How to not 'expose' directory tree by default

Maxim Dounin mdounin at
Mon Jan 21 00:55:10 UTC 2013


On Fri, Jan 18, 2013 at 01:21:44PM +0100, Jan-Philip Gehrcke wrote:

> Hello,
> error 403 means that the location exists and access is not allowed
> while 404 means that the location does not exist.
> Based on this, with mostly default settings, it is (in theory)
> possible to determine the directory structure below the document
> root via guessing or dictionary attack. This may or may not be
> considered a security risk (what do you think?).

It is always possible to determine all files available under 
document root as long as you have enough time or luck.  
Directories are just special case of files which return directory 
listing if they are requested with traling slash and listing is 

> I know that there are ways to make nginx return 404 for specific
> locations, including directories. In am wondering, however, if there
> is a neat approach making nginx return 404 generally for each
> directory that
> - has not explicitly enabled autoindex and
> - contains no 'index' file (HttpIndexModule)

Simple solution would be to redefine 403 to be 404, something like

    error_page 404 = /error/403;

    location = /error/403 {
        return 404;

Note though, that it will be still possible to find out there is a 
directory, as on request without trailing slash a 301 redirect will 
be returned with trailing slash added.  (You may use similar 
aproach to override 301 redirects as well, but it will as well 
affect directories with autoindex enabled/index files present, 
resulting in bad user experience.)

Maxim Dounin

More information about the nginx mailing list