How to not 'expose' directory tree by default

Hello,

error 403 means that the location exists and access is not allowed while
404 means that the location does not exist.

Based on this, with mostly default settings, it is (in theory) possible
to determine the directory structure below the document root via
guessing or dictionary attack. This may or may not be considered a
security risk (what do you think?).

I know that there are ways to make nginx return 404 for specific
locations, including directories. In am wondering, however, if there is
a neat approach making nginx return 404 generally for each directory
that

  • has not explicitly enabled autoindex and
  • contains no ‘index’ file (HttpIndexModule)

Thanks,

Jan-Philip

Hello!

On Fri, Jan 18, 2013 at 01:21:44PM +0100, Jan-Philip Gehrcke wrote:

Hello,

error 403 means that the location exists and access is not allowed
while 404 means that the location does not exist.

Based on this, with mostly default settings, it is (in theory)
possible to determine the directory structure below the document
root via guessing or dictionary attack. This may or may not be
considered a security risk (what do you think?).

It is always possible to determine all files available under
document root as long as you have enough time or luck.
Directories are just special case of files which return directory
listing if they are requested with traling slash and listing is
allowed.

I know that there are ways to make nginx return 404 for specific
locations, including directories. In am wondering, however, if there
is a neat approach making nginx return 404 generally for each
directory that

  • has not explicitly enabled autoindex and
  • contains no ‘index’ file (HttpIndexModule)

Simple solution would be to redefine 403 to be 404, something like

error_page 404 = /error/403;

location = /error/403 {
    return 404;
}

Note though, that it will be still possible to find out there is a
directory, as on request without trailing slash a 301 redirect will
be returned with trailing slash added. (You may use similar
aproach to override 301 redirects as well, but it will as well
affect directories with autoindex enabled/index files present,
resulting in bad user experience.)


Maxim D.
http://nginx.com/support.html

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs