Disabling access to certain directories in Apache is a common practice for security and privacy. Restricting access ensures that unauthorized users cannot access sensitive data or files.

In a standard Apache installation, directories may be accessed freely unless specifically restricted. This may include directories that hold configurations, scripts, or data files that are not intended to be publicly accessible.

The practice of disabling access to specific directories is fundamental in web server administration. Whether you are running a website, web application, or any HTTP service, proper directory restriction is vital. The configuration is typically done in the Apache configuration files, such as .htaccess or httpd.conf.

Steps to disable access to directories in Apache:

  1. Locate the Directory section you want to restrict, or create a new Directory directive.
    $ sudo grep -nr "<Directory" /etc/{apache2,httpd}/
    /etc/apache2/sites-available/default-ssl.conf:98: <Directory /usr/lib/cgi-bin>
    /etc/apache2/sites-available/000-default.conf:20:        <Directory /home/user/website/>
    /etc/apache2/apache2.conf:159:<Directory />
    /etc/apache2/apache2.conf:165:<Directory /usr/share>
    /etc/apache2/apache2.conf:170:<Directory /var/www/>
    /etc/apache2/apache2.conf:176:#<Directory /srv/>
    /etc/apache2/mods-available/alias.conf:15:<Directory "/usr/share/apache2/icons">
    /etc/apache2/mods-available/userdir.conf:4:<Directory /home/*/public_html>
    /etc/apache2/conf-available/localized-error-pages.conf:50:#     <Directory "/usr/share/apache2/error">
    /etc/apache2/conf-available/serve-cgi-bin.conf:12:    <Directory "/usr/lib/cgi-bin">
  2. Open Apache's configuration file using your preferred text editor.
    $ sudo vi /etc/apache2/sites-available/000-default.conf
  3. Add a Deny directive inside the Directory block to deny access to all.
    <Directory /home/user/website/>
            Require all granted
    </Directory>
    <Directory /home/user/website/forbid/>
            # Order/Deny are Apache 2.2-style directives; Apache 2.4 honours them
            # through mod_access_compat. The native 2.4 form is "Require all denied".
            Order deny,allow
            Deny from all
    </Directory>

    The Deny directive can be applied to a subdirectory of a directory that is otherwise allowed.

  4. Add an Allow directive if you want to allow some exceptions.
    Allow from 192.168.1.100

    This example allows access only from the IP address 192.168.1.100; replace it with the desired IP or range.

  5. Save the file and exit the text editor.
  6. Restart Apache to apply the changes.
    $ sudo systemctl restart apache2 # For Ubuntu/Debian
    $ sudo systemctl restart httpd # For CentOS/Red Hat
  7. Verify the directory is no longer accessible by navigating to it through a web browser or using a tool like curl.
    $ curl 127.0.0.1/forbid/
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access this resource.</p>
    <hr>
    <address>Apache/2.4.55 (Ubuntu) Server at 127.0.0.1 Port 80</address>
    </body></html>

    If configured correctly, the server should respond with a 403 Forbidden status.
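
An added example, not part of the original article: a shell function that lists every <Directory> block in a configuration file with the access rule it sets, and marks blocks that use the 2.2-style Order/Allow/Deny directives, which Apache 2.4 honours only through mod_access_compat. The sample configuration is constructed; the /private path and the function names are assumptions.

```shell
# Constructed sample config: the first two blocks mirror the article; /private is hypothetical.
sample_config() { cat <<'EOF'
<Directory /home/user/website/>
        Require all granted
</Directory>
<Directory /home/user/website/forbid/>
        Order deny,allow
        Deny from all
        Allow from 192.168.1.100
</Directory>
# <Directory /srv/>
<Directory "/home/user/website/private">
        Require all denied
</Directory>
EOF
}
# Print "<path> <verdict>[ legacy]" per <Directory> block in file $1 (or stdin).
# Legacy blocks are read with the Order deny,allow semantics used in the article.
audit_directory_blocks() {
    awk '
    /^[ \t]*#/ { next }                          # ignore commented-out lines
    /^[ \t]*<Directory[ \t]/ {                   # block start: extract the path
        path = $0
        sub(/^[ \t]*<Directory[ \t]+"?/, "", path)
        sub(/"?[ \t]*>.*$/, "", path)
        inblk = 1; deny = allow = granted = reqdeny = reqip = legacy = 0; next
    }
    inblk && /^[ \t]*<\/Directory>/ {            # block end: decide and report
        v = "unspecified"                        # no access rule: inherited from a parent
        if (reqip || (deny && allow)) v = "restricted"
        if (granted) v = "granted"
        if (reqdeny || (deny && !allow)) v = "denied"
        printf "%s %s%s\n", path, v, (legacy ? " legacy" : "")
        inblk = 0; next
    }
    inblk {
        line = tolower($0)                       # directive names are case-insensitive
        if (line ~ /^[ \t]*(order|allow|deny)[ \t]/) legacy = 1   # needs mod_access_compat on 2.4
        if (line ~ /^[ \t]*deny[ \t]+from[ \t]+all[ \t]*$/) deny = 1
        if (line ~ /^[ \t]*allow[ \t]+from[ \t]/) allow = 1
        if (line ~ /^[ \t]*allow[ \t]+from[ \t]+all[ \t]*$/) granted = 1
        if (line ~ /^[ \t]*require[ \t]+all[ \t]+denied/) reqdeny = 1
        if (line ~ /^[ \t]*require[ \t]+all[ \t]+granted/) granted = 1
        if (line ~ /^[ \t]*require[ \t]+(ip|host)[ \t]/) reqip = 1
    }
    ' "${1:--}"
}
sample_config | audit_directory_blocks
```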
