Need to allow only specific file extensions via Apache config

Question

I'm struggling with allowing only specific file extensions via Apache (2.4.58).

I'm doing this in httpd.conf.

The problem is if I deny all files at first either like that:

<Files *>
    Require all denied
</Files>

or just Require all denied within required <Directory> and then enable what I need like this:

<Files ~ "(.html|.php|.js|.css|.png|.jpg|.gif|.ico|.pdf)">
   Require all granted
</Files>

This seem to be disabling the directory index logic and when I navigate to a directory Apache no longer redirects to index.php, unless I target the index.php in the URL directly.

There's an option to try to list all extensions to block, but I don't like it, because in general it is unknown. And I'd like to use the principle of least privilege here and base restricition on explicitly allowed list instead.

So how can I do this but still preserve the directory index functionality?

AFAIK duplicate of https://serverfault.com/questions/541171/apache2-require-all-granted-doesnt-work — Marcel, Dec 20 '23 at 13:06

score 0 · Answer 1 · answered Dec 20 '23 at 13:17

0

Ok, resolved this

<FilesMatch "((^$)|(^.+\.(html|php|js|css|png|jpg|gif|ico|pdf)$))">
       Require all granted
</FilesMatch>

using hint from FilesMatch configuration to Restrict File Extensions served

answered Dec 20 '23 at 13:17

Gino Pane

101

Need to allow only specific file extensions via Apache config

1 Answers1