How to not 'expose' directory tree by default
Maxim Dounin
mdounin at mdounin.ru
Mon Jan 21 00:55:10 UTC 2013
Hello!
On Fri, Jan 18, 2013 at 01:21:44PM +0100, Jan-Philip Gehrcke wrote:
> Hello,
>
> error 403 means that the location exists and access is not allowed
> while 404 means that the location does not exist.
>
> Based on this, with mostly default settings, it is (in theory)
> possible to determine the directory structure below the document
> root via guessing or dictionary attack. This may or may not be
> considered a security risk (what do you think?).
It is always possible to determine all files available under
document root as long as you have enough time or luck.
Directories are just special case of files which return directory
listing if they are requested with traling slash and listing is
allowed.
> I know that there are ways to make nginx return 404 for specific
> locations, including directories. In am wondering, however, if there
> is a neat approach making nginx return 404 generally for each
> directory that
> - has not explicitly enabled autoindex and
> - contains no 'index' file (HttpIndexModule)
Simple solution would be to redefine 403 to be 404, something like
error_page 404 = /error/403;
location = /error/403 {
return 404;
}
Note though, that it will be still possible to find out there is a
directory, as on request without trailing slash a 301 redirect will
be returned with trailing slash added. (You may use similar
aproach to override 301 redirects as well, but it will as well
affect directories with autoindex enabled/index files present,
resulting in bad user experience.)
--
Maxim Dounin
http://nginx.com/support.html
More information about the nginx
mailing list