<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
-<TITLE>Apache HTTP Server Documentation</TITLE>
+<TITLE>Apache HTTP Server: Security Tips</TITLE>
</HEAD>
<BODY>
<!--#include virtual="header.html" -->
-<H1>Security tips for server configuration</H1>
+<H1>Security Tips for Server Configuration</H1>
<hr>
<P>Some hints and tips on security issues in setting up a web server. Some of
-the suggestions will be general, other, specific to Apache
+the suggestions will be general, others specific to Apache.
<HR>
<a href="../mod/core.html#user"><b>User</b></a> directive. Anyone who
has write permission for the directory where any log files are
being written to can append pseudo-arbitrary data to any file on the
-system which is writable to the user who starts Apache. Since the
+system which is writable by the user who starts Apache. Since the
server is normally started by root, you should <EM>NOT</EM> give anyone
write permission to the directory where logs are stored unless you
want them to have root access.
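Review bot: the "writable to" to "writable by" correction on this line is right, and the warning it sits in holds because the server opens its log files while it is still running as root, before it drops to the identity named by the User directive, so an account that can write the log directory can make a log name resolve to any root-writable file (a symlink is the usual way) and have the server append to it. Suggest the paragraph state that mechanism and the concrete remedy rather than only the prohibition: the log directory should be owned by root and not writable by the User account or by group/other (for example mode 0755), and the same applies to any directory a PidFile or ScoreBoardFile is written into, since those are also opened as root.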
This stops all overrides, Includes and accesses in all directories apart
from those named.<p>
+<HR>
+<H2>
+ Protect server files by default
+</H2>
+<P>
+One aspect of Apache which is occasionally misunderstood is the feature
+of default access. That is, unless you take steps to change it, if the
+server can find its way to a file through normal URL mapping rules, it
+can serve it to clients.
+</P>
+<P>
+For instance, consider the following example:
+</P>
+<OL>
+ <LI><SAMP># cd /; ln -s / public_html</SAMP>
+ </LI>
+ <LI>Accessing <SAMP>http://localhost/~root/</SAMP>
+ </LI>
+</OL>
+<P>
+This would allow clients to walk through the entire filesystem. To work
+around this, add the following block to your server's configuration:
+</P>
+<PRE>
+ <Directory />
+ Order deny,allow
+ Deny from all
+ </Directory>
+</PRE>
+<P>
+This will forbid default access to filesystem locations. Add
+appropriate
+<A
+ HREF="../mod/core.html#directory"
+><SAMP><Directory></SAMP></A>
+blocks to allow access only
+in those areas you wish. For example,
+</P>
+<PRE>
+ <Directory /usr/users/*/public_html>
+ Order deny,allow
+ Allow from all
+ </Directory>
+ <Directory /usr/local/httpd>
+ Order deny,allow
+ Allow from all
+ </Directory>
+</PRE>
+<P>
+Pay particular attention to the interactions of
+<A
+ HREF="../mod/core.html#location"
+><SAMP><Location></SAMP></A>
+and
+<A
+ HREF="../mod/core.html#directory"
+><SAMP><Directory></SAMP></A>
+directives; for instance, even if <SAMP><Directory /></SAMP>
+denies access, a <SAMP><Location /></SAMP> directive might
+overturn it.
+</P>
+<P>
+Also be wary of playing games with the
+<A
+ HREF="../mod/mod_userdir.html#userdir"
+>UserDir</A>
+directive; setting it to something like <SAMP>"./"</SAMP>
+would have the same effect, for root, as the first example above.
+</P>
<HR>
<P>Please send any other useful security tips to
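Review bot: the <Directory /> block introduced in this hunk (the lines "Order deny,allow" / "Deny from all") only gates access; it does not change the default Options or AllowOverride, so the "ln -s / public_html" walk-through the section uses as motivation still works in any subtree that a later <Directory> re-allows, because that subtree inherits the default Options (which includes FollowSymLinks) and .htaccess processing. Suggest the root block also carry "Options None" and "AllowOverride None", which is exactly the "stops all overrides, Includes and accesses" advice the page already gives, and that the per-directory blocks that follow re-enable only what they need (for example "Options SymLinksIfOwnerMatch" under public_html). Two smaller points: the angle brackets in "<Directory />" inside the <PRE> blocks and in "<SAMP><Directory></SAMP>" appear unescaped in this hunk; in HTML they must be written as &lt;Directory /&gt; or the browser will treat the directive as an unknown tag and render nothing. And since "normal URL mapping rules" include Alias and ScriptAlias, it is worth a sentence noting that aliased paths outside DocumentRoot also need their own <Directory> block once the root is denied, or they stop working silently.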
<li>Apply any FileInfo directives in <code>/home/web/.htaccess</code>
</menu>
+<P>
+<STRONG>
+Note that the default Apache access for <Directory /> is
+<SAMP>Allow from All</SAMP>. This means that Apache will serve any file
+mapped from an URL. It is recommended that you change this with a block
+such as
+</STRONG>
+<PRE>
+ <Directory />
+ Order Deny,Allow
+ Deny from All
+ </Directory>
+</PRE>
+<P>
+<STRONG>
+and then override this for directories you <EM>want</EM> accessible.
+See the
+<A
+ HREF="../misc/security_tips.html"
+>Security Tips</A>
+page for more details.
+</STRONG>
+</P>
+
The directory sections typically occur in the access.conf file, but they
may appear in any configuration file. <Directory> directives cannot
nest, and cannot appear in a <A HREF="#limit"><Limit></A> section.
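Review bot: the "<Directory />" on the line "Note that the default Apache access for <Directory /> is" sits in running prose, not inside <PRE> or <SAMP>, and is unescaped, so a browser will consume it as a tag and the note will read "the default Apache access for is"; write it as &lt;Directory /&gt;. The example block itself should match the one it points to in security_tips.html: that page uses "Order deny,allow" / "Deny from all" (argument case is not significant, but a reader comparing the two will wonder), and for the same reason as there the block should include "Options None" and "AllowOverride None", otherwise a later <Directory> that re-allows access inherits the default Options and .htaccess handling. Also "an URL" should be "a URL", and the <P> opened before <STRONG> is never closed before the <PRE>; HTML 2.0 tolerates the implicit close, but an explicit </P> keeps the markup consistent with the rest of the file.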