ea49840bfe8467a7d7bd4db27b1d4880a85511aberikabele<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele This file is generated from xml source: DO NOT EDIT
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
96ad5d81ee4a2cc66a4ae19893efc8aa6d06fae7jailletc<title>Security Tips - Apache HTTP Server Version 2.5</title>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
5a58787efeb02a1c3f06569d019ad81fd2efa06end<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
2e545ce2450a9953665f701bb05350f0d3f26275nd<script src="/style/scripts/prettify.min.js" type="text/javascript">
5a58787efeb02a1c3f06569d019ad81fd2efa06end<link href="/images/favicon.ico" rel="shortcut icon" /></head>
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div>
3f08db06526d6901aa08c110b5bc7dde6bc39905nd<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>Security Tips</h1>
a78048ccbdb6256da15e6b0e7e95355e480c2301nd<p><span>Available Languages: </span><a href="/en/misc/security_tips.html" title="English"> en </a> |
5e740829c3448285963d3882530669f0112cf690gryzor<a href="/fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a> |
aee1f193a276866212922ae5072e3014db28582frpluem<a href="/ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung<a href="/tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="T�rk�e"> tr </a></p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Some hints and tips on security issues in setting up a web server.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele Some of the suggestions will be general, others specific to Apache.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#uptodate">Keep up to Date</a></li>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive<li><img alt="" src="/images/down.gif" /> <a href="#dos">Denial of Service (DoS) attacks</a></li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#ssi">Server Side Includes</a></li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#cgi">CGI in General</a></li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li>
df321386f1d9ed17a3e5e6468807996a12890d50gryzor<li><img alt="" src="/images/down.gif" /> <a href="#dynamicsec">Dynamic content security</a></li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<li><img alt="" src="/images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li>
bd43fc31993cfc191e744a9490481f4294894099covener<li><img alt="" src="/images/down.gif" /> <a href="#merging">Merging of configuration sections</a></li>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="uptodate" id="uptodate">Keep up to Date</a></h2>
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive <p>The Apache HTTP Server has a good record for security and a
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive developer community highly concerned about security issues. But
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive it is inevitable that some problems -- small or large -- will be
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive discovered in software after it is released. For this reason, it
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive is crucial to keep aware of updates to the software. If you have
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive obtained your version of the HTTP Server directly from Apache, we
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive highly recommend you subscribe to the <a href="http://httpd.apache.org/lists.html#http-announce">Apache
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive HTTP Server Announcements List</a> where you can keep informed of
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive new releases and security updates. Similar services are available
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive from most third-party distributors of Apache software.</p>
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive <p>Of course, most times that a web server is compromised, it is
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive not because of problems in the HTTP Server code. Rather, it comes
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive from problems in add-on code, CGI scripts, or the underlying
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive Operating System. You must therefore stay aware of problems and
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive updates with all the software on your system.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive<h2><a name="dos" id="dos">Denial of Service (DoS) attacks</a></h2>
06d77ae37da42a6f8bbea25b7d7f8b6629245629slive <p>All network servers can be subject to denial of service attacks
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive that attempt to prevent responses to clients by tying up the
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive resources of the server. It is not possible to prevent such
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive attacks entirely, but you can do certain things to mitigate the
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive problems that they create.</p>
c6f41bc69d643835804e7e831776d3d46c6f5962slive <p>Often the most effective anti-DoS tool will be a firewall or
c6f41bc69d643835804e7e831776d3d46c6f5962slive other operating-system configurations. For example, most
c6f41bc69d643835804e7e831776d3d46c6f5962slive firewalls can be configured to restrict the number of simultaneous
c6f41bc69d643835804e7e831776d3d46c6f5962slive connections from any individual IP address or network, thus
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem preventing a range of simple attacks. Of course this is no help
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem against Distributed Denial of Service attacks (DDoS).</p>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <p>There are also certain Apache HTTP Server configuration
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive settings that can help mitigate problems:</p>
263168fdb45221efa79580de89bdde883b7561f7sf <li>The <code class="directive"><a href="/mod/mod_reqtimeout.html#requestreadtimeout">RequestReadTimeout</a></code>
263168fdb45221efa79580de89bdde883b7561f7sf directive allows to limit the time a client may take to send the
263168fdb45221efa79580de89bdde883b7561f7sf request.</li>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <li>The <code class="directive"><a href="/mod/core.html#timeout">TimeOut</a></code> directive
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive should be lowered on sites that are subject to DoS attacks.
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem Setting this to as low as a few seconds may be appropriate.
