You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by "S. David Sheeks" <sd...@isdponline.com> on 2001/12/02 22:01:29 UTC

diretory browsing

How do I prevent directory browsing?

Re: Apache/2.0.28 - SSL bug?

Posted by Irmund Thum <it...@it97.dyn.dhs.org>.

Joshua Slive wrote:
> 
> Sorry, but I really don't believe that servername is ok.  Not when your
> server is sending trailing-slash redirects to new.host.name:443.  Does the
> SSL vhost have a proper servername?
you're right, I've simply forgotten this "standard" line within the
ssl.conf though editing the lines above and below.
This explains the link behavior with the missing trailing slash but not
why the page content is 
- well displayed with the Opera browser on Linux/Win - Netscape, IE Win
- page source is shown by Netscape, Galeon, w3m on Linux 

thanks
-- 
_ ___
|  |  Irmund    Thum
|  |

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: Apache/2.0.28 - SSL bug?

Posted by Joshua Slive <jo...@slive.ca>.

> From: ithum@it97.dyn.dhs.org [mailto:ithum@it97.dyn.dhs.org]> >
> > It sounds to me like ServerName is not set correctly, so when the server
> > tries to redirect you to the proper URL (with the trailing slash
> > included), you get sent to a bad hostname.
> >
> ServerName is ok (domain name), it was missing the trailing slash in
> https://it97.dyn.dhs.org/misc/LDAP
>                                   ^
> what produced that behaviour and thats brandnew for Apache 2.028,
> but doesn't still explain the different behaviour of displaying page
> content in different
> browsers (linux and win)

Sorry, but I really don't believe that servername is ok.  Not when your
server is sending trailing-slash redirects to new.host.name:443.  Does the
SSL vhost have a proper servername?

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Apache/2.0.28 - SSL bug?

Posted by Irmund Thum <it...@it97.dyn.dhs.org>.

Joshua Slive schrieb:
> 
> On Sun, 2 Dec 2001, Irmund Thum wrote:
> 
> > hi,
> > I'm testing Apache/2.0.28 (Unix) mod_ssl/3.0a0 OpenSSL/0.9.6b
> > on my linux box for SSL connections.
> > When I connect  to
> >     https://it97.dyn.dhs.org/
> > the server is pretty fast, but I've observed some strange behavior, e.g.
> > if you click on the link
> > https://it97.dyn.dhs.org/misc/LDAP
> > the server responds
> > ***
> > While trying to retrieve the URL:
> > new.host.name:443
> > The following error was encountered:
> > Unable to determine IP address from host name for
> > new.host.name
> > ***
> 
> It sounds to me like ServerName is not set correctly, so when the server
> tries to redirect you to the proper URL (with the trailing slash
> included), you get sent to a bad hostname.
> 
ServerName is ok (domain name), it was missing the trailing slash in
https://it97.dyn.dhs.org/misc/LDAP
                                  ^
what produced that behaviour and thats brandnew for Apache 2.028,
but doesn't still explain the different behaviour of displaying page
content in different
browsers (linux and win)

thanks

-- 
_ ___
|  |  Irmund    Thum
|  |

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Apache/2.0.28 - SSL bug?

Posted by Joshua Slive <jo...@slive.ca>.

On Sun, 2 Dec 2001, Irmund Thum wrote:

> hi,
> I'm testing Apache/2.0.28 (Unix) mod_ssl/3.0a0 OpenSSL/0.9.6b
> on my linux box for SSL connections.
> When I connect  to
>     https://it97.dyn.dhs.org/
> the server is pretty fast, but I've observed some strange behavior, e.g.
> if you click on the link
> https://it97.dyn.dhs.org/misc/LDAP
> the server responds
> ***
> While trying to retrieve the URL:
> new.host.name:443
> The following error was encountered:
> Unable to determine IP address from host name for
> new.host.name
> ***

It sounds to me like ServerName is not set correctly, so when the server
tries to redirect you to the proper URL (with the trailing slash
included), you get sent to a bad hostname.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Apache/2.0.28 - SSL bug?

