Apache configuration

Ensure the filestore is not browseable by disabling indexing

This can be done by either disabling the autoindex module:

sudo a2dismod --force autoindex
systemctl restart apache2

Or by setting the directory's options directive

sudo nano /etc/apache2/apache2.conf

Adding in -Indexes to the web directory location

<Directory /var/www/resourcespace>
    Options -Indexes

The following locations should be blocked:

  • /batch
  • /include
  • /upgrade
  • /languages
  • /tests
  • /filestore*

This can be achieved by editing the apache .conf file, e.g:

<Directory /var/www/resourcespace/batch>
        Require all denied

...for each folder.

* Note that blocking of filestore requires $hide_real_filepath = true; in your config.php file. This is the default from version 10.4.

Block access to all .svn files

Add the folowing to your apache .conf file:

<Directorymatch "^/.*/\.svn/">
      Order 'deny,allow'
      Deny from all