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem As <code class="directive"><a href="/mod/core.html#timeout">TimeOut</a></code> is currently
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem used for several different operations, setting it to a low value
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem introduces problems with long running CGI scripts.</li>
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem <li>The <code class="directive"><a href="/mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code>
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem directive may be also lowered on sites that are subject to DoS
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem attacks. Some sites even turn off the keepalives completely via
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem <code class="directive"><a href="/mod/core.html#keepalive">KeepAlive</a></code>, which has of course
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem other drawbacks on performance.</li>
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem <li>The values of various timeout-related directives provided by
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem other modules should be checked.</li>
aee1f193a276866212922ae5072e3014db28582frpluem <li>The directives
c6f41bc69d643835804e7e831776d3d46c6f5962slive <code class="directive"><a href="/mod/core.html#limitrequestbody">LimitRequestBody</a></code>,
c6f41bc69d643835804e7e831776d3d46c6f5962slive <code class="directive"><a href="/mod/core.html#limitrequestfields">LimitRequestFields</a></code>,
06d77ae37da42a6f8bbea25b7d7f8b6629245629slive <code class="directive"><a href="/mod/core.html#limitrequestfieldsize">LimitRequestFieldSize</a></code>,
c6f41bc69d643835804e7e831776d3d46c6f5962slive <code class="directive"><a href="/mod/core.html#limitrequestline">LimitRequestLine</a></code>, and
c6f41bc69d643835804e7e831776d3d46c6f5962slive <code class="directive"><a href="/mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code>
c6f41bc69d643835804e7e831776d3d46c6f5962slive should be carefully configured to limit resource consumption
c6f41bc69d643835804e7e831776d3d46c6f5962slive triggered by client input.</li>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <li>On operating systems that support it, make sure that you use
c6f41bc69d643835804e7e831776d3d46c6f5962slive the <code class="directive"><a href="/mod/core.html#acceptfilter">AcceptFilter</a></code> directive
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive to offload part of the request processing to the operating
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive system. This is active by default in Apache httpd, but may
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive require reconfiguration of your kernel.</li>
ffb01336be79c64046b636e59fa8ddca8ec029edsf <li>Tune the <code class="directive"><a href="/mod/mpm_common.html#maxrequestworkers">MaxRequestWorkers</a></code> directive to allow
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive the server to handle the maximum number of simultaneous
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive connections without running out of resources. See also the <a href="perf-tuning.html">performance tuning
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <li>The use of a threaded <a href="/mpm.html">mpm</a> may
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive allow you to handle more simultaneous connections, thereby
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar mitigating DoS attacks. Further, the
bf380c59be3f235bde21f1c00098e09e3cf7e7aerpluem <code class="module"><a href="/mod/event.html">event</a></code> mpm
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive uses asynchronous processing to avoid devoting a thread to each
4ee3ac9c23e31f43d39414f4072f1b1456e43ff8igalic connection. Due to the nature of the OpenSSL library the
aee1f193a276866212922ae5072e3014db28582frpluem <code class="module"><a href="/mod/event.html">event</a></code> mpm is currently incompatible with
fb8e9fe6c16732646511fb8050845a14e726be19jailletc <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> and other input filters. In these
4ee3ac9c23e31f43d39414f4072f1b1456e43ff8igalic cases it falls back to the behaviour of the
4ee3ac9c23e31f43d39414f4072f1b1456e43ff8igalic <code class="module"><a href="/mod/worker.html">worker</a></code> mpm.</li>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <li>There are a number of third-party modules available through
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <a href="http://modules.apache.org/">http://modules.apache.org/</a>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive that can restrict certain client behaviors and thereby mitigate
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive DoS problems.</li>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
aee1f193a276866212922ae5072e3014db28582frpluem <p>In typical operation, Apache is started by the root user, and it
650ba5bfc49e73bf370f3cff32d3cdca004a2861rbowen switches to the user defined by the <code class="directive"><a href="/mod/mod_unixd.html#user">User</a></code> directive to serve hits. As is the
aee1f193a276866212922ae5072e3014db28582frpluem case with any command that root executes, you must take care that it is
aee1f193a276866212922ae5072e3014db28582frpluem protected from modification by non-root users. Not only must the files
aee1f193a276866212922ae5072e3014db28582frpluem themselves be writeable only by root, but so must the directories, and
aee1f193a276866212922ae5072e3014db28582frpluem parents of all directories. For example, if you choose to place
aee1f193a276866212922ae5072e3014db28582frpluem ServerRoot in <code>/usr/local/apache</code> then it is suggested that
aee1f193a276866212922ae5072e3014db28582frpluem you create that directory as root, with commands like these:</p>
ea49840bfe8467a7d7bd4db27b1d4880a85511aberikabele mkdir bin conf logs <br />
ea49840bfe8467a7d7bd4db27b1d4880a85511aberikabele chown 0 . bin conf logs <br />
ea49840bfe8467a7d7bd4db27b1d4880a85511aberikabele chgrp 0 . bin conf logs <br />
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele chmod 755 . bin conf logs
aee1f193a276866212922ae5072e3014db28582frpluem <p>It is assumed that <code>/</code>, <code>/usr</code>, and
aee1f193a276866212922ae5072e3014db28582frpluem <code>/usr/local</code> are only modifiable by root. When you install the
aee1f193a276866212922ae5072e3014db28582frpluem <code class="program"><a href="/programs/httpd.html">httpd</a></code> executable, you should ensure that it is
aee1f193a276866212922ae5072e3014db28582frpluem similarly protected:</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>You can create an htdocs subdirectory which is modifiable by other
aee1f193a276866212922ae5072e3014db28582frpluem users -- since root never executes any files out of there, and shouldn't
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele be creating files in there.</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>If you allow non-root users to modify any files that root either
aee1f193a276866212922ae5072e3014db28582frpluem executes or writes on then you open your system to root compromises.
