Why the warning for 'a2dismod autoindex'?

I have Ubuntu 16.04 x64 with LAMP (Apache 2.4).

I consider directory browsing very bad. I just discovered this wonderful solution:

a2dismod autoindex

But it gives this vague but very scary warning:

root@www:~# a2dismod autoindex
WARNING: The following essential module will be disabled.
This might result in unexpected behavior and should NOT be done
unless you know exactly what you are doing!
 autoindex

To continue type in the phrase 'Yes, do as I say!' or retry by passing '-f':

Can someone explain what it is talking about? It sounds all good to me.


Solution 1:

I think that whoever wrote the a2dismod script thought that was a good idea.

The list of modules considered essential by Apache2 (at least in version 2.2):

my @essential_module_list = (qw/access_compat alias auth_basic authn_file/,
    qw/authz_host authz_user autoindex deflate dir env filter logio/,
    qw/mime negotiation setenvif unixd version watchdog/);

PCI compliance considers autoindex, all the auth*, and the version modules as insecure (benefiting hackers greatly¹, really) and in most cases they ask you to remove them.

You may use the -f to avoid the message (especially if you are scripting the installation):

a2dismod -f autoindex

Then you won't get the warning.


¹ Obfuscation is not security. However, it makes life harder for some (a very few?) hackers trying to determine what software you are running. Note that if one hacker writes a script to determine the version of Apache2 and what modules it is running, and shares said script with all his friends, the obfuscation is now totally useless...
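
A check worth running before scripting `a2dismod -f autoindex`, as an added example that is not part of the original answer: once the module is unloaded, Apache rejects any mod_autoindex directive (IndexOptions, IndexIgnore, AddIcon, ...) left outside an `<IfModule>` guard as an invalid command, so this scans the given config paths for such lines. The function names and the sample vhost are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before `a2dismod -f autoindex`.
# Prints "file:line: Directive" for each mod_autoindex directive that is not
# wrapped in <IfModule mod_autoindex.c> or <IfModule autoindex_module>.
unguarded_autoindex_directives() {
    find -L "$@" -type f -name '*.conf' -exec awk '
        BEGIN {
            # Directives provided by mod_autoindex in Apache 2.4.
            list = "AddAlt AddAltByEncoding AddAltByType AddDescription AddIcon"
            list = list " AddIconByEncoding AddIconByType DefaultIcon HeaderName"
            list = list " IndexHeadInsert IndexIgnore IndexIgnoreReset IndexOptions"
            list = list " IndexOrderDefault IndexStyleSheet ReadmeName"
            n = split(list, names, " ")
            for (i = 1; i <= n; i++) provided[tolower(names[i])] = 1
        }
        FNR == 1 { depth = 0; guards = 0 }      # new file: reset nesting state
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        line ~ /^<ifmodule[ \t]/ {
            # A negated test (!mod_autoindex.c) does not count as a guard.
            g = (line ~ /^<ifmodule[ \t]+(mod_autoindex\.c|autoindex_module)[ \t]*>/)
            stack[++depth] = g; guards += g; next
        }
        line ~ /^<\/ifmodule>/ {
            if (depth > 0) { guards -= stack[depth]; depth-- }
            next
        }
        {
            split(line, word, /[ \t]+/)
            if ((word[1] in provided) && guards == 0)
                printf "%s:%d: %s\n", FILENAME, FNR, $1
        }
    ' {} +
}

# Constructed sample vhost: one guarded directive, one unguarded.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/site.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <IfModule mod_autoindex.c>
        IndexOptions FancyIndexing
    </IfModule>
    IndexIgnore .htaccess
</VirtualHost>
EOF
    unguarded_autoindex_directives "$d"
    rm -rf "$d"
}
demo
```

On a real host, pass the enabled config paths (for example `/etc/apache2/apache2.conf /etc/apache2/conf-enabled /etc/apache2/sites-enabled`) and run `apache2ctl configtest` after disabling the module; line-continued directives are not handled by this sketch.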