, type in your domain name, Port should be 22, and when asked for a username and password, enter your username and password of your SSH account (sometimes this is the same as your FTP account, sometimes it is a separate account)

If you have a linux server, my best recommendation is to get a security book about securing apache on linux, I don’t have one specifically in mind, I just know they exist and would likely be very helpful to you.

dklynn · October 6, 2012, 4:53am

TIME OUT!

Displaying directory contents “in the wild” can make hacking easy. Simply FTP to your website and view the contents with your FTP client. If you HAVE to display it in a browser, edit that ONE directory’s .htaccess and add Options +Indexes - but remove it when you’re done.

Regards,

DK

rooftop · October 6, 2012, 9:03pm

Thanks DK

I tried editing that ‘ONE directory’s .htaccess and adding Options +Indexes’ but it didn’t make any difference.

I guess as Shane Madden replies in this thread the ‘AllowOverride None would prevent .htaccess files from functioning’. See Here.

But I’m afraid I don’t know where to put his suggested code and if, following your advice, its a good idea at all.

Would it be safer to ask the client to upload an index.html with a hardcoded list of the files and sub-directories?

dklynn · October 7, 2012, 7:20am

rt,

For a thorough overview of Apache’s core AllowOverride directive (including options), here’s your link: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride. Basically, it enables (All) or disables (None) use of the .htaccess file, i.e., All is required if you want to use your .htaccess file. I rely on mod_rewrite and change my code often enough that I need to use .htaccess.

You can use your Options +Indexes in the httpd.conf, httpd-vhosts.conf or .htaccess file.

No, if this is your client, then he/she should be able to give you FTP access (username and password to the domain’s DocumentRoot directory, i.e., the client’s public_html or www directory) even if only on a temporary basis.

As before, IMHO, it’s NOT advisable to provide directory listings to the public so FTP is my recommendation. It can be setup quickly and deleted by the client even faster.

I have used a script to read a directory and list files but I removed that script upon completing my task.

Regards,

DK