2

I need to configure my Apache2 server (version 2.2.22) such that I allow auto-indexing of the WWW root folder and its sub-directories, but restrict access (i.e. restrict download) to just a set of specific file types (i.e. .txt and .log). In other words, anybody can see what files are present, but only certain file types can be downloaded.

I have come up with the following which does restrict download to just the specified file types, but all URLs for a directory index return 403 Forbidden.

```apache
<Directory /var/www/>
    Options Indexes FollowSymLinks
    SetOutputFilter DEFLATE
    AllowOverride None
    Order allow,deny
    <FilesMatch "">
        Order deny,allow
        allow from all
    </FilesMatch>
    <FilesMatch ".+\.(?!(txt|log)$)[^\.]+?$">
        Order allow,deny
        deny from all
    </FilesMatch>
</Directory>
```
Keith Morgan
  • 121
  • 1
  • 3
  • 1
    Regexp seems to be weird. Did you try something like `.+\.(txt|log)$`? This one `FilesMatch ""` seems to be useless here. – Glueon Oct 10 '14 at 09:07
  • 1
    @Glueon, given the order he's set, it's needed to permit listing at all. – Gene Oct 10 '14 at 09:40
  • 1
    Keith, since accessing the directory doesn't match any of the file extensions you've specified, Apache is not serving the directory listing. I played around with this configuration for a bit, but couldn't get it to work. You'll most likely have to ditch FilesMatch and use mod_rewrite instead. – Gene Oct 10 '14 at 09:42
  • 1
    Listing files that can't be downloaded seems a bit counterintuitive, why not use the [IndexIgnore](http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#indexignore) Directive to only list directories and .txt and .log files? – HBruijn Oct 11 '14 at 08:32

2 Answers

4

You also need to allow index files:

```apache
<FilesMatch "^index\.">
    Order allow,deny
    allow from all
</FilesMatch>
```

because Apache will search for them (like index.html, index.cgi, ...) but they are all forbidden. I'm not sure why, but I suppose Apache cannot even check for the existence of those files, and then sends a 403. If Apache can check the nonexistence of those index files, it will create the directory index, and that needs the `<FilesMatch "">` directive, as the index file name is "".

You can find the information in the error log file, in lines like:

```
client denied by server configuration: /var/www/index.html
```

And because you want forbidden files to be listed too, you need to add:

```apache
IndexOptions ShowForbidden
```

for example after `Options Indexes FollowSymLinks`. There are plenty of options for directory indexes; you can find them in the Apache docs.

Hope this helps.

user1338062
  • 165
  • 5
Zimmi
  • 1,071
  • 7
  • 11
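
A sketch of why the question's configuration denies the index lookup and what the `^index\.` block changes, as an added example that is not part of the original answers. It assumes that the last matching `<FilesMatch>` section decides, that the answer's block is placed after the deny block, and that `DIRECTORY_INDEX` is the server's index list; all Python names are hypothetical.

```python
import re

# Model (assumption): sections are evaluated in configuration order and the
# last matching <FilesMatch> section decides; otherwise the <Directory>
# default applies ("Order allow,deny" with no Allow line denies).
DIRECTORY_DEFAULT = "deny"

QUESTION_SECTIONS = [
    (r"", "allow"),                           # <FilesMatch "">
    (r".+\.(?!(txt|log)$)[^\.]+?$", "deny"),  # the question's deny pattern
]
# Assumption: the answer's block is appended after the deny block.
FIXED_SECTIONS = QUESTION_SECTIONS + [(r"^index\.", "allow")]

# Assumption: a typical DirectoryIndex list, not taken from the question.
DIRECTORY_INDEX = ["index.html", "index.cgi", "index.php"]

# Constructed sample names; "" stands for the generated directory listing.
SAMPLE_NAMES = ["", "notes.txt", "app.log", "photo.jpg",
                "notes.txt.bak", "README", "index.html"]


def verdict(name, sections):
    """Return 'allow' or 'deny' for a file name under the modelled sections."""
    result = DIRECTORY_DEFAULT
    for pattern, outcome in sections:
        if re.search(pattern, name):  # FilesMatch patterns are unanchored
            result = outcome
    return result


def denied_index_candidates(sections):
    """DirectoryIndex names the server may not even look up."""
    return [n for n in DIRECTORY_INDEX if verdict(n, sections) == "deny"]


def report(sections):
    """Verdict for every constructed sample name."""
    return {name: verdict(name, sections) for name in SAMPLE_NAMES}


if __name__ == "__main__":
    for label, sections in (("question", QUESTION_SECTIONS),
                            ("with ^index\\. allowed", FIXED_SECTIONS)):
        print(label)
        for name, result in report(sections).items():
            print(f"  {name!r:16} {result}")
        print("  denied index lookups:", denied_index_candidates(sections))
```

Two side effects show up in the output: names without a dot, such as `README`, never match the deny pattern and stay downloadable, and the `^index\.` block makes every `index.*` file downloadable regardless of extension.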
0

The FilesMatch needs to hit every possible entry from the DirectoryIndex directive and the empty string. If you have this:

```apache
DirectoryIndex index.html index.html.var index.php
```

then this is your match:

```apache
<Files ~ ^index\.(html|php|html.var)$|^$>
```

It might be easiest to set DirectoryIndex and then match:

```apache
DirectoryIndex index.html
<Files ~ ^index\.html$|^$>
    <Limit GET HEAD>
        Order Allow,Deny
        Allow from all
    </Limit>
</Files>
```
Colt
  • 2,029
  • 6
  • 21
  • 27
  • [Apache docs](https://httpd.apache.org/docs/2.4/howto/access.html) recommend switching to require. You should probably add at least the OPTIONS method to the limit, but really I don't see any harm in allowing any method, so I'm wondering why the restriction. – Rick May 05 '20 at 20:22