I have basic doubts about how access to /~root/, or to any other directory outside of /srv/http, should be hidden.
In the browser I get the expected result. When a user requests to enter domain.com/~root/ they receive a generic error that I explicitly configured:
ErrorDocument 301 /missing.html
ErrorDocument 302 /missing.html
ErrorDocument 403 /missing.html
ErrorDocument 404 /missing.html
ErrorDocument 410 /missing.html
ErrorDocument 451 /missing.html
However, wmap shows in several cases:
File found. / Directory found.
GET Res code: 403
The directories in httpd.conf are configured as follows:
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/srv/http"
<Directory "/srv/http">
Options Indexes FollowSymLinks
AllowOverride none
Require all granted
</Directory>
conf/extra/httpd-autoindex.conf is Included. In it I configured:
Alias /icons/ "/usr/share/httpd/icons/"
<Directory "/usr/share/httpd/icons">
Options FollowSymLinks
AllowOverride None
# Order/Deny are 2.2-style directives; on httpd 2.4 they need mod_access_compat
Order allow,deny
Deny from all
</Directory>
I was able to block the directory but the same thing happens when doing:
curl -I https://domain.com/icons/
HTTP/1.1 403 Forbidden
Should I delete the directory?
Thank you very much for your help.
Last edited by francis1691 (2019-10-06 07:40:42)
Your document root is /srv/http, so by definition, nothing outside of that should be accessible unless you explicitly add more configuration. Have you enabled the userdirs config? I doubt that includes the root user by default.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Trilby wrote:Your document root is /srv/http, so by definition, nothing outside of that should be accessible unless you explicitly add more configuration. Have you enabled the userdirs config? I doubt that includes the root user by default.
Yes, userdir mod is enabled. httpd-userdir.conf contains:
UserDir public_html
<Directory "/home/*/public_html">
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
In other words, the directories are blocked, but I would like them to be unavailable (not served), or to return a different error code. If someone tries:
curl -I domain.com/icons/
The 403 Forbidden shows that such a directory exists. Is it possible to change this?
I don't consider it a security issue now, but it is an open door if the server is vulnerable, isn't it?
Last edited by francis1691 (2019-09-15 13:55:09)
francis1691 wrote:Yes, userdir mod is enabled. ... In other words, directories are blocked but I would like them to be unavailable
Then why are you enabling userdir at all? What is your end goal?
Note that /root/public_html does not match /home/*/public_html, so the server does not provide a response for http://domain.tld/~root/
Also domain.tld/icons/ has nothing to do with userdir settings. Now I'm even less clear on what you are asking.
Last edited by Trilby (2019-09-15 13:57:07)
Trilby wrote:
francis1691 wrote:Yes, userdir mod is enabled. ... In other words, directories are blocked but I would like them to be unavailable
Then why are you enabling userdir at all? What is your end goal?
Note that /root/public_html does not match /home/*/public_html, so the server does not provide a response for http://domain.tld/~root/
Also domain.tld/icons/ has nothing to do with userdir settings. Now I'm even less clear on what you are asking.
/icons/, /~root/ and other directories are blocked, and the browser shows the same error page that I configured, whatever the response code. But they can be found, for example, with the curl command. It's just information, but it reveals that the directories exist, as in the case of "403 Forbidden".
Must those directories exist?
Last edited by francis1691 (2019-09-15 14:59:28)
I am … confused.
You add the icons dir in a specific rule that also denies access to it, but you don't want a 403, you want a 404? Just don't add it in the first place.
You can add RedirectMatch ot AliasMatch to "hide" subdirectories, but
What is your end goal?
You can add RedirectMatch ot AliasMatch to "hide" subdirectories
It has worked. Thank you!
I changed some things in httpd.conf:
#RewriteEngine On
#RewriteCond %{HTTPS} !=on
#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
#to
<VirtualHost *:80>
Redirect permanent / https://my_domain.com/
ServerName my_domain.com
ServerAlias my_domain.com
UseCanonicalName On
DocumentRoot /srv/http
</VirtualHost>
Now the HTTP header shows "301 Moved Permanently."
I also noticed that it is the most effective way to redirect to the HTTPS version of the site.
Last edited by francis1691 (2019-09-19 00:08:47)
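The configuration below is an added example for this thread; it is not the original poster's httpd.conf and not anything shipped with the Arch httpd package. It pulls together the points made above: the 403 for /icons/ and /~root/ appears because those URLs are mapped to paths outside /srv/http (by the Alias in httpd-autoindex.conf and by mod_userdir) and then denied by the <Directory /> block, so the way to get a 404 is either to stop mapping them or to answer 404 explicitly with RedirectMatch, as suggested in the post above. It also covers the caveat for the last post: the port-80 redirect only changes what a plain-HTTP request sees (hence the 301), while the same paths requested over https are still answered by the Alias and Directory blocks, which with the original config still give 403. Assumed here: httpd 2.4 with mod_alias loaded, the hostname my_domain.com and DocumentRoot /srv/http from the thread; the expected curl output at the end is constructed, not captured.

```apache
# Added example: making blocked paths answer 404 rather than 403.
# Not the original poster's config. Assumes httpd 2.4, mod_alias loaded,
# DocumentRoot /srv/http and the hostname my_domain.com used in the thread.

# Filesystem-wide default stays denied, exactly as in the thread. Note what
# this implies: any URL that gets *mapped* to a path outside /srv/http
# (by Alias, mod_userdir, ...) is denied here and therefore answers 403,
# which tells a scanner that the mapping exists.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

DocumentRoot "/srv/http"
<Directory "/srv/http">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# 1. Do not create the mapping at all. Without "Alias /icons/ ..." the URL
#    /icons/ is looked up as /srv/http/icons/, which does not exist, so the
#    core answers 404. For that, leave out the httpd-autoindex.conf Include
#    (or delete its Alias and <Directory> block), and do not load
#    mod_userdir unless ~user URLs are actually wanted.

# 2. If mod_userdir is needed for real users, keep root out of it. With
#    userdir disabled for root, /~root/ is no longer translated to
#    /root/public_html and falls through to the 404 in point 1.
<IfModule userdir_module>
    UserDir public_html
    UserDir disabled root
</IfModule>

# 3. Belt and braces for a path that must stay mapped for internal reasons:
#    mod_alias processes all Redirect* directives in a context before any
#    Alias in the same context, so this answers 404 before the Alias is
#    consulted. A status outside 300-399 takes no URL argument.
RedirectMatch 404 "^/icons(/|$)"

# One ErrorDocument per status (the directive is spelled ErrorDocument).
# Serving the same page for 403 and 404 only hides the body; the status code
# in the header is what wmap and "curl -I" report.
ErrorDocument 403 /missing.html
ErrorDocument 404 /missing.html

<VirtualHost *:80>
    ServerName my_domain.com
    # Every plain-HTTP request gets a 301 to TLS. Good practice, but it hides
    # nothing: the directory lookup, and hence the 403-vs-404 difference,
    # happens on the HTTPS side.
    Redirect permanent "/" "https://my_domain.com/"
</VirtualHost>

# Check from outside (expected status lines, constructed):
#   curl -sI  http://my_domain.com/icons/ | head -1   ->  301 Moved Permanently
#   curl -sI https://my_domain.com/icons/ | head -1   ->  404 Not Found
#   curl -sI https://my_domain.com/~root/ | head -1   ->  404 Not Found
```

Whether a probe sees 403 or 404 is decided per mapped path, so after changing the config it is worth re-running the https checks for every Alias and ScriptAlias in the Included files, not only for /icons/.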
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Also, @runninghorse: wtf was that supposed to be? Point out the "or/ot" typo in my statement??
I was unsure before, but I'm now almost certain that it's a spam bot that tries to be vaguely on topic by reposting parts of the conversation. I've banned it now.