아파치 디렉토리 브라우징 막기

how to disable directory browsing in apache
아파치 디렉토리 브라우징 막기
아파치 디렉토리 파일 목록 안보이게 하기
Apache 디렉토리 보안 설정

1 문제상황[ | ]

browsing_test 폴더를 만들고 그 안에 greet.txt 파일 생성

Console

Copy

root@zetawiki:~# mkdir /var/www/html/browsing_test
root@zetawiki:~# touch /var/www/html/browsing_test/greet.txt

browsing_test 폴더를 호출하여 greet.txt 파일이 보이는지 확인

Console

Copy

root@zetawiki:~# curl 'http://localhost/browsing_test/' -s | grep greet
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="greet.txt">greet.txt</a></td><td align="right">2015-12-07 00:56  </td><td align="right">  0 </td><td>&nbsp;</td></tr>

→ 보인다... 보안상 허점이 될 수 있음

2 해결방법 (CentOS)[ | ]

httpd.conf 확인

Console

Copy

[root@zetawiki ~]# cat /etc/httpd/conf/httpd.conf | egrep -v "^[[:space:]]*$" | grep -v ^# | grep '<Directory "/var/www/html">' -A4
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

httpd.conf 사본 만들고 Indexes 옵션 제거

Console

Copy

[root@zetawiki ~]# cp -a /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.old
[root@zetawiki ~]# sed -i 's/Options Indexes FollowSymLinks/Options FollowSymLinks/g' /etc/httpd/conf/httpd.conf
[root@zetawiki ~]# diff /etc/httpd/conf/httpd.conf.old /etc/httpd/conf/httpd.conf
332c332
<     Options Indexes FollowSymLinks
---
>     Options FollowSymLinks

아파치 재시작

Console

Copy

[root@zetawiki ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

확인 2

Console

Copy

[root@zetawiki ~]# curl 'http://localhost/static/' -s | head -7
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /static/
on this server.</p>

→ 디렉토리 접근시 403 오류 발생함

3 해결방법 (우분투)[ | ]

apache2.conf 확인

Console

Copy

root@zetawiki:~# cat /etc/apache2/apache2.conf | grep 'Directory /var/www/' -A4
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

사본 만들고 편집

Console

Copy

root@zetawiki:~# cp -ai /etc/apache2/apache2.conf /etc/apache2/apache2.conf.old
root@zetawiki:~# vi /etc/apache2/apache2.conf

aconf

Copy

... (생략)
<Directory /var/www/>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

변경 내용 확인

Console

Copy

root@zetawiki:~# diff /etc/apache2/apache2.conf.old /etc/apache2/apache2.conf
165c165
< 	Options Indexes FollowSymLinks
---
> 	Options FollowSymLinks

아파치 재시작 후 확인

Console

Copy

root@zetawiki:~# apachectl restart
root@zetawiki:~# curl 'http://localhost/browsing_test/' -s | grep greet
root@zetawiki:~# curl 'http://localhost/browsing_test/' -s
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /browsing_test/
on this server.</p>
</body></html>

4 같이 보기[ | ]

5 참고[ | ]

http://www.linuxscrew.com/2008/06/03/faq-how-to-disable-directory-browsing-in-apachehttpd/