Controlling access to specific directories in Apache is essential for securing your web server. Unauthorized users should not be able to access sensitive directories that contain configuration files, scripts, or private data. This can be achieved by configuring Apache to allow or deny access based on your specific needs.

In a default Apache setup, directories are accessible unless you explicitly restrict them. This can expose critical files to unauthorized users if left unchecked. By using directives like Deny and Allow, you can manage who has access to certain directories, enhancing the security of your web server.

Managing directory access involves modifying the Apache configuration files, such as .htaccess or httpd.conf. These files let you define rules to block or permit access to directories. Properly configuring these settings ensures that your web server operates securely and efficiently, preventing unauthorized access to critical resources.

Steps to disable access to directories in Apache:

  1. Identify the directory you want to restrict by locating the appropriate Directory section in the configuration file.
    $ sudo grep -nr "<Directory" /etc/{apache2,httpd}/
    /etc/apache2/sites-available/default-ssl.conf:98: <Directory /usr/lib/cgi-bin>
    /etc/apache2/sites-available/000-default.conf:20:        <Directory /home/user/website/>
    /etc/apache2/apache2.conf:159:<Directory />
    /etc/apache2/apache2.conf:165:<Directory /usr/share>
    /etc/apache2/apache2.conf:170:<Directory /var/www/>
    /etc/apache2/apache2.conf:176:#<Directory /srv/>
    /etc/apache2/mods-available/alias.conf:15:<Directory "/usr/share/apache2/icons">
    /etc/apache2/mods-available/userdir.conf:4:<Directory /home/*/public_html>
    /etc/apache2/conf-available/localized-error-pages.conf:50:#     <Directory "/usr/share/apache2/error">
    /etc/apache2/conf-available/serve-cgi-bin.conf:12:    <Directory "/usr/lib/cgi-bin">
  2. Open the Apache configuration file with your preferred text editor.
    $ sudo vi /etc/apache2/sites-available/000-default.conf
  3. Insert a Deny directive inside the Directory block to block all access to the directory.
    <Directory /home/user/website/>
            Require all granted
    </Directory>
    <Directory /home/user/website/forbid/>
            Order deny,allow
            Deny from all
    </Directory>

    A Deny directive can be placed on a subdirectory of a folder that already has access granted, as shown above: the more specific Directory block governs its own subtree.

  4. Use the Allow directive if you want to permit access for specific IP addresses.
    Allow from 192.168.1.100

    Placed in the same Directory block as Deny from all, this permits access only from the IP address 192.168.1.100; replace it with the desired IP address or range.

  5. Save the configuration file and exit the text editor.
  6. Restart the Apache service to apply the changes.
    $ sudo systemctl restart apache2 # For Ubuntu/Debian
    $ sudo systemctl restart httpd # For CentOS/Red Hat
  7. Verify that access to the directory is correctly restricted by navigating to it in a web browser or using a command-line tool like curl.
    $ curl 127.0.0.1/forbid/
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access this resource.</p>
    <hr>
    <address>Apache/2.4.55 (Ubuntu) Server at 127.0.0.1 Port 80</address>
    </body></html>

    If configured correctly, the server should respond with a 403 Forbidden status.
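    The following is an added example, not part of the original article, that scripts steps 3, 4 and 7. It assumes Apache 2.4: the article's Order/Deny/Allow lines are the 2.2 syntax, which 2.4 only honours when mod_access_compat is loaded, so restrict_dir emits the native Require equivalents instead. The directory paths, the IP 192.168.1.100 and the sample configuration written to a temporary file are constructed values taken from the article; audit_unguarded is a hypothetical helper that lists Directory blocks carrying no access directive at all, and http_status needs a running server to return anything useful.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Apache 2.4 with
# mod_authz_core; paths and 192.168.1.100 are the article's sample values.

# Emit a Directory block in Apache 2.4 "Require" syntax.
#   restrict_dir DIR            -> deny everyone (Require all denied)
#   restrict_dir DIR IP [IP...] -> allow only the listed IPs/CIDRs (Require ip)
restrict_dir() {
    dir=$1; shift
    printf '<Directory %s>\n' "$dir"
    if [ $# -eq 0 ]; then
        printf '    Require all denied\n'
    else
        for ip in "$@"; do
            printf '    Require ip %s\n' "$ip"
        done
    fi
    printf '</Directory>\n'
}

# Print every <Directory> block in a config file that contains no access
# directive (Require, Allow or Deny). Such a block silently inherits whatever
# the enclosing or global configuration grants. Commented-out blocks
# ("#<Directory") are ignored because the pattern is anchored at line start.
audit_unguarded() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ {
            sub(/^[[:space:]]+/, ""); block=$0; guarded=0; inblock=1; next
        }
        inblock && /^[[:space:]]*(Require|Allow|Deny)[[:space:]]/ { guarded=1 }
        /^[[:space:]]*<\/Directory>/ { if (inblock && !guarded) print block; inblock=0 }
    ' "$1"
}

# Return only the HTTP status code for a URL (e.g. 403), so step 7 can be
# checked in a script instead of by reading the HTML error page.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Exit 0 when the URL answers 403 Forbidden, non-zero otherwise.
assert_forbidden() {
    [ "$(http_status "$1")" = "403" ]
}

# Constructed sample configuration: the article's two blocks plus one that
# sets Options but never states who may access it.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<Directory /home/user/website/>
        Require all granted
</Directory>
<Directory /home/user/website/forbid/>
        Order deny,allow
        Deny from all
</Directory>
<Directory /home/user/website/open/>
        Options Indexes
</Directory>
#<Directory /srv/>
EOF

# Demo: generate the 2.4-style blocks and audit the sample file.
restrict_dir /home/user/website/forbid/
restrict_dir /home/user/website/admin/ 192.168.1.100
echo "Directory blocks with no access directive:"
audit_unguarded "$SAMPLE_CONF"
```

Run the script to see the generated blocks and the audit; after deploying the configuration and restarting Apache, `assert_forbidden http://127.0.0.1/forbid/` gives a scriptable version of step 7 (pair it with `apachectl configtest` before the restart).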
