FusionAuth was installed via Debian packages for reference. Running version 1.38.1.
We have FusionAuth set up behind Apache2 acting as a reverse proxy. I used the sample configuration available here as a starting point. I disabled all directory listings in the main Apache configuration.
This configuration works with little issues.
Our FusionAuth instance is running out of /usr/local/fusionauth/fusionauth-app/ which contains 4 other sub directories, bin/, lib/, template/, web/, 3rd-party-licenses/.
When testing behavior for this setup, it came to my attention that you could access, for example, the start script that is in the bin directory when navigating to https://ourfusionauthserver.com/bin from the browser.
The same can be said for the other directories at that level.
I added explicit ProxyPass exclusions for each of these paths at the virtual host level and it does have the intended effect of limiting access to these files from browser.
However, I haven't yet found this particular issue raised in other documentation, and it's making me think I have something configured incorrectly either in FusionAuth or Apache2.
If anyone has insight on this configuration or have resolved this issue themselves, I would appreciate the help.