Posted by Irmund Thum <it...@it97.dyn.dhs.org>.

hi,
I'm testing Apache/2.0.28 (Unix) mod_ssl/3.0a0 OpenSSL/0.9.6b
on my linux box for SSL connections.
When I connect  to
    https://it97.dyn.dhs.org/
the server is pretty fast, but I've observed some strange behavior, e.g.
if you click on the link
https://it97.dyn.dhs.org/misc/LDAP
the server responds 
***
While trying to retrieve the URL:
new.host.name:443
The following error was encountered:
Unable to determine IP address from host name for
new.host.name
***
this is very strange and with the Netscape or Galeon browser you will
mostly get the source code of the page.

Should I report this as a bug? Can anyone proof that?
Of course, I'm going to install .22 as ssl server within the next
days...
thanks i.a.
   
-- 
_ ___
|  |  Irmund    Thum
|  |

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: diretory browsing

Posted by "S. David Sheeks" <sd...@isdponline.com>.

thanks worked
----- Original Message -----
From: "Joshua Slive" <jo...@slive.ca>
To: "apache" <us...@httpd.apache.org>
Sent: Sunday, December 02, 2001 4:15 PM
Subject: Re: diretory browsing


>
> On Sun, 2 Dec 2001, S. David Sheeks wrote:
>
> > How do I prevent directory browsing?
>
> Remove "Indexes" from the appropriate "Options" line in httpd.conf.
>
> Joshua.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: diretory browsing

Posted by David McCabe <da...@mcgill.ca>.

-bill- wrote:

> Ok, I want to prevent directory browsing for all directories except one.
> Can that be done ?

Sure, make the default for the whole dir structure be NoIndexes in the 
Options, and then make that one dir's Options include Indexes. (Check 
syntax of my advice, or anybody elses, for that matter. People tend to 
write responses from their often-wrong memory. :):)

This is actually the way you should approach dir browsing, default off, 
only on where necessary.

--
David McCabe                    Senior Systems Analyst
Network and Communications Services, McGill University
Montreal, Quebec, Canada        david.mccabe@mcgill.ca
rm -rf /bin/Laden

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: diretory browsing

Posted by -bill- <bi...@TechServSys.com>.

Thank you David and Owen 
-- 
- bill -

bill@TechServSys.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: diretory browsing

Posted by Owen Boyle <ob...@bourse.ch>.

-bill- wrote:
> 
> Ok, I want to prevent directory browsing for all directories except one.
> Can that be done ?

Too easy...

# At server-config level - switch off Indexes for all
Options -Indexes

# In a directory container - switch it on again
<Directory /one/single/dir>
  Options +Indexes
</Directory>


But read (please!!) the documentation on the Options directive - the
ordering of multiple Options directives and the presence/absence of "+"
and "-" is *very* important..

Rgds,

Owen Boyle.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: diretory browsing

Posted by -bill- <bi...@TechServSys.com>.

Ok, I want to prevent directory browsing for all directories except one.
Can that be done ?
-- 
- bill -

bill@TechServSys.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: diretory browsing

Posted by Joshua Slive <jo...@slive.ca>.

On Sun, 2 Dec 2001, S. David Sheeks wrote:

> How do I prevent directory browsing?

Remove "Indexes" from the appropriate "Options" line in httpd.conf.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: diretory browsing

Posted by "S. David Sheeks" <sd...@isdponline.com>.

MessageI was going to do that, but I figured there was a flag somewhere that I could turn on/off that would make more sense.
  ----- Original Message ----- 
  From: PaddlerAT 
  To: users@httpd.apache.org 
  Sent: Sunday, December 02, 2001 4:12 PM
  Subject: RE: diretory browsing


  The easiest way is to drop an index.html file into each directory.

  -t

    -----Original Message-----
    From: S. David Sheeks [mailto:sdsheeks@isdponline.com] 
    Sent: Sunday, December 02, 2001 4:01 PM
    To: apache
    Subject: diretory browsing


    How do I prevent directory browsing?

RE: diretory browsing

Posted by PaddlerAT <pa...@yahoo.com>.

The easiest way is to drop an index.html file into each directory.

-t

-----Original Message-----
From: S. David Sheeks [mailto:sdsheeks@isdponline.com] 
Sent: Sunday, December 02, 2001 4:01 PM
To: apache
Subject: diretory browsing


How do I prevent directory browsing?