9bcfc3697a91b5215893a7d0206865b13fc72148nd For example, someone could replace the <code class="program"><a href="/programs/httpd.html">httpd</a></code> binary so
9bcfc3697a91b5215893a7d0206865b13fc72148nd that the next time you start it, it will execute some arbitrary code. If
9bcfc3697a91b5215893a7d0206865b13fc72148nd the logs directory is writeable (by a non-root user), someone could replace
aee1f193a276866212922ae5072e3014db28582frpluem a log file with a symlink to some other system file, and then root
aee1f193a276866212922ae5072e3014db28582frpluem might overwrite that file with arbitrary data. If the log files
aee1f193a276866212922ae5072e3014db28582frpluem themselves are writeable (by a non-root user), then someone may be
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele able to overwrite the log itself with bogus data.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Server Side Includes (SSI) present a server administrator with
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele several potential security risks.</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>The first risk is the increased load on the server. All
aee1f193a276866212922ae5072e3014db28582frpluem SSI-enabled files have to be parsed by Apache, whether or not
aee1f193a276866212922ae5072e3014db28582frpluem there are any SSI directives included within the files. While this
aee1f193a276866212922ae5072e3014db28582frpluem load increase is minor, in a shared server environment it can become
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele significant.</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>SSI files also pose the same risks that are associated with CGI
aee1f193a276866212922ae5072e3014db28582frpluem scripts in general. Using the <code>exec cmd</code> element, SSI-enabled
aee1f193a276866212922ae5072e3014db28582frpluem files can execute any CGI script or program under the permissions of the
aee1f193a276866212922ae5072e3014db28582frpluem user and group Apache runs as, as configured in
aee1f193a276866212922ae5072e3014db28582frpluem <p>There are ways to enhance the security of SSI files while still
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele taking advantage of the benefits they provide.</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>To isolate the damage a wayward SSI file can cause, a server
aee1f193a276866212922ae5072e3014db28582frpluem administrator can enable <a href="/suexec.html">suexec</a> as
10a304fc5348d394375b98ae10ca9b137fd10cafkess described in the <a href="#cgi">CGI in General</a> section.</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Enabling SSI for files with <code>.html</code> or <code>.htm</code>
aee1f193a276866212922ae5072e3014db28582frpluem extensions can be dangerous. This is especially true in a shared, or high
aee1f193a276866212922ae5072e3014db28582frpluem traffic, server environment. SSI-enabled files should have a separate
aee1f193a276866212922ae5072e3014db28582frpluem extension, such as the conventional <code>.shtml</code>. This helps keep
aee1f193a276866212922ae5072e3014db28582frpluem server load at a minimum and allows for easier management of risk.</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Another solution is to disable the ability to run scripts and
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele programs from SSI pages. To do this replace <code>Includes</code>
aee1f193a276866212922ae5072e3014db28582frpluem with <code>IncludesNOEXEC</code> in the <code class="directive"><a href="/mod/core.html#options">Options</a></code> directive. Note that users may
aee1f193a276866212922ae5072e3014db28582frpluem still use <code><--#include virtual="..." --></code> to execute CGI
aee1f193a276866212922ae5072e3014db28582frpluem scripts if these scripts are in directories designated by a <code class="directive"><a href="/mod/mod_alias.html#scriptalias">ScriptAlias</a></code> directive.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
aee1f193a276866212922ae5072e3014db28582frpluem <p>First of all, you always have to remember that you must trust the
aee1f193a276866212922ae5072e3014db28582frpluem writers of the CGI scripts/programs or your ability to spot potential
aee1f193a276866212922ae5072e3014db28582frpluem security holes in CGI, whether they were deliberate or accidental. CGI
aee1f193a276866212922ae5072e3014db28582frpluem scripts can run essentially arbitrary commands on your system with the
aee1f193a276866212922ae5072e3014db28582frpluem permissions of the web server user and can therefore be extremely
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele dangerous if they are not carefully checked.</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>All the CGI scripts will run as the same user, so they have potential
