How to disable directory browsing for a flask application hosted using apache mod_wsgi for CNAME access from a different domain

StackOverflow https://stackoverflow.com/questions/20942183

Question

Something weird is happening with my flask application that I have hosted using apache mod_wsgi on Ubuntu. I have a virtualhost setup with my flask app imported to it. My virtualhost is present in /etc/apache2/sites-available/ and has been enabled. The file is this:

<VirtualHost *:80>
    ServerName domain1.com

    WSGIDaemonProcess app user=flask group=www-data threads=5 home=/var/www/app
    WSGIScriptAlias / /var/www/app/app.wsgi

    <Directory /var/www/app>
        WSGIProcessGroup app
        WSGIApplicationGroup %{GLOBAL}
        WSGIScriptReloading On
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>

My application works perfectly fine when I access it using domain1.com. However, if I have a domain2.com with a CNAME record pointing to domain1.com, I can view the directories and files when domain2.com is accessed. Similarly, when I change the ServerName to domain2.com, the directory listing is visible from domain1.com.

I've been advised to edit the httpd.conf file and remove the Indexes entry or change it to -Indexes to turn off the directory browsing but the file is empty. I would like the app to work only from the domain specified in the ServerName and not from any other domain name pointing to it. Please advise.


Solution

The advice given is correct but I believe on Ubuntu the default virtual host is in /etc/apache2/apache2.conf or /etc/apache2/sites-available/default. What's happening is that because both domains resolve to the same IP, domain2 picks up the default Apache configuration because it doesn't have its own virtual host.

You could also prevent this by moving the document root of domain1 to a different location but it's a good idea to turn off the indexes in any case.

OTHER TIPS

For the second domain name, because Apache cannot find a matching VirtualHost, it will fall back to using the very first VirtualHost definition it found when parsing the configuration.

For an explanation of this in a slightly different context see:

Read the section 'Fallback to default VirtualHost definition'.

If you want all other domain names blocked, then change the default VirtualHost to:

<VirtualHost _default_:*>
Deny from all
</VirtualHost>
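As an added example, not taken from the question or either answer, here is one way to lay this out on Ubuntu with Apache 2.4 so that a request for any Host name other than domain1.com lands on a deny-everything vhost instead of the global DocumentRoot. The two file names, the /var/www paths and the `flask` user are assumptions.

```apache
# /etc/apache2/sites-enabled/000-default.conf  (assumed file name)
# Apache treats the FIRST VirtualHost it parses for an address:port as the
# default for requests whose Host header matches no ServerName/ServerAlias.
# sites-enabled is read in alphabetical order, so this file must sort first.
<VirtualHost *:80>
    ServerName catch-all.invalid
    # Refuse everything, so a CNAME such as domain2.com gets a 403 instead
    # of the global DocumentRoot and its directory listing.
    # (Apache 2.2 equivalent: Order deny,allow / Deny from all)
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# /etc/apache2/sites-enabled/010-app.conf  (assumed file name)
<VirtualHost *:80>
    # Only the names listed here reach the Flask app.
    ServerName domain1.com

    WSGIDaemonProcess app user=flask group=www-data threads=5 home=/var/www/app
    WSGIScriptAlias / /var/www/app/app.wsgi

    <Directory /var/www/app>
        WSGIProcessGroup app
        WSGIApplicationGroup %{GLOBAL}
        WSGIScriptReloading On
        # Belt and braces: never auto-index, even if a path is ever mapped
        # to the filesystem instead of the WSGI script.
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
```

`apache2ctl -S` prints which VirtualHost Apache uses as the default for *:80, and `curl -sI -H 'Host: domain2.com' http://127.0.0.1/` should then return 403 while the same request with `Host: domain1.com` reaches the app.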
Licensed under: CC-BY-SA with attribution