IndexIgnore is an important security setting in your Apache configuration files which commands what gets displayed to the visitor coming to your website. IndexIgnore is a simple setting which is often forgotten or neglected. Not having IndexIgnore set properly can have negative consequences and compromise your website server security.
What is IndexIgnore?
When your website visitor navigates to a directory or folder where you do not have an index file (index.htm, index.html, index.php, etc. as specified by your DirectoryIndex directive), the browser displays something. What gets displayed depends on your configuration. The browser can display some error page, nothing, or it can also list all or some of the files included in that directory.
IndexIgnore is a directive or a parameter in your server or directory configuration that you can use to exclude certain files or even everything from so-called directory listing or directory browsing. The IndexIgnore directive adds to the list of files to hide when listing a directory. In other words, the IndexIgnore directive is often used to prevent unauthorized directory browsing or access to files.
The following print screen shows you what a visitor of your website might see with IndexIgnore not in place or configured improperly.
Imagine now what can happen if someone with bad intentions can see and gain access to your configuration files.
Where can I find IndexIgnore?
You can find the IndexIgnore directive in two places. One place is the httpd.conf Apache server configuration file (httpd.conf IndexIgnore). You can locate this file in the Apache server folder. This file is what governs your settings globally for the whole server.
The other place is your .htaccess files (.htaccess IndexIgnore). You will most likely find some reference to IndexIgnore in the .htaccess file that is located in your web root folder (usually htdocs).
The .htaccess file stores settings relevant and applicable only to the folder where it resides and its subfolders. If you edit IndexIgnore in your root .htaccess file, it will affect all subdirectories as well. If you want to apply your setting to a subdirectory only, then you have to add a .htaccess file to that subdirectory and edit that.
Does IndexIgnore stop crawlers or spiders from indexing the homepage?Good question. If the IndexIgnore is in the .htaccess file in the root, then theoretically it could stop crawlers from indexing right?
IndexIgnore relates to the default directory listing mechanism that returns a directory listing for directories which do not contain an index.html or other "index" file. If that file is present, then IndexIgnore does not do anything. IndexIgnore does not control or affect ranking in search engine result pages. The robots.txt file and the <meta name="robots" ...> HTML meta-tag are used to control whether search engine robots fetch and index your pages.
Using the IndexIgnore directive is easy. If you open your .htaccess or httpd.conf files, you will likely find some instructions related to IndexIgnore syntax there. If not, here is how you can use it.
IndexIgnore file [file] ...
File is a file extension, partial filename, wildcard expression or full filename for files to ignore. The IndexIgnore directive is case-sensitive, so type in the capitalization as shown.
Let's say you want to disable the readme.txt and .htaccess files from showing in your directory listing. You would do the following:
IndexIgnore readme.txt .htaccess
Now, let's say you want to use the IndexIgnore to block directory listing completely. In this case, you would do the following:
This says to not list any files at all. The IndexIgnore directive adds to the list of files to hide when listing a directory. It means that multiple references to the IndexIgnore directive add to the list. Multiple IndexIgnore directives do not replace the list of ignored files. If you do IndexIgnore fileabc in your httpd.conf and also IndexIgnore uvwxyz in your .htaccess file, both files will be excluded from directory listing.
Do I need to have some module enabled for IndexIgnore to work?
Yes, IndexIgnore is related to the mod_autoindex module. Without this module enabled, no directory listings take place. So, if this module is not enabled, you do not need to worry about IndexIgnore. When you open your httpd.conf file, look for the following line in it:
LoadModule autoindex_module modules/mod_autoindex.so
Make sure there is no hash (#) in front of the line if you want to work with directory listings, or the other way around, make sure there is a hash in front of the line if you want to disable directory listing completely.
I updated IndexIgnore, and it does not work
Remember that if you make changes to the httpd.conf server configuration file, you must restart the server in order for your changes to take effect.
Your setting in the httpd.conf server configuration file should be in sync with your setting in your .htaccess files. In other words, if you restrict directory listing globally in your httpd.conf server configuration file, you will not be able to re-enable it in your .htaccess files because the IndexIgnore definitions are additive.
Is there any other setting related to IndexIgnore?