aee1f193a276866212922ae5072e3014db28582frpluem to conflict (accidentally or deliberately) with other scripts e.g. User
aee1f193a276866212922ae5072e3014db28582frpluem A hates User B, so he writes a script to trash User B's CGI database. One
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele program which can be used to allow scripts to run as different users is
aee1f193a276866212922ae5072e3014db28582frpluem <a href="/suexec.html">suEXEC</a> which is included with Apache as of
aee1f193a276866212922ae5072e3014db28582frpluem 1.2 and is called from special hooks in the Apache server code. Another
aee1f193a276866212922ae5072e3014db28582frpluem popular way of doing this is with
8ba6e8ba8d8ad4d8228872d5526fa7295ff43149poirier <a href="http://cgiwrap.sourceforge.net/">CGIWrap</a>.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="nsaliasedcgi" id="nsaliasedcgi">Non Script Aliased CGI</a></h2>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Allowing users to execute CGI scripts in any directory should only be
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive considered if:</p>
aee1f193a276866212922ae5072e3014db28582frpluem <li>You trust your users not to write scripts which will deliberately
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele or accidentally expose your system to an attack.</li>
aee1f193a276866212922ae5072e3014db28582frpluem <li>You consider security at your site to be so feeble in other areas,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele as to make one more potential hole irrelevant.</li>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele <li>You have no users, and nobody ever visits your server.</li>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="saliasedcgi" id="saliasedcgi">Script Aliased CGI</a></h2>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Limiting CGI to special directories gives the admin control over what
aee1f193a276866212922ae5072e3014db28582frpluem goes into those directories. This is inevitably more secure than non
aee1f193a276866212922ae5072e3014db28582frpluem script aliased CGI, but only if users with write access to the
aee1f193a276866212922ae5072e3014db28582frpluem directories are trusted or the admin is willing to test each
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele new CGI script/program for potential security holes.</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Most sites choose this option over the non script aliased CGI
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele approach.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="dynamic" id="dynamic">Other sources of dynamic content</a></h2>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Embedded scripting options which run as part of the server itself,
aee1f193a276866212922ae5072e3014db28582frpluem such as <code>mod_php</code>, <code>mod_perl</code>, <code>mod_tcl</code>,
aee1f193a276866212922ae5072e3014db28582frpluem and <code>mod_python</code>, run under the identity of the server itself
650ba5bfc49e73bf370f3cff32d3cdca004a2861rbowen (see the <code class="directive"><a href="/mod/mod_unixd.html#user">User</a></code> directive), and
aee1f193a276866212922ae5072e3014db28582frpluem therefore scripts executed by these engines potentially can access anything
aee1f193a276866212922ae5072e3014db28582frpluem the server user can. Some scripting engines may provide restrictions, but
a3388213b2b4d46b356be205e38204e67b4304d8rbowen it is better to be safe and assume not.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
df321386f1d9ed17a3e5e6468807996a12890d50gryzor<h2><a name="dynamicsec" id="dynamicsec">Dynamic content security</a></h2>
df321386f1d9ed17a3e5e6468807996a12890d50gryzor <p>When setting up dynamic content, such as <code>mod_php</code>,
df321386f1d9ed17a3e5e6468807996a12890d50gryzor <code>mod_perl</code> or <code>mod_python</code>, many security considerations
df321386f1d9ed17a3e5e6468807996a12890d50gryzor get out of the scope of <code>httpd</code> itself, and you need to consult
df321386f1d9ed17a3e5e6468807996a12890d50gryzor documentation from those modules. For example, PHP lets you setup <a href="http://www.php.net/manual/en/ini.sect.safe-mode.php">Safe Mode</a>,
df321386f1d9ed17a3e5e6468807996a12890d50gryzor which is most usually disabled by default. Another example is <a href="http://www.hardened-php.net/suhosin/">Suhosin</a>, a PHP addon for more
df321386f1d9ed17a3e5e6468807996a12890d50gryzor security. For more information about those, consult each project
df321386f1d9ed17a3e5e6468807996a12890d50gryzor documentation.</p>
df321386f1d9ed17a3e5e6468807996a12890d50gryzor <p>At the Apache level, a module named <a href="http://modsecurity.org/">mod_security</a>
