Disable directory browsing

Adsakis 3 years ago

Hello,
I set up Reverse Proxy as indicated on the official instructions (https://www.traccar.org/secure-connection/) and everything seems to be working fine, meaning I can see the server using its DNS name (https://myexampletraccar.com) via secure HTTPS protocol with the proper SSL certificates.

My only issue is that the directories and files in /opt/traccar/web are still visible on the web. Is there a way to disable directory browsing/listing with reverse proxy in apache2 (Linux Ubuntu server 20.04)?

Thank you

Anton Tananaev 3 years ago

I think you did something wrong because directory listing should be disabled by default.

Adsakis 3 years ago

Not sure where I went wrong, but here is the conf file of traccar.conf

<IfModule mod_ssl.c>
       <VirtualHost _default_:443>
                ServerName mywebsite.com
                ServerAdmin webmaster@localhost
                DocumentRoot /opt/traccar/web
                ProxyPass /api/socket ws://localhost:8082/api/socket
                ProxyPassReverse /api/socket ws://localhost:8082/api/socket
                ProxyPass / http://localhost:8082/
                ProxyPassReverse / http://localhost:8082/
                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/certificate.cer
                SSLCertificateKeyFile /etc/ssl/private/certificate.key
       </VirtualHost>
</IfModule>

Traccar is installed in /opt/traccar directory.

Anton Tananaev 3 years ago

This part is wrong:

DocumentRoot /opt/traccar/web

Adsakis 3 years ago

Changing the document root to

DocumentRoot /var/www/html

had no effect. I tried this before and I retried it again just right now. I can still navigate into the /opt/traccar/web/images directory for example.

Anton Tananaev 3 years ago

And obviously you reloaded Apache after changing the config?

Adsakis 3 years ago

Yes sir, I restarted apache2. I even tried the following in the apache2 main configuration file located in the /etc/apache2/apache2.conf

<Directory /opt/traccar/web/>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

and still did not work. This is how I usually block directory browsing, but this is the first time I am dealing with reverse proxy.

Anton Tananaev 3 years ago

Why would you even give Apache path to Traccar? It should not need to know where Traccar web app is located. Do you understand what a proxy is and how it works?

Adsakis 3 years ago

As stated above, this is the first time I am dealing with reverse proxy so I am not familiar with it which is another way of stating that I do not know how it works. So I was trying different ways to prevent directory browsing.

On the other hand, why does it matter where the DocumentRoot is? Both DocumentRoot /var/www/html and DocumentRoot /opt/traccar/web work fine, or I can even delete this line DocumentRoot /var/www/html from the configuration file and the content is still being delivered.

So your instructions are not 100% correct.

Anton Tananaev 3 years ago

There are two ways you could be getting directory listing:

  1. You enabled something in Traccar (by default directory listing is disabled)
  2. You misconfigured Apache and put Traccar path somewhere in the Apache config

None of those things are part of the instructions.

Track-trace 3 years ago

@Adsakis

Since you already forward your domain through the proxy below to the Traccar server with:

            ProxyPass /api/socket ws://localhost:8082/api/socket
            ProxyPassReverse /api/socket ws://localhost:8082/api/socket
            ProxyPass / http://localhost:8082/
            ProxyPassReverse / http://localhost:8082/

You should not state any document root in your apache conf for traccar server.

So remove DocumentRoot /opt/traccar/web from your apache conf and restart your server.
Then check your root listing. And refresh the page with F5.

Just as Anton stated.

Adsakis 3 years ago

So where exactly in the traccar files is the directory listing disabled so I can check it?
This is a brand new installation v4.13 with all settings as default, except some ports disabled in the default.xml file.

Adsakis 3 years ago

@Track-Trace

You should not state any document root in your apache conf for traccar server

Here are the instructions from (https://www.traccar.org/secure-connection/)

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>

                ServerName demo.traccar.org
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ProxyPass /api/socket ws://localhost:8082/api/socket
                ProxyPassReverse /api/socket ws://localhost:8082/api/socket

                ProxyPass / http://localhost:8082/
                ProxyPassReverse / http://localhost:8082/

                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        </VirtualHost>
</IfModule>

Here is what I said above:

On the other hand, why does it matter where the DocumentRoot is? Both DocumentRoot /var/www/html and DocumentRoot /opt/traccar/web work fine, or I can even delete this line DocumentRoot /var/www/html from the configuration file and the content is still being delivered.
So your instructions are not 100% correct.

Deleting the whole line about the directory root still DOES NOT solve the issue. Directories are still visible.

Anton Tananaev 3 years ago

With default settings Traccar won't show directories. You can also verify if it's the case by connecting to Traccar directly via port 8082.

Adsakis 3 years ago

Directly connecting with chrome with local ip at 192.168.1.5:8082 I am able to see the directories. So I am not sure where exactly in the traccar files the directory browsing is disabled.
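
Why the `<Directory>` block and the DocumentRoot changes in this thread had no effect, as an added example (not code from the thread or from Traccar): a small Python model of how Apache chooses a handler for a request path. `parse` and `route` are hypothetical helpers, the matching is a simplified prefix match, and the sample config is constructed from the snippets posted above.

```python
import re

# Constructed sample: the vhost from the thread plus the <Directory> block that was tried.
SAMPLE_CONF = """
<VirtualHost _default_:443>
    DocumentRoot /opt/traccar/web
    ProxyPass /api/socket ws://localhost:8082/api/socket
    ProxyPassReverse /api/socket ws://localhost:8082/api/socket
    ProxyPass / http://localhost:8082/
    ProxyPassReverse / http://localhost:8082/
</VirtualHost>
<Directory /opt/traccar/web/>
    Options -Indexes +FollowSymLinks
</Directory>
"""

def parse(conf):
    """Return (proxy_rules, document_root, directory_options) from config text."""
    rules, docroot, dir_opts, current = [], None, {}, None
    for line in map(str.strip, conf.splitlines()):
        if m := re.match(r"ProxyPass\s+(\S+)\s+(\S+)$", line):
            rules.append((m.group(1), m.group(2)))  # keep configuration order
        elif m := re.match(r"DocumentRoot\s+(\S+)$", line):
            docroot = m.group(1)
        elif m := re.match(r"<Directory\s+(\S+?)/?>$", line):
            current = m.group(1)
        elif line == "</Directory>":
            current = None
        elif current and (m := re.match(r"Options\s+(.+)$", line)):
            dir_opts[current] = m.group(1).split()
    return rules, docroot, dir_opts

def route(path, conf):
    """Report who answers `path`: the proxied backend or Apache's filesystem handlers."""
    rules, docroot, dir_opts = parse(conf)
    for prefix, target in rules:  # simplified prefix match; first ProxyPass that matches wins
        if path.startswith(prefix):
            # Proxied requests never map to a local file, so <Directory> Options are not consulted.
            return {"handler": "proxy", "url": target + path[len(prefix):], "options": None}
    fs_path = (docroot or "") + path
    opts = next((o for d, o in dir_opts.items() if fs_path.startswith(d)), [])
    return {"handler": "filesystem", "path": fs_path, "options": opts}

if __name__ == "__main__":
    for p in ("/images/", "/api/socket"):
        print(p, "->", route(p, SAMPLE_CONF))
```

With `ProxyPass /` present, `/images/` is answered by the backend on port 8082, so a listing seen through the proxy is whatever the backend itself returns, which matches the result of connecting to port 8082 directly.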