how to enable and disable web directory listing on your web server
The web server that you use to host your website has not only the ability to render and display web pages but also the ability to display directories and it content. This feature is also referred to as the directory listing of the server. To be honest, there is usually never a reason to enable the directory listing for a normal website.
Having said that, there are some cases where it might be useful. If you have an ftp web server, then the feature allow the users to easily browse the content of the server and download specific files. Sometimes you have a website that exposes files and executables that are constantly changing or being built. You can expose the directory so that the users can easily download the latest or the specific versions of the files they need. I am sure you have seen such file download websites.
If you have a "normal" website that displays rendered web pages, then there is no reason to have the directory listing feature. Actually, disabling it would be a good idea so that users cannot see and view your files, such as resource files or unused files. You could argue that this is kind of a security feature, where security is mostly by obscurity.
The easiest way to test whether you have the feature enabled or not is to create a folder that does not contain any files that you have designed as welcome files. The welcome files are usually the files that gets rendered by default when you access a URL without an explicit filename. Usually, these files are named index followed by a file extension (eg. index.htm, index.html, index.jsp etc).
Once you have created a folder (eg. newfolder/) on your web server, try to access the folder using a web browser. A typical URL will look something like http://www.example.com/newfolder/. If you are able to see the files that are in the folder listed, then you have the directory listing enabled on your server.
There are several popular web servers: Apache HTTP Server, Nginx, Jetty and Apache Tomcat are some of the widely used servers. All of these servers provide the ability to either enable or disable the directory listing features. We will see how you can do it for each of these servers.
Apache HTTP Server
Apache HTTP Server is probably the most widely used web server of all. If your website is hosted on a commercial host with shared resources, then it is very unlikely that you have the rights to configure the entire web server. That is because many web sites other than yours are hosted on the same server.
But Apache provides the ability to configure your website differently or separately, using what is called Server Side Overrides. This gives you the ability to customize some of the web server behaviour using a configuration file called .htaccess. You will have to make sure that this feature is enabled and you have access to edit your .htaccess file.
It is very likely that you already a .htaccess file in your file sysem. Ideally, every directory could have a .htaccess file that controls the access rights to that folder and its sub-folders unless overridden by another one in the sub-folder.
So, open the appropriate .htaccess file in text editor. Add the following line to the file and save the file.
Options -Indexes
This will disable the directory listing feature for the folders that is controlled by this file. To disable the feature site-wide you can modify the .htaccess file in the root folder. Now, if you want to enable the feature then you either remove the option line completely or do modify the same line as below:
Options +Indexes
If you have a dedicated server where you have access to the Apache configuration file, then you have another option in addition to the .htaccess method above. First locate the apache configuration file on your server which is usually located at /etc/apache2/apache2.conf.
Open the apache2.conf file in a text editor and find the section that handles the directory where your pages are served from. You will see a section or directive that looks similar to this:
<Directory /var/www/> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory>
Now modify this section by removing the Indexes from the list of Options. After you modify the file, it should look something like this:
<Directory /var/www/> Options FollowSymLinks AllowOverride None Require all granted </Directory>
You can now save and restart the server so to make sure that you have modified the file correctly and that the new options are effective.
Apache Tomcat
Apache Tomcat is a widely used java servlet container for websites or web applications that needs an application server. Other popular application servers are Oracle Weblogic or IBM Websphere. Though not as feature rich as other commercial products, the Tomcat Server is a open source product that works quite well and is widely used to host web applications.
Apache Tomcat server uses a global configuration called web.xml to handle the configuration of all deployed applications. You can find this global web.xml at <Catalina_Home>/conf/web.xml. Open this file in a text editor and find the section that configures the default servlet.
You will find the section that looks something like this:
<servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> ...... <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>
The param-name called listings is the parameter that controls the directory listing feature in the Tomcat server. You can disable the directory listing feature by setting the param-value to false for this param. You can set it to true if you want to enable the feature.
Many other servlet containers such as JBoss also follows the same pattern. You will need to locate the global web configuration and the default servlet configuration and modify the param-value to false.
Now restart the server and test to make sure that the configuration is correct.
Nginx
Nginx is open source web server that has gained quite a bit of following. It is a direct competitor to Apache Server and is designed and built to outperform the Apache Server.
The module that processes server requests that ends with a "" (slash) and no specific file name is called /ngx_http_autoindex_module. When the http module cannot find an index file in the directory, it passes the request on to this module.
The parameter that controls the directory listing or indexing is called autoindex in the configuration file. The configuration file is named nginx.conf. Open the nginx.conf in a text editor and find the server configuration section. You will see something like the following:
server { listen 80; server_name example.com www.domainexample.com; root /path/to/root; location / { index index.php index.html index.htm; } location /newfolder { autoindex off; } }
You can add the line autoindex off inside any of the location section. In order to disable directory listing throughout the website, add the autoindex parameter to the root location (""). You can specify specific locations to disable it selectively. To enable directory listing, you use the /*autoindex on* option in the file.
Jetty
Just like Tomcat Server, Jetty is a HTTP web server and a Java servlet container. Again, the directory listing is controlled by the default servlet in this case.
If you use a web.xml in your web application, you can modify the web.xml and default configuration params to disable directory listing. Open the web.xml and find the default servlet section. It will look something like this:
<servlet> <servlet-name>default</servlet-name> <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class> <init-param> <param-name>dirAllowed</param-name> <param-value>false</param-value> </init-param> </servlet>
The parameter that handles the directory listing is called dirAllowed. You can set that to false to disable the directory listing and to true to enable it.
No matter which web server you use, you should have a setting or configuration that will allow you to enable and disable directory listing of your folders. Most of the web servers and application servers will follow the patterns that were described above, so you should be able to figure how exactly to do it quite easily.