| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> |
| <HTML> |
| <HEAD> |
| <TITLE>Apache HTTP Server Documentation</TITLE> |
| </HEAD> |
| |
| <BODY> |
| <IMG SRC="../images/apache_sub.gif" ALT=""> |
| <H1>Security tips for server configuration</H1> |
| |
| <hr> |
| |
| <P>Some hints and tips on security issues in setting up a web server. Some of |
| the suggestions are general, others are specific to Apache. |
| |
| <HR> |
| |
| <H2>Server Side Includes</H2> |
| <P>Server side includes (SSI) can be configured so that users can execute |
| arbitrary programs on the server. That thought alone should send a shiver |
| down the spine of any sys-admin.<p> |
| |
| One solution is to disable that part of SSI. To do that you use the |
| IncludesNOEXEC option to the <A HREF="core.html#options">Options</A> |
| directive.<p> |
| |
| <HR> |
| |
| <H2>Non Script Aliased CGI</H2> |
| <P>Allowing users to execute <B>CGI</B> scripts in any directory should only |
| be considered if: |
| <OL> |
| <LI>You trust your users not to write scripts which will deliberately or |
| accidentally expose your system to an attack. |
| <LI>You consider security at your site to be so feeble in other areas as to |
| make one more potential hole irrelevant. |
| <LI>You have no users, and nobody ever visits your server. |
| </OL><p> |
| <HR> |
| |
| <H2>Script Aliased CGI</H2> |
| <P>Limiting <B>CGI</B> to special directories gives the admin control over |
| what goes into those directories. This is inevitably more secure than |
| non script aliased CGI, but <strong>only if users with write access to the |
| directories are trusted</strong> or the admin is willing to test each new CGI |
| script/program for potential security holes.<P> |
| |
| Most sites choose this option over the non script aliased CGI approach.<p> |
| |
| <HR> |
| <H2>CGI in general</H2> |
| <P>Always remember that you must trust the writers of the CGI script/programs |
| or your ability to spot potential security holes in CGI, whether they were |
| deliberate or accidental.<p> |
| |
| All the CGI scripts will run as the same user, so they have the potential to |
| conflict (accidentally or deliberately) with other scripts; e.g. User A hates |
| User B, so he writes a script to trash User B's CGI database.<P> |
| |
| <HR> |
| |
| Please send any other useful security tips to |
| <A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A> |
| <p> |
| <HR> |
| |
| <H2>Stopping users overriding system wide settings...</H2> |
| <P>To run a really tight ship, you'll want to stop users from setting |
| up <CODE>.htaccess</CODE> files which can override security features |
| you've configured. Here's one way to do it...<p> |
| |
| In the server configuration file, put |
| <blockquote><code> |
| &lt;Directory /&gt; <br> |
| AllowOverride None <br> |
| Options None <br> |
| &lt;Limit GET PUT POST&gt; <br> |
| allow from all <br> |
| &lt;/Limit&gt; <br> |
| &lt;/Directory&gt; <br> |
| </code></blockquote> |
| |
| Then set up for specific directories.<P> |
| |
| This stops all overrides, Includes and accesses in all directories apart |
| from those named.<p><hr> |
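<P>An added example, not part of the original Apache documentation: the lock-down block from the section above followed by the kind of per-directory setup the text calls for, applying the IncludesNOEXEC and script-aliased CGI advice from the earlier sections. The directory paths and the methods listed in each Limit block are assumptions, and the access-control syntax follows the older style used on this page.</P>

```apache
# Constructed example. All paths are assumed, not taken from the page.

# 1. Default for every directory, as given on the page:
#    no .htaccess overrides and no optional features.
<Directory />
AllowOverride None
Options None
<Limit GET PUT POST>
allow from all
</Limit>
</Directory>

# 2. Document tree (assumed path). Options listed here replace the
#    "Options None" inherited from the block above.
#    IncludesNOEXEC keeps server side includes available but disables
#    the part of SSI that runs programs.
#    AllowOverride None is repeated so .htaccess files stay ignored.
<Directory /usr/local/apache/htdocs>
AllowOverride None
Options IncludesNOEXEC
<Limit GET POST>
order allow,deny
allow from all
</Limit>
</Directory>

# 3. CGI confined to a single directory that only trusted users can
#    write to (assumed path). ScriptAlias marks the directory's contents
#    as CGI, so ExecCGI is not needed anywhere else on the server.
ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/
<Directory /usr/local/apache/cgi-bin>
AllowOverride None
Options None
<Limit GET POST>
order allow,deny
allow from all
</Limit>
</Directory>
```

<P>No directory in this layout is given ExecCGI or plain Includes, so neither non script aliased CGI nor SSI program execution is available anywhere on the server.</P>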
| |
| <A HREF="../"><IMG SRC="../images/apache_home.gif" ALT="Home"></A> |
| <A HREF="./"><IMG SRC="../images/apache_index.gif" ALT="Index"></A> |
| |
| </BODY> |
| </HTML> |