I’m setting up a new Ubuntu server and while most of the defaults are fine, there are some things that I need to adjust. I have a very shallow understanding of this stuff, so there could be better and more secure ways to do this, but this works for me.
Disallow access to PHP include files
There isn’t any reason that people need to see the include files that I use in my websites. You could name them .inc.php so that the raw code isn’t served, but that’s not very elegant, and outsiders can still request the file. There isn’t anything particularly sensitive in them, but by themselves they don’t display correctly. So I added a few lines to my /etc/apache2/apache2.conf file, just below the section that disallows viewing .htaccess files.
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</Files>
# The following lines prevent .inc files from being
# viewed by Web clients.
#
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
#
Prevent directory browsing
If you have a bunch of images in a directory, then anyone who wants to can view all of them just by finding the directory name in the web page source and putting it after your URL. I’d rather they not do that, so I restrict listing of the files by adding this line to my /etc/apache2/httpd.conf file. On my default Ubuntu install this file is empty.
Options Includes FollowSymLinks MultiViews
Restart Apache for the changes to take effect.
Alternate method to prevent directory browsing
If you want to prevent directory browsing in just one directory and either don’t want to change the whole site or don’t have access to the files named above, add this line to your .htaccess file.
Options -Indexes
You probably don’t have to restart Apache for the changes to take effect.
Prevent Directory Browsing on a Per Site Basis
Changing the httpd.conf file will change the behavior of all sites on your server. If you want to change the behavior of just one site, edit its file in /etc/apache2/sites-available. Find the line that has Options FollowSymLinks in it and, if it also has Indexes in it, delete the word Indexes. This is what the default Ubuntu install has:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
You probably do have to restart Apache for the changes to take effect.
Prevent access to your include directory
Add this to your site’s file in /etc/apache2/sites-available (the lines must not be commented out with #, or Apache will ignore them).
# Deny all web clients access to the include directory; the path is this
# site's own and should be replaced with yours.
<Directory /www/MySite/include.php>
Order allow,deny
Deny from all
</Directory>
Show an error document instead of the default 404 error
Create a normal PHP document with your site’s navigation and a message that says the file can’t be found and that they may be able to find it with the nav menus. Add this to your site’s file in /etc/apache2/sites-available. And while you are at it, there is no reason you need to tell anyone that they don’t have permission to see a particular file; just tell them it’s not found, so add the same line for a 403 error. I take them back to the main page and display the missing-file message there.
ErrorDocument 404 /index.php?p=missing
ErrorDocument 403 /index.php?p=missing
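As an added check (not part of the original post), here is a small Python script that audits Apache 2.2-style config files for the three settings above: Options lines that still enable directory listings, a <Files> block that denies .inc files, and whether 403 is mapped to the same page as 404. Since an Options line inside a <Directory> block overrides a server-wide one, it reports every file you hand it; the sample config embedded below is constructed for illustration, and the file paths are whatever you pass on the command line.

```python
import re
import sys

# Constructed sample site file (not copied from any real server) that still
# has the Ubuntu default "Indexes" option enabled but has the other two fixes.
SAMPLE_CONF = r"""<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
ErrorDocument 404 /index.php?p=missing
ErrorDocument 403 /index.php?p=missing
"""

OPTIONS_RE = re.compile(r'^\s*Options\s+(.*)$', re.I)
FILES_RE = re.compile(r'<Files(?:Match)?\s+(.*?)>(.*?)</Files(?:Match)?>', re.S | re.I)
ERRDOC_RE = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(\S+)', re.I | re.M)

def _active(conf):
    """Drop whole-line comments so commented-out directives are ignored."""
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith('#'))

def listing_enabled_lines(conf):
    """1-based numbers of Options lines that turn listings on ("Indexes" or
    "+Indexes"); "-Indexes" disables them and is not reported."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = OPTIONS_RE.match(line.split('#', 1)[0])
        if m and any(tok.lstrip('+').lower() == 'indexes' for tok in m.group(1).split()):
            hits.append(n)
    return hits

def inc_files_denied(conf):
    """True if an active <Files>/<FilesMatch> block for .inc names denies all."""
    return any(r'\.inc' in pat and re.search(r'Deny\s+from\s+all', body, re.I)
               for pat, body in FILES_RE.findall(_active(conf)))

def error_documents(conf):
    """Map of status code -> ErrorDocument target for active directives."""
    return {int(code): target for code, target in ERRDOC_RE.findall(_active(conf))}

def forbidden_masked_as_missing(conf):
    docs = error_documents(conf)
    return 403 in docs and 404 in docs and docs[403] == docs[404]

def audit(conf):
    return {"listing_enabled_lines": listing_enabled_lines(conf),
            "inc_files_denied": inc_files_denied(conf),
            "forbidden_masked_as_missing": forbidden_masked_as_missing(conf)}

if __name__ == "__main__":
    for path in sys.argv[1:] or ["<sample>"]:
        text = SAMPLE_CONF if path == "<sample>" else open(path).read()
        print(path, audit(text))
```

Run it as `python audit.py /etc/apache2/apache2.conf /etc/apache2/sites-available/*` and fix any file that lists a line number under listing_enabled_lines.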