On Tue, 15 Sep 2015 18:12:24 -0400, . wrote: > > I am a novice website admin, running Apache 2.4.7 on a Ubuntu box. I > want to be able to serve a subset of my website as http (port 80), even > though the overall site is on https (port 443). I managed to convert it > all to https this summer by providing links in > /etc/apache2/sites-enabled/ to sites-available/default-ssl.conf and > sites-available/http-redirect.conf. The redirect just permanently > redirects everything to use https. > > I tried adding another VirtualHost for port 80, with a DocumentRoot > pointed at my "freely-available" subdirectory. That seemed to work, but > the problem is that if somebody just browses to that subdirectory, they > get a directory listing that includes a hyperlink to the parent > directory. By clicking on that hyperlink, they can escape into the rest > of the website using http instead of https. > > I suspect there's a "proper" way to do this, but I don't know what it > is. Any help, or pointers, would be appreciated.
$ cat index.html <!DOCTYPE HTML><HTML><HEAD></HEAD> <BODY BGCOLOR="#CC0033"></BODY></HTML> I put that in every sub-directory that I do not ever want folks poking around in. /images , /scripts , /includes , /temp ... whatever. Additionally, each sensitive directory's ,htaccess could include: Options -Indexes But, Murphy's Law tells us that someday a critical .htaccess will get bollixed. In your httpd.conf you can remove the "Indexes" option from the likes of: Options Includes Indexes FollowSymLinks MultiViews That'll do it globally. But, Murphy's Law tells us that someday a the httpd.conf will get bollixed. So, I also put <!DOCTYPE HTML><HTML><HEAD></HEAD> <BODY BGCOLOR="#CC0033"></BODY></HTML> in every sub-directory that I do not ever want folks poking around in. Too bad you don't have access to Google in your section of the internet. Jonesy --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
