RobinHood: Understanding the DirectoryHandler
If you’re serving your site with the RobinHood web server, you’ll discover that its default configuration is to let users view the contents of directories on your site when an index.html file is not present.
If this is not the behavior you want, you can either put a blank or redirecting index.html file in each directory you want to be off-limits, or you can remove the DirectoryHandler module altogether. If you remove the module, however, you’ll notice that further accesses on that directory name cause the server to loop, because the requests are passed on to the FileHandler, which tries to append a ‘/’ to the end of the URL, and so on.
If you don’t want to display your directories to the world (and give them a 404 message instead), comment out the following line in your virtual resources file and restart the rhdaemon:
VRes: pattern="*index.html" pattern="index" type="application/x-vnd.Be-directory" real=false;
The purpose of this line is to make the DirectoryHandler display the contents of a directory when an index.html file is absent, and to provide the means to display the contents of the root directory when an index.html file is present.
Joe Kloss, RobinHood’s author, adds the following information:
If you don’t want to let other people see a directory listing, clear the ‘x’ bit for others on the directory. For example:
chmod o-x myPrivateDirectory
If you try to access such a directory listing, you will be prompted for the username/password for the Realm in which the directory lives.
Note: The older version of RobinHood (1.0) used the ‘r’ bit instead of the ‘x’ bit.
David Muszynski (firstname.lastname@example.org) offers additional information:
To properly implement the RHDirectoryHandler you need to pay special attention to the permissions you assign to each directory that lives in your webroot folder. If you want people to be able to see a listing of the files in a particular directory, for example ‘foo’, first make sure you don’t have an index.html file in it, then set the executable bit for others to on (a nice graphical way to do this is to use SetPerms). That means that http://www.test.com/foo will show the contents of ‘foo’.
If you don’t want people to see the contents, set the executable bit to off and they will be greeted with a dialog asking for a username and password. You must also keep in mind that when working with RobinHood, http://www.test.com/foo is requesting something totally different than http://www.test.com/foo/. The first URL is asking for the contents of the directory ‘foo’, while the second is actually mapping that trailing ‘/’ to index.html. So if you have full sites that live in sub-directories of your webroot folder, be sure that all your links to them have the trailing ‘/’ hard coded in them.
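The permission rule described above can be audited across a whole webroot. The following is an added example, not part of the original tip or of RobinHood itself: a hypothetical shell function, listable_dirs, that prints every directory whose bit for others is set and that has no index.html, i.e. the directories the DirectoryHandler would list. It assumes only the rule as stated on this page (the ‘x’ bit, or the ‘r’ bit for RobinHood 1.0) and does not read the virtual resources file.

```shell
#!/bin/sh
# Added example: audit a webroot for directories that would be shown as a
# listing under the rule described on this page:
#   - the bit for "others" is set on the directory, and
#   - the directory contains no index.html.
# listable_dirs is a hypothetical helper name, not a RobinHood tool.
#
# usage: listable_dirs WEBROOT [x|r]
#   x (default) checks the 'x' bit; r checks the 'r' bit, which the page
#   says RobinHood 1.0 used instead.
listable_dirs() {
    root=$1
    bit=${2:-x}
    case $bit in
        x) mode=-001 ;;   # others-execute
        r) mode=-004 ;;   # others-read (RobinHood 1.0, per the page)
        *) echo "listable_dirs: bit must be x or r" >&2; return 2 ;;
    esac
    # -perm -MODE matches when at least these permission bits are set.
    # The inner sh keeps the index.html test portable across find versions.
    find "$root" -type d -perm "$mode" \
        -exec sh -c '[ ! -e "$1/index.html" ]' sh {} \; -print | sort
}

# When run as a script with arguments, report the exposed directories.
# Each one can then be closed with: chmod o-x DIRECTORY
if [ "$#" -gt 0 ]; then
    listable_dirs "$@"
fi
```

Directories handled by explicit VRes entries are outside what this check can see, so review those lines separately.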
Finally, Joe Kloss chimes in with the definitive word:
If the RHDirectoryHandler is removed, the directory request will then be passed to the file handler. The file handler will then send a redirect as the reply pointing to the original URL with a ‘/’ appended. If the browser follows the redirect and issues a new request, the URL pre-processor will append “index.html” to the request and attempt to handle the new request. This is the standard behavior seen by most web servers and it’s the reason your browser appears to automatically append the ‘/’ when you omit it from a directory name.
You could do this selectively using RobinHood if you don’t want to remove the Directory Handler. You could add an entry to the Virtual Hosts file for any directories the user is likely to manually type where a directory listing is not appropriate or desired.
If you had directories named “alice” and “bob/carol”, the following line will force these directories to be handled by the File Handler instead of the Directory Handler. The File Handler will do the automatic directory redirection for these requests, while all other directory requests would be handled by the Directory Handler.
VRes: pattern="alice" pattern="bob/carol" type="application/x-vnd.RHV.File" real=true;
This behavior could be reversed if the priority of the File Handler and Directory Handler were exchanged. In this case, the File Handler would handle (and redirect) directories by default and you have to have explicit entries for the directories you wish to allow listings for. This would require a recompile of the modules.
The server does not actually need to be restarted when you add or remove a RobinHood module. The Module Roster node-monitors the modules directory and will automatically load or unload modules on-the-fly without being restarted. Removing the Directory Handler from the modules directory will disable it without needing to restart the server.
This is not true of the VH file, but it’s something I have been wanting to do. I could node-monitor the VH file for changes and reparse it when it does. With this feature there would never be a need to restart the server, with the exception of replacing the actual server with a newer version.