Apache - Reason for Indexes Directive

amygrant

Looking through an IncrediblePBX install and I notice that the httpd.conf has "Options Indexes FollowSymLinks" as a directive.

I am a new user but I don't understand why Indexes would be in there. Is there any reason I should leave Indexes?

To me it screams security hole and I can't see a use for it.
 
The use is to provide a file listing in a web directory with no index file if memory serves me correctly. There shouldn't be a security issue since there is no Internet web exposure with Incredible PBX.
 
Ok that kind of makes sense. I was going through various config files and as a long time web admin, that directive set off alarms in my head.

I like how Incredible PBX is so security conscious. Everything is closed and you open just what you need to get the job done. That's why it surprises me to see that directive. I don't see a need for it, and simply having it there for no reason opens the server to unnecessary exposure.

For example, it is assumed that piaf is sitting behind a firewall of some sort and not fully exposed to the net. However, it is still encouraged to tighten security up and give deny/permit restrictions on extensions.

I guess, to me, I'd rather not have the indexes directive. If I find a need for it, I can always loosen security and add it later. Until then, I'd rather keep my directories private, such as http://whateverdomain.com/admin/modules/
 
In addition to a hardware-based firewall, any subdirectories under /admin already are protected by a username and password. That's why we left Apache open for directory listings. We ASS-U-MEd that the use would be carefully limited already by virtue of the required password access.

P.S. I'm not arguing with you. Just explaining our thought process. You obviously can set it more securely if you want to. That's the beauty of the project. :wink5:

As far as design goes, my preference always has been to leave indexes access in place. But the very first thing I do when creating a new directory is to also create a blank index.html file to "turn off" file access... unless I really want it. To me, that's much easier (unless you forget) than having to create specific access rules for directories. Different strokes for different folks as they say.
 
Totally agree with you. Sorry if it seemed I was arguing, that wasn't my intention. I love nerdvittles and everything you do. I just saw something that popped out to me in the scope of things I do.

Thanks for the explanation :)
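
Added example, not part of the original thread or of Incredible PBX: a small audit for the two approaches discussed above. It reports which `Options` lines in a config turn `Indexes` on, and which directories under a web root have no index file and would therefore show a listing (the "unless you forget" case). The sample config, the directory names, and the assumption that `DirectoryIndex` is `index.html` are constructed for illustration.

```python
import os
import tempfile

# Assumption: DirectoryIndex is "index.html"; extend this to match your config.
INDEX_NAMES = ("index.html",)

# Constructed sample config, not taken from a real install.
SAMPLE_CONF = """\
# Options Indexes (commented out, ignored)
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/private">
    Options -Indexes +FollowSymLinks
</Directory>
"""

def lines_enabling_indexes(conf_text):
    """Return 1-based line numbers of Options directives that enable Indexes."""
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#") or parts[0].lower() != "options":
            continue
        opts = [p.lower() for p in parts[1:]]
        # "All" includes Indexes; "-Indexes" and "None" do not enable it.
        if any(o in ("indexes", "+indexes", "all") for o in opts):
            hits.append(n)
    return hits

def listable_dirs(docroot):
    """Return directories (relative to docroot) that contain no index file."""
    out = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if not any(name in filenames for name in INDEX_NAMES):
            out.append(os.path.relpath(dirpath, docroot))
    return sorted(out)

def demo():
    """Build a throwaway web root where two directories lack index.html."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("admin/modules", "recordings"):
            os.makedirs(os.path.join(root, d))
        for d in (".", "admin"):
            open(os.path.join(root, d, "index.html"), "w").close()
        return lines_enabling_indexes(SAMPLE_CONF), listable_dirs(root)

if __name__ == "__main__":
    print(demo())
```

The config check ignores `<Directory>` scoping and `.htaccess` overrides, so treat a reported line as a place to look rather than proof that a given path is listable.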
 
