These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Securing Apache Configuration


As we learned in UNIX02/Apache Configuration, Apache's configuration files are typically located in /etc/httpd/conf or /etc/apache/conf. The main configuration file (and the one we will be concerned with today) is httpd.conf.

We will now examine some specific problems and fixes with respect to security under Apache. You should recall that any time you make system-wide configuration changes to Apache, you should send a hangup signal to the parent httpd to cause it to reread them:

 killall -HUP httpd

Apache Ownership and Permissions

Traditionally, Apache serves the web on port 80. Because this port is below 1024, Apache must be started as root so that it may open the privileged TCP port. Thus, many people (and many UNIXes) set up Apache to run as root in spite of the grievous security concerns this causes. (This is one of the reasons that some server administrators run httpd on port 8080.)

The desired setup (and the default on many Linux and BSD distributions) is to start Apache as root and then switch to a non-privileged user after the port has been opened. The two most common choices of user for Apache are nobody and httpd. The one consideration is to ensure that whichever user Apache runs as is the only service using that UID on the system (thus, if you do use nobody, make certain that no other daemon is running as it as well).
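The following is an added example, not code from the course notes: it audits the "start as root, then drop privileges" layout described above from a process listing. The input is a constructed `ps -eo user,pid,ppid,comm` listing embedded in the script so it runs offline; on a live machine you would feed it the real output of that command. The process names and the `nobody`/`ftpd` clash it reports are assumptions made for the sample.

```python
# Added example (not from the course notes): check that the httpd parent runs
# as root, that its children have dropped to an unprivileged account, and that
# no other daemon shares that account.  SAMPLE_PS is a constructed listing in
# `ps -eo user,pid,ppid,comm` format.

SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root       812     1 httpd
nobody     813   812 httpd
nobody     814   812 httpd
nobody     815   812 httpd
nobody     901     1 ftpd
"""


def parse_ps(listing):
    """Turn a `ps -eo user,pid,ppid,comm` listing into a list of dicts (header skipped)."""
    rows = []
    for line in listing.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            user, pid, ppid, comm = parts
            rows.append({"user": user, "pid": int(pid), "ppid": int(ppid), "comm": comm})
    return rows


def audit_httpd(rows, daemon="httpd"):
    """Return a list of findings; an empty list means the layout matches the notes:
    one root parent (it needs root to bind port 80), unprivileged children (the
    User/Group directives in httpd.conf select that account), and no other daemon
    sharing the children's account."""
    findings = []
    procs = [r for r in rows if r["comm"] == daemon]
    if not procs:
        return ["no %s processes found" % daemon]
    pids = {r["pid"] for r in procs}
    parents = [r for r in procs if r["ppid"] not in pids]
    children = [r for r in procs if r["ppid"] in pids]
    for p in parents:
        if p["user"] != "root":
            findings.append("parent pid %d runs as %s, not root, so it cannot bind port 80"
                            % (p["pid"], p["user"]))
    for c in children:
        if c["user"] == "root":
            findings.append("child pid %d still runs as root: privileges were never dropped"
                            % c["pid"])
    for user in sorted({c["user"] for c in children} - {"root"}):
        others = sorted({r["comm"] for r in rows if r["user"] == user and r["comm"] != daemon})
        if others:
            findings.append("account %s is shared with other daemons: %s"
                            % (user, ", ".join(others)))
    return findings


if __name__ == "__main__":
    for finding in audit_httpd(parse_ps(SAMPLE_PS)) or ["ok"]:
        print(finding)
```

Run against the sample, the only finding is that `nobody` is shared with `ftpd`, which is exactly the situation the notes warn about when `nobody` is chosen.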

Protecting users from themselves

Apache allows for decentralized management of configuration via special files placed inside the web tree. The special files are usually called .htaccess, but any name can be specified in the AccessFileName directive. Directives placed in a .htaccess file apply to the directory in which you place the file and to all its sub-directories. The .htaccess files follow the same syntax as the main configuration files. Since .htaccess files are read on every request, changes made in these files take immediate effect.

.htaccess files can be quite useful, as they allow sub-sites the freedom to modify system-wide defaults. They are also used by certain authentication schemes.

However, there is a real danger in allowing them to be placed haphazardly on your system: a non-privileged user could maliciously modify or create an .htaccess file and override global security parameters to undermine the system. Thus you want to be selective about where on your web server .htaccess files are respected.

To disable .htaccess files, place the AllowOverride None directive inside a directory declaration.

If you wanted to disable it system-wide, then you would place it in the main directory declaration:

 <Directory />
 AllowOverride None
 Options None
 Allow from all
 </Directory>
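As an added example (not code from the course notes), the script below takes an httpd.conf and a list of .htaccess files found in the web tree and works out which of those files Apache would actually honor, following the rule that the most specific <Directory> section setting AllowOverride wins. Both the configuration and the file list are constructed samples; the paths and the `members` sub-site are assumptions, not part of the course.

```python
# Added example (not from the course notes): decide which .htaccess files are
# honored under a given httpd.conf.  SAMPLE_HTTPD_CONF and SAMPLE_HTACCESS_FILES
# are constructed; the latter stands in for the output of
# `find /var/www /home -name .htaccess`.
import posixpath
import re

SAMPLE_HTTPD_CONF = """\
<Directory />
    AllowOverride None
    Options None
    Allow from all
</Directory>

<Directory /var/www/html>
    AllowOverride None
</Directory>

<Directory /var/www/html/members>
    AllowOverride AuthConfig
</Directory>
"""

SAMPLE_HTACCESS_FILES = [
    "/var/www/html/.htaccess",
    "/var/www/html/members/.htaccess",
    "/var/www/html/members/private/.htaccess",
    "/home/alice/public_html/.htaccess",
]

DIRECTORY_BLOCK = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
ALLOW_OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.M | re.I)


def parse_allow_override(conf):
    """Map each <Directory> path to its AllowOverride argument, or None when the
    section does not set one (it then inherits from the enclosing section)."""
    settings = {}
    for match in DIRECTORY_BLOCK.finditer(conf):
        path = match.group(1).rstrip("/") or "/"
        override = ALLOW_OVERRIDE.search(match.group(2))
        settings[path] = override.group(1) if override else None
    return settings


def effective_override(settings, directory):
    """Apache applies <Directory> sections shortest path first, so the most
    specific section that sets AllowOverride wins for `directory`."""
    effective = None
    for path in sorted(settings, key=len):
        covers = directory == path or directory.startswith(path.rstrip("/") + "/")
        if covers and settings[path] is not None:
            effective = settings[path]
    return effective


def htaccess_honored(conf, htaccess_paths):
    """True/False per .htaccess file; None if no section sets AllowOverride for it
    (the server default then applies, which differs between Apache versions)."""
    settings = parse_allow_override(conf)
    verdicts = {}
    for path in htaccess_paths:
        override = effective_override(settings, posixpath.dirname(path))
        verdicts[path] = None if override is None else override.lower() != "none"
    return verdicts


if __name__ == "__main__":
    labels = {True: "honored", False: "ignored", None: "server default"}
    for path, verdict in htaccess_honored(SAMPLE_HTTPD_CONF, SAMPLE_HTACCESS_FILES).items():
        print("%-45s %s" % (path, labels[verdict]))
```

With the sample configuration, only the two files under /var/www/html/members are honored; the one in the document root and the one in a user's public_html are ignored because the root declaration's AllowOverride None still covers them.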

For more information on .htaccess, see:

Denying Access

By default, Apache can access any directory that is world readable, or that is readable by Apache's UID or GID. This is probably not something you will want to leave unchecked.

You can prohibit Apache from accessing specific directories by making declarations for them and then setting the Deny from all directive.

For example, if I wanted to prevent Apache from ever serving some confidential data stored in /http/html/conf_data, I would set a declaration like this:

 <Directory /http/html/conf_data>
 Order deny,allow
 Deny from all
 </Directory>

Denying access by file extension

Unless told otherwise, Apache will serve all files under the directories it is allowed to use. This may be changed by using Files declarations. They are applied after the Directory and .htaccess directives and before the Location directives. A first argument of "~" enables pattern (regular-expression) matching, with ".", "*", and "$" matching any character, zero or more characters except for a "/", and the end of the line, respectively. A backslash removes the special meaning of the following character.

As an example, the following will prevent browsers from reading files ending in "~", .swp, .pl, or .exe:

 <Files ~ "~$">
 Order deny,allow
 Deny from all
 </Files>

 <Files ~ "\.(swp|pl|exe)$">
 Order deny,allow
 Deny from all
 </Files>
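The following added example (not code from the course notes) applies the two file patterns above, a trailing "~" and a .swp/.pl/.exe extension, to a constructed list of filenames and reports which requests the Deny from all inside those sections would reject. It also shows what happens when the alternation is grouped with braces instead of parentheses, a common slip. Python's re module stands in for Apache's own regex engine; the patterns use only features the two share, and the filenames are assumptions.

```python
# Added example (not from the course notes): which filenames do the <Files ~>
# patterns catch?  SAMPLE_FILES is a constructed list of names one might find
# lying around a document root.
import re

SAMPLE_FILES = ["index.html", "sample.html", "index.html~", "index.html.swp",
                "counter.pl", "setup.exe", "notes.txt", "archive.swp.gz", "report.PL"]

# The intended patterns: editor backup files, and .swp/.pl/.exe extensions
FILES_PATTERNS = [r"~$", r"\.(swp|pl|exe)$"]

# A frequent slip: braces instead of parentheses around the alternation.
# Braces that do not form a valid {m,n} quantifier are taken literally, so the
# pattern falls apart into three alternatives: '\.{swp', 'pl' and 'exe}$'.
# The middle one matches any name containing "pl", while real .swp and .exe
# files pass untouched.
BROKEN_PATTERN = r"\.{swp|pl|exe}$"


def blocked_files(names, patterns=FILES_PATTERNS):
    """Return, sorted, the names that at least one pattern matches (case-sensitive,
    as Apache's <Files ~> match is unless told otherwise)."""
    compiled = [re.compile(p) for p in patterns]
    return sorted(n for n in names if any(c.search(n) for c in compiled))


if __name__ == "__main__":
    print("intended patterns block:", blocked_files(SAMPLE_FILES))
    print("brace pattern blocks:   ", blocked_files(SAMPLE_FILES, [BROKEN_PATTERN]))
```

Note that report.PL is not blocked: the match is case-sensitive, so on a case-insensitive filesystem a request for COUNTER.PL would need a pattern that allows for it.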

Denying access by IP or domain name

Chances are, as you run your web site you will find that certain IP addresses and domains cause you no end of grief. You can block such undesirables from gaining access to your web server (or to specific directories of it) by using the Deny from directive with an IP address or host name. This directive can be used in any directory declaration.

For example, suppose we had a web-based order-tracking system for our customers in /var/www/orders, and we wanted to prevent our rival company's mrbig.bigwig.com system, the cracker domain .cracker.net, and a specific IP address (216.247.56.62) from accessing it. We would add the following to its declaration:

 Order allow,deny
 Deny from .cracker.net
 Deny from mrbig.bigwig.com
 Deny from 216.247.56.62
 Allow from all

Allowing only specific access

Conversely, you can prevent all access to a site except from a specific domain, IP address, etc. by using the allow from directive.

For example, suppose we had a web-based financial-records system for our business office to use. The business office machines all have IP addresses in 192.168.188.*, and we want no one else to access it. We would use:

 Order deny,allow
 Allow from 192.168.188
 Deny from all
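The two declarations above (the order-tracking deny list and the finance allow list) differ only in their Order, and the page does not spell out how Apache combines Allow and Deny under each ordering. The added example below, which is not code from the course notes, is a small evaluator for that logic: under allow,deny a client must match an Allow and no Deny; under deny,allow (Apache's default) a client is denied only if it matches a Deny and no Allow. The rule text is the notes' own; the client addresses and host names are constructed, and host-name rules assume the reverse lookup Apache performs has already produced `client_host`.

```python
# Added example (not from the course notes): evaluate Order/Allow/Deny rules
# against sample clients.  ORDERS_RULES and FINANCE_RULES are the declarations
# from the notes; the client IPs/host names used below are constructed.
import ipaddress

ORDERS_RULES = """\
Order allow,deny
Deny from .cracker.net
Deny from mrbig.bigwig.com
Deny from 216.247.56.62
Allow from all
"""

FINANCE_RULES = """\
Order deny,allow
Allow from 192.168.188
Deny from all
"""


def parse_rules(text):
    """Return (directive, argument) pairs in file order, e.g. ('deny', '.cracker.net').
    A space after the comma in Order is tolerated here, although Apache itself
    takes the ordering as a single argument."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "order":
            rules.append(("order", "".join(parts[1:]).lower()))
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            rules.extend((directive, arg) for arg in parts[2:])
    return rules


def host_matches(pattern, client_ip, client_host):
    """Does one Allow/Deny argument match the client?  Handles 'all', a full or
    partial (leading octets) IPv4 address, a CIDR block, a domain suffix written
    with a leading dot, and a host name, which also covers its subdomains."""
    p = pattern.lower()
    if p == "all":
        return True
    if p.replace(".", "").isdigit():
        return client_ip == p or client_ip.startswith(p.rstrip(".") + ".")
    if "/" in p:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(p, strict=False)
    if client_host is None:          # no reverse lookup result: a name rule cannot match
        return False
    h = client_host.lower()
    if p.startswith("."):
        return h.endswith(p)
    return h == p or h.endswith("." + p)


def evaluate(rules, client_ip, client_host=None):
    """True if the client is allowed.  allow,deny: must match an Allow and no Deny.
    deny,allow (Apache's default): denied only if it matches a Deny and no Allow."""
    order = "deny,allow"
    allows, denies = [], []
    for directive, arg in rules:
        if directive == "order":
            order = arg
        elif directive == "allow":
            allows.append(arg)
        else:
            denies.append(arg)
    allowed = any(host_matches(a, client_ip, client_host) for a in allows)
    denied = any(host_matches(d, client_ip, client_host) for d in denies)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unsupported Order: %s" % order)


if __name__ == "__main__":
    orders, finance = parse_rules(ORDERS_RULES), parse_rules(FINANCE_RULES)
    print("orders, customer: ", evaluate(orders, "203.0.113.9", "shop.customer.example"))
    print("orders, rival:    ", evaluate(orders, "203.0.113.10", "mrbig.bigwig.com"))
    print("finance, office:  ", evaluate(finance, "192.168.188.40"))
    print("finance, outsider:", evaluate(finance, "192.168.189.40"))
```

The evaluator also shows why the conf_data declaration earlier on this page (Order deny,allow with only Deny from all) refuses everyone: there is no Allow to rescue a denied client.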



Last edited June 13, 2003 9:33 pm
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.