I'm running Apache on CentOS 7. I have configured multiple virtual hosts. Their root directories are in /var/www/html/{example.com, sub1.example.com, etc.}. I have also configured a 000-default.conf vhost to redirect all incoming traffic (which is not covered by one of the virtual hosts) to the main document root (/var/www/html) and show a blank page.
But know I face a critical security issue: If a visitor is redirected into the document root with the blank index.html file, he can append the URL with "/example.com" and visit this directory. This might not seem dangerous, but imagine if for example a Laravel application is installed there, which has it's one public folder (/var/www/html/example.com/public). Then a visitor would be able to browse the laravel directory with all it's configuration files!
How can I prevent this?
Best Answer
You can prevent directory listings using the following apache directives:
You can set this globally in httpd.conf, for a particular directory using the
<Directory </Directory>block as below or using.htaccessfile inside the directory.For further reference: Directory Listing Configuration