APACHE :: URL Access Hardening (Without 3rd Party Modules)
Author: Cody Tubbs (codytubbs@gmail.com) 05/14/2006

Directives used/referenced: LocationMatch, DocumentRoot, VirtualHost, Directory, FilesMatch, Include

First, save the script below as 'whitelist.rb' and set the 'documentRoot' variable to your DocumentRoot path.
<snip whitelist.rb>

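#!/usr/bin/env ruby
# Build whitelist.conf: one anchored regex alternative per file under DocumentRoot.
documentRoot = '/var/www/html'
File.open("./whitelist.conf", "w") do |fd|
  fd.print('<LocationMatch "')
  IO.popen(["find", documentRoot, "-xtype", "f"]) do |fd2|
    # LocationMatch matches URL paths, so strip the DocumentRoot prefix
    # and escape regex metacharacters such as '.' in file names.
    fd2.each { |file| fd.print("^#{Regexp.escape(file.chomp.delete_prefix(documentRoot))}$|\\" + "\n") }
  end
  fd.print("^/custom403\\.html$\">\nallow from all\n</LocationMatch>\n")
end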

</snip>
The generated whitelist.conf uses Apache's LocationMatch directive, which natively
parses regular expressions. Execute the script and then edit 'whitelist.conf' with
your editor. Comment out or remove any files you do not want the world to access.
You can then slim down your whitelist.conf by using a regex for redundant
entries, e.g.: ^/images/.*\.(jpe?g|gif)$|\ or ^/sources/.*\.(c|bzip2|tar|gz)$|\
If you wish to create the whitelist.conf by hand, the correct format follows:

<LocationMatch "^/images/.*\.(jpe?g|gif)$|\
^/sources/.*\.(c|bzip2|tar|gz)$|\
^/files/.*\.(s?html?|jsp|ppt)$">
allow from all
</LocationMatch>

You can add as many lines as you want; just make sure each one starts at the beginning
of the line, or Apache will not parse <LocationMatch> correctly.

Next you'll need to modify your httpd.conf. Your VirtualHost should look something
like this:
<VirtualHost *:80>
    ServerName yourdomain.com
    <Directory "/var/www/html">
        Options FollowSymLinks
        AllowOverride none
        Order Deny,Allow
        Deny from all
        #Next only allow / to be accessed (ie: index.html)
        #index.html or your default html page must be in your whitelist.conf
        <FilesMatch "^$">
            Order allow,deny
            allow from all
        </FilesMatch>
        #You can add unrestricted nets/hosts on the next line (separated by space)
        #Allow from 192.168.100.0/24
    </Directory>
    Include "/var/www/conf/whitelist.conf"
    ErrorDocument 403 /custom403.html
</VirtualHost>
You'll need to modify the <Directory> and Include directives to reflect the correct
path to your DocumentRoot and your whitelist.conf storage path.

The same syntax applies for SSL-enabled VirtualHost entries. You can now create a custom
error 403 page that is displayed when someone tries to access a restricted URL.
<snip custom403.html>

<html><head><title>Error</title></head><body bgcolor="white">
<center><b>This is a restricted URL.  This request has been logged.</b><br></center>
</body></html>

</snip>
You can now place custom403.html in your DocumentRoot. Restart Apache and test your
configuration by accessing a URL that is not within your whitelist.conf.
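
One way to check an edited whitelist.conf offline before restarting Apache, as an added example that is not part of the original article: it joins the backslash-continued lines, compiles the LocationMatch pattern, and reports which URL paths it would allow. The function names and the sample config are constructed for illustration, and Ruby's regex engine stands in for Apache's PCRE, which behaves the same for simple anchored patterns like these.

```ruby
#!/usr/bin/env ruby
# Added example (not the article's script): check URL paths against the
# <LocationMatch> regex in a whitelist.conf before restarting Apache.

# Extract the quoted pattern, joining backslash-continued lines into one
# logical line. Leading whitespace on a continued line is kept, which is
# why every alternative must start at the beginning of its line.
def whitelist_regex(conf_text)
  joined = conf_text.gsub(/\\\r?\n/, '')
  m = joined.match(/<LocationMatch\s+"([^"]*)"\s*>/)
  raise ArgumentError, 'no <LocationMatch "..."> found' unless m
  Regexp.new(m[1])
end

# Return { path => true/false } for each URL path tested.
def check_paths(conf_text, paths)
  re = whitelist_regex(conf_text)
  paths.each_with_object({}) { |p, out| out[p] = re.match?(p) }
end

# Constructed sample in the whitelist.conf format (not a real site).
SAMPLE_CONF = <<'CONF'
<LocationMatch "^/index\.html$|\
^/images/.*\.(jpe?g|gif)$|\
^/custom403\.html$">
allow from all
</LocationMatch>
CONF

# Constructed test paths: two that should pass, three that should not.
SAMPLE_PATHS = %w[/index.html /images/logo.gif /images/logo.gif.bak
                  /indexXhtml /backup/site.tar.gz].freeze

if __FILE__ == $PROGRAM_NAME
  conf  = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CONF
  paths = ARGV.length > 1 ? ARGV[1..-1] : SAMPLE_PATHS
  check_paths(conf, paths).each do |path, ok|
    puts format('%-6s %s', ok ? 'ALLOW' : 'DENY', path)
  end
end
```

Run it with the path to your whitelist.conf followed by the URL paths to test; with no arguments it uses the constructed sample.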