How do I allow users to view web page on ubuntu server, but not files on the server?

Question

I am trying to figure out how to allow my local webserver to run php and load web pages in the browser, but not files on the file system of the server. For example, www.something.com/ would load the home page but www.something.com/helpers/ displays the php files on my server. How to I prevent this?

Steps taken: - Created a user group - Added www-data (The default php user) to the user group - Verified that the user was added (getent group GROUPNAME) - Performed a chown -R www-data:groupname /var/www/site/ - Then, I tried locking up the permissions on my site with chmod -R 770 /var/www/site

Now, I get a forbidden access page. I thought the chmod is where i messed up, so i changed it to 775 and the site came back up. But how to lock down my file system and allow anonymous users to view web pages and not the list of files in any directory?

I also see that the logs show that includes are getting permission denied when i try to lock down the file system. There must be a simple way to do this without going to each directory and locking it down.

Thanks in advance.

Answer 1

All you had to do was make sure that each of your directories has an index.html file in it. It could be a blank file, or contain a "404: You shouldn't be here" message, but it needs to exist in every directory and be named "index.html" or "index.htm" or "index.php" in the filesystem.

I'm sure Apache has a setting somewhere that also disables browsing directories, but the index.html trick should work across all web servers (like if you happen to not be using Apache).