This question about Configuration: Answered

Shared hosting forbids Options -Indexes

My hosting, awardspace, forbids Options -Indexes in .htaccess.

How should I configure root .htaccess?

-- DavidRimmer - 02 May 2016

That's used to prevent the web server from indexing a directory. Hopefully they block it by default, so there is no security exposure. If you visit a folder using the web interface and you don't get a generated list of files, you probably don't need this option. If they don't allow you to turn off directory indexing, and users (and bots) are able to poke around and look at directory contents, I suggest you find a different hosing site. That sounds like a huge security issue.

-- GeorgeClark - 03 May 2016

For various reasons, changing hosting is not an option.

They have suggested a work-around.

1. You may use the empty index.php file that we have placed in the directory on your behalf - by having an index file directory listing is automatically disabled.

Their index.php in the subdirectory wasn't empty - it contained

<? php

//phpinfo();

echo '' . "\xA";

?>

( I've clobbered the syntax slightly as I haven't sussed how to show php as plain text)

So, this dummy php just displayed a blank page.

404 would have been better - any suggestions on how to get a 404 response?

-- DavidRimmer - 03 May 2016

I don't know much at all about php, but searching the web found this: http://php.net/manual/en/function.http-response-code.php

-- GeorgeClark - 03 May 2016

The following inde.php file worked for me (space inserted after 1st ?)

<? php
header("HTTP/1.0 404 Not Found");
$root = $_SERVER['DOCUMENT_ROOT'];
include($root."error404.php");
?>

with an HTML base statement in the error document.

I haven't tried this out on the wiki yet - I'm trying to set up a private wiki for members of a group, so I want to get the privacy right.

The main problem with this approach is that it requires this file in every sub-directory and sub-sub-directory not to show its index.

I was hoping for a solution based on Apache rewrites, but Perl regular expressions are very new to me.

If I want to use the index.php method, I suppose I'll have to scatter them throughout the directory tree.

But what about any directories that Foswiki creates on the fly?

-- DavidRimmer - 06 May 2016

Every web server has facilities to block indexing of directories. This is completely outside of the control of Foswiki. It's pretty surprising that your provider doesn't allow you to block directory indexes. With the .htaccess option -Indexes, it's also inherited, so if you set that at a top level, it is blocked at the lower levels.

Rewriting the pub directory to the viewfile would probably work for pub protection, but it is extremely slow compared direct file access. The rewrite rule for a conventional http config is:
# Rewrite pub as viewfile
RewriteRule ^/+foswiki/+pub/+(.*)$  /foswiki/bin/viewfile/$1 [L,PT]

I don't have easy access to a .htaccess configured apache to try to test this.

-- GeorgeClark - 06 May 2016

I share your frustration, and can only thank you for being so helpful.

The only thing I can think of is that they may be blocking all Options for some other reason - Indexes just being collateral damage.

Below, fyi is their latest response.


FriMay 6 2016 10:41am
I don't know what you mean by
"We regret to inform you that disabling directory listing on the /xxx subdirectory is not allowed because "xxx" is a system directory that cannot be fully modified."

The xxx directory I'm talking about is just under the document root.

I've managed to cobble together some php based on your suggestion, but unfortunately it needs to go in every subdirectory and subsubdirectory not requiring indexing.

It also doesn't cope with dynamically created subdirectories.

Do you have a better solution - perhaps based on Apache rewrites?

I don't understand why Options -Indexes isn't the default.

The only use for allowing index listings that I can see is for a download site.
FriMay 6 2016 1:17pm - Pxxxx Sxxxx
Rate this answer: (Poor) (Excellent)
Hello David Rimmer,

I think what he was referring to, was the Apache extension "mod_alias", which is enabled on all Shared servers. When this extension is enabled, each domain/subdomain has an /icons directory at the website's root level. You can see the list of Apache icons here:

http://example.org.uk/icons/

As explained already, we do not support "Options -Indexes" on our Shared hosting platform. We apologize if this restriction causes you any inconvenience.

The only solutions currently available are:

- password protect the /xxx directory
- place a blank index.html/index.php page
- create an .htaccess file there (/example.org.uk/xxx/.htaccess) and paste the following code:

order allow,deny
deny from all

- create an .htaccess file in the root directory of your site (/example.org.uk/.htaccess) and paste the following code:

RewriteEngine On
RewriteBase /

RewriteCond %{REQUEST_URI} ^([^/]*)/(([^/]*)/)*$
RewriteCond %{REQUEST_FILENAME}index.php !-f
RewriteCond %{REQUEST_FILENAME}index.html !-f
RewriteCond %{REQUEST_FILENAME}index.htm !-f
RewriteRule (.*) /index.php [L]

The above code will deny your visitors the ability to list your sub-directories and files. The above code has already been tested and it works perfectly.

For the time being there are no other options available.

Feel free to reopen this ticket in case you have more questions or you need further assistance. Thank you for choosing our services.

Best Regards,
Pxxxx Sxxxx
Dedicated Support Team
Supportindeed.com

Ticket will be reopened on message post

-- DavidRimmer - 07 May 2016
 

QuestionForm edit

Subject Configuration
Extension
Version
Status Answered
Related Topics
Topic revision: r8 - 07 May 2016, DavidRimmer
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy