
#1 2019-09-15 12:37:55

francis1691
Member
Registered: 2019-09-15
Posts: 4

HTTP Responses (SOLVED)

I have basic doubts about how access to /~root/ should be hidden, or any other directory outside of /srv/http.
In the browser I get the expected result. When a user requests to enter domain.com/~root/ they receive a generic error that I explicitly configured:
ErrorDocument 301 /missing.html
ErrorDocument 302 /missing.html
ErrorDocument 403 /missing.html
ErrorDocument 404 /missing.html
ErrorDocument 410 /missing.html
ErrorDocument 451 /missing.html

However, wmap shows in several cases:
File found. / Directory found.
GET Res code: 403

The directories in httpd.conf are configured as follows:

<Directory />
   AllowOverride none
   Require all denied
</Directory>

DocumentRoot "/srv/http"
<Directory "/srv/http">
   Options Indexes FollowSymLinks
   AllowOverride none
   Require all granted
</Directory>

Include conf/extra/httpd-autoindex.conf is included. Here I configured:
Alias /icons/ "/usr/share/httpd/icons/"
<Directory "/usr/share/httpd/icons">
   Options FollowSymLinks
   AllowOverride None
   Order allow,deny
   Deny from all
</Directory>

I was able to block the directory but the same thing happens when doing:
curl -I https://domain.com/icons/
HTTP/1.1 403 Forbidden

Should I delete the directory?

Thank you very much for your help.

Last edited by francis1691 (2019-10-06 07:40:42)


#2 2019-09-15 12:43:41

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441

Re: HTTP Responses (SOLVED)

Your document root is /srv/http, so by definition, nothing outside of that should be accessible unless you explicitly add more configuration.  Have you enabled the userdirs config?  I doubt that includes the root user by default.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2019-09-15 13:38:13

francis1691
Member
Registered: 2019-09-15
Posts: 4

Re: HTTP Responses (SOLVED)

Trilby wrote:

Your document root is /srv/http, so by definition, nothing outside of that should be accessible unless you explicitly add more configuration.  Have you enabled the userdirs config?  I doubt that includes the root user by default.

Yes, userdir mod is enabled. httpd-userdir.conf contains:

UserDir public_html
<Directory "/home/*/public_html">
   AllowOverride FileInfo AuthConfig Limit Indexes
   Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
   Require method GET POST OPTIONS
</Directory>

In other words, the directories are blocked, but I would like them to be unavailable (not served), or to receive a different error code. If someone tries:
curl -I domain.com/icons/
The 403 Forbidden shows that such directory exists. Is it possible to change this?
I don't consider it a security issue now, but it is an open door if the server is vulnerable, isn't it?

Last edited by francis1691 (2019-09-15 13:55:09)


#4 2019-09-15 13:54:40

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441

Re: HTTP Responses (SOLVED)

francis1691 wrote:

Yes, userdir mod is enabled. ... In other words, directories are blocked but I would like them to be unavailable

Then why are you enabling userdir at all?  What is your end goal?

Note that /root/public_html does not match /home/*/public_html, so the server does not provide a response for http://domain.tld/~root/

Also domain.tld/icons/ has nothing to do with userdir settings.  Now I'm even less clear on what you are asking.

Last edited by Trilby (2019-09-15 13:57:07)



#5 2019-09-15 14:52:00

francis1691
Member
Registered: 2019-09-15
Posts: 4

Re: HTTP Responses (SOLVED)

Trilby wrote:
francis1691 wrote:

Yes, userdir mod is enabled. ... In other words, directories are blocked but I would like them to be unavailable

Then why are you enabling userdir at all?  What is your end goal?

Note that /root/public_html does not match /home/*/public_html, so the server does not provide a response for http://domain.tld/~root/

Also domain.tld/icons/ has nothing to do with userdir settings.  Now I'm even less clear on what you are asking.


/icons/, /~root/ or other directories are blocked and the browser shows the same error page that I configured, whatever the response code. But they can be found, for example, with the curl command. It's just information, but it reveals that there are directories, as in the case of "403 Forbidden".
Must those directories exist?

Last edited by francis1691 (2019-09-15 14:59:28)


#6 2019-09-15 15:20:21

seth
Member
Registered: 2012-09-03
Posts: 49,951

Re: HTTP Responses (SOLVED)

I am … confused.
You add the icons dir in a specific rule that also sets its access denied but you don't want it 403 but 404? Just don't add it itfp.
You can add RedirectMatch ot AliasMatch to "hide" subdirectories, but

Trilby wrote:

What is your end goal?

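The configuration below is an added example, not seth's or francis1691's own configuration. It applies the RedirectMatch idea from post #6 to the two paths named in the first post, so that a path the server refuses to serve answers with the same 404 as a path that does not exist, and a scanner such as wmap can no longer tell "denied" from "absent" by the status code. It assumes Apache 2.4 (the `Require` syntax used in the thread), the `/srv/http` document root from post #1, and that the snippet sits in httpd.conf before the `Include conf/extra/httpd-autoindex.conf` line, because mod_alias processes Redirect and Alias directives in the same context in order of appearance.

```apache
# Added example (not the thread's configuration): make refused paths
# indistinguishable from nonexistent ones.

# /~root/: never let mod_userdir map the root account. For a disabled user
# the module declines the request, so it falls through to DocumentRoot,
# where /srv/http/~root/ does not exist -> 404 instead of the 403 produced
# by "Require all denied" on <Directory />.
UserDir disabled root

# /icons/: the Alias in httpd-autoindex.conf announces the directory with
# a 403. Answer 404 before the Alias is consulted; a Redirect with a
# non-3xx status takes no target URL. (If FancyIndexing icons are not
# used at all, dropping the Include is the simpler fix.)
RedirectMatch 404 "^/icons(/|$)"

Include conf/extra/httpd-autoindex.conf

# Unchanged from post #1: both codes now render the same page, and the
# status line no longer differs between the two cases.
ErrorDocument 404 /missing.html
```

After reloading, `curl -I https://domain.com/icons/` and `curl -I https://domain.com/~root/` should both return `HTTP/1.1 404 Not Found`, the same as a request for a path that was never configured. The HTTP-to-HTTPS redirect from post #8 only changes what the plain-HTTP port answers; the checks above concern the HTTPS virtual host where the content is actually served.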

#7 2019-09-16 07:11:42

runninghorse
Banned
Registered: 2019-07-20
Posts: 10

Re: HTTP Responses (SOLVED)

You can add RedirectMatch ot AliasMatch to "hide" subdirectories


#8 2019-09-19 00:06:26

francis1691
Member
Registered: 2019-09-15
Posts: 4

Re: HTTP Responses (SOLVED)

It has worked. Thank you!
I changed some things in httpd.conf:

#RewriteEngine On
#RewriteCond %{HTTPS} !=on
#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

# to

<VirtualHost *:80>
    Redirect permanent / https://my_domain.com/
    ServerName my_domain.com
    ServerAlias my_domain.com
    UseCanonicalName On
    DocumentRoot /srv/http
</VirtualHost>

Now the HTTP header shows "301 Moved Permanently."
I also noticed that it is the most effective way to redirect to the HTTPS version of the site.

Last edited by francis1691 (2019-09-19 00:08:47)


#9 2019-09-19 06:09:54

seth
Member
Registered: 2012-09-03
Posts: 49,951

Re: HTTP Responses (SOLVED)

Please always remember to mark resolved threads by editing your initial post's subject, so others will know that there's no task left, but maybe a solution to find.
Thanks.

Also, @runninghorse: wtf was that supposed to be? Point out the "or/ot" typo in my statement??


#10 2019-09-19 14:04:47

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,783

Re: HTTP Responses (SOLVED)

I was unsure before, but I'm now almost certain that it's a spam bot that tries to be vaguely on topic by reposting parts of the conversation. I've banned it now.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.
