Secure Your Server: How to Disable the Apache Default Page on Fedora
So you’ve just fired up a fresh installation of the Apache web server on your Fedora system. When you navigate to your server’s IP address or localhost, you’re greeted with the default Apache “Welcome” or “Test” page. While this page confirms that Apache is running correctly, leaving it active is a common misstep that can compromise your server’s security and professionalism.
This guide will walk you through the simple but essential process of disabling this default page, providing a more secure and clean slate for your web projects.
Why You Should Disable the Default Apache Page
Leaving the default page enabled is more than just a cosmetic issue. It presents two main problems:
- Information Leakage: The default page explicitly confirms that you are running an Apache server and can sometimes reveal the specific version. This information is a gift to malicious actors who can use it to search for known vulnerabilities associated with your software version. Reducing your server’s information footprint is a fundamental step in security hardening.
- Unprofessional Appearance: If a user accidentally stumbles upon this page instead of your website, it signals an incomplete or poorly configured server. A professional setup should never display default placeholder content.
Fortunately, disabling this page on Fedora is a straightforward process.
Step 1: Locate the Apache Welcome Configuration File
On Fedora and other RHEL-based systems, Apache’s configuration is modular. The settings that control the default welcome page are not in the main httpd.conf file. Instead, they are located in a separate configuration file specifically for this purpose.
You can find this file in the /etc/httpd/conf.d/ directory. The file you need to edit is:
/etc/httpd/conf.d/welcome.conf
Step 2: Edit the Configuration File
You will need to edit this file with superuser privileges. You can use your preferred command-line editor, such as nano or vim.
Open the file using the following command:
sudo nano /etc/httpd/conf.d/welcome.conf
Inside this file, you will see a block of code surrounded by <LocationMatch> tags. It will look similar to this:
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /.noindex.html
</LocationMatch>
<Directory /usr/share/httpd/noindex>
AllowOverride None
Require all granted
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
To disable the test page, you don’t need to delete the file. The safest and most effective method is to comment out every line in the file. You can do this by placing a hash symbol (#) at the beginning of each line.
Your edited welcome.conf file should look like this:
#<LocationMatch "^/+$">
# Options -Indexes
# ErrorDocument 403 /.noindex.html
#</LocationMatch>
#
#<Directory /usr/share/httpd/noindex>
# AllowOverride None
# Require all granted
#</Directory>
#
#Alias /.noindex.html /usr/share/httpd/noindex/index.html
Commenting out the lines is better than deleting the file because it makes the change easily reversible and documents what has been done. Save the file and exit the editor.
Step 3: Restart Apache to Apply Changes
For your changes to take effect, you must restart the Apache service. This will force Apache to reload its configuration files, including your modified welcome.conf.
Run the following command to restart the httpd service:
sudo systemctl restart httpd
To ensure the service restarted without errors, you can check its status:
sudo systemctl status httpd
You should see an “active (running)” status.
Step 4: Verify the Result
Now, open your web browser and navigate to your server’s IP address or domain name again. Instead of the default welcome page, you should now see a “403 Forbidden” error.
This is the expected and correct outcome. This error indicates that Apache is working but has no default page to serve for the root directory, which is precisely what you want. Your server is no longer advertising its default state.
Next Steps for a Secure Server
Disabling the default page is a critical first step. Your next actions should be:
- Create an
index.htmlfile: Place your ownindex.htmlfile in the webroot (typically/var/www/html) to serve as a proper landing page. - Configure Virtual Hosts: If you plan on hosting multiple websites, set up Virtual Hosts. This allows you to define specific document roots and configurations for each domain, giving you full control over what content is served.
By removing the default test page, you have instantly improved your server’s security posture and prepared it for professional deployment. It’s a simple change that makes a significant difference.
Source: https://kifarunix.com/remove-apache-test-page-on-fedora-30-29/
