Hi all, Is it possible to protect the root of the server (/var/www) with a htaccess file. At this moment, if you type in the ip-address of the website, you get to see the listing of the var/www dir. I wanted to prevent that by placing a htaccess restriction, but that also streams down to underlying dirs. Is it possible to only protect the /var/www dir somehow? Thanx Randy
also Also I noticed that everytime I start apache I get the message: "warn namevirtualhost xx.xx.xx.xx has no virtual hosts. I found that in the sites-available dir I have a default file with a NamevirtualHost * directive. Now since I have learned from Till That ISPConfig does not use namebased virtual hosting, this directive must have been created during the installation of appache..? Could I totally remove the contents? Or alter it so that when you time the ip-address of the server in the browser that you don't see the content of /var/www? (was first question above)... See below: NameVirtualHost * <VirtualHost *> ServerAdmin webmaster@localhost DocumentRoot /var/www/ <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all # This directive allows us to have apache2's default start page # in /apache2-default/, but still have / go to the right place # RedirectMatch ^/$ /apache2-default/ </Directory> ##################### #<Directory "/var/www"> # AuthType Basic # AuthName "Restricted" # AuthUserFile /var/www/.htpasswd # require valid-user #</Directory> ########## ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined ServerSignature On Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> </VirtualHost> Thanx all !!
You should see the Shared-IP page. Which ISPConfig version are you using? You can ignore that warning. It just means that you have listed an IP address in your Apache configuration which doesn't host any web sites (yet).
I observed the same behaviour: full directory browsing of /var/www instead of the shared IP page when accessing with another IP address than the default one... This is a very serious security flaw! Using ISPConfig 2.2.21 on GNU/Linux Ubuntu 6.06 LTS My /etc/apache2/sites-available/default look the same than Randy's one. As a quick workaround, just disable indexes on /var/www globally ("-Indexes" instead of "Indexes"), like this: <Directory /var/www/> Options -Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all # This directive allows us to have apache2's default start page # in /apache2-default/, but still have / go to the right place # RedirectMatch ^/$ /apache2-default/ </Directory>