df321386f1d9ed17a3e5e6468807996a12890d50gryzor can be seen as a HTTP firewall and, provided you configure it finely enough,
df321386f1d9ed17a3e5e6468807996a12890d50gryzor can help you enhance your dynamic content security.</p>
df321386f1d9ed17a3e5e6468807996a12890d50gryzor </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="systemsettings" id="systemsettings">Protecting System Settings</a></h2>
aee1f193a276866212922ae5072e3014db28582frpluem <p>To run a really tight ship, you'll want to stop users from setting
aee1f193a276866212922ae5072e3014db28582frpluem up <code>.htaccess</code> files which can override security features
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele you've configured. Here's one way to do it.</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar <pre class="prettyprint lang-config"><Directory "/">
c3c006c28c5b03892ccaef6e4d2cbb15a13a2072rbowen AllowOverride None
4aa603e6448b99f9371397d439795c91a93637eand</Directory></pre>
aee1f193a276866212922ae5072e3014db28582frpluem <p>This prevents the use of <code>.htaccess</code> files in all
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele directories apart from those specifically enabled.</p>
fb8e9fe6c16732646511fb8050845a14e726be19jailletc <p>Note that this setting is the default since Apache 2.3.9.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="protectserverfiles" id="protectserverfiles">Protect Server Files by Default</a></h2>
aee1f193a276866212922ae5072e3014db28582frpluem <p>One aspect of Apache which is occasionally misunderstood is the
aee1f193a276866212922ae5072e3014db28582frpluem feature of default access. That is, unless you take steps to change it,
aee1f193a276866212922ae5072e3014db28582frpluem if the server can find its way to a file through normal URL mapping
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele rules, it can serve it to clients.</p>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele <p>For instance, consider the following example:</p>
ea49840bfe8467a7d7bd4db27b1d4880a85511aberikabele # cd /; ln -s / public_html <br />
aee1f193a276866212922ae5072e3014db28582frpluem <p>This would allow clients to walk through the entire filesystem. To
aee1f193a276866212922ae5072e3014db28582frpluem work around this, add the following block to your server's
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele configuration:</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar <pre class="prettyprint lang-config"><Directory "/">
8d0e4e42e6712806f61f5c099a498b2e5e09d7d7humbedooh Require all denied
4aa603e6448b99f9371397d439795c91a93637eand</Directory></pre>
aee1f193a276866212922ae5072e3014db28582frpluem <p>This will forbid default access to filesystem locations. Add
aee1f193a276866212922ae5072e3014db28582frpluem appropriate <code class="directive"><a href="/mod/core.html#directory">Directory</a></code> blocks to
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele allow access only in those areas you wish. For example,</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar <pre class="prettyprint lang-config"><Directory "/usr/users/*/public_html">
8d0e4e42e6712806f61f5c099a498b2e5e09d7d7humbedooh Require all granted
c3c006c28c5b03892ccaef6e4d2cbb15a13a2072rbowen</Directory>
8d0e4e42e6712806f61f5c099a498b2e5e09d7d7humbedooh Require all granted
4aa603e6448b99f9371397d439795c91a93637eand</Directory></pre>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Pay particular attention to the interactions of <code class="directive"><a href="/mod/core.html#location">Location</a></code> and <code class="directive"><a href="/mod/core.html#directory">Directory</a></code> directives; for instance, even
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar if <code><Directory "/"></code> denies access, a <code>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar <Location "/"></code> directive might overturn it.</p>
aee1f193a276866212922ae5072e3014db28582frpluem <p>Also be wary of playing games with the <code class="directive"><a href="/mod/mod_userdir.html#userdir">UserDir</a></code> directive; setting it to
aee1f193a276866212922ae5072e3014db28582frpluem something like <code>./</code> would have the same effect, for root, as
13dd6a45ad3051c84a03bfbc88f0e314a5322ed6rbowen the first example above. We strongly
aee1f193a276866212922ae5072e3014db28582frpluem recommend that you include the following line in your server
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele configuration files:</p>
b3c1e4e5b0fc67887a85bc388c16949a21e66f51humbedooh <pre class="prettyprint lang-config">UserDir disabled root</pre>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5a58787efeb02a1c3f06569d019ad81fd2efa06end<h2><a name="watchyourlogs" id="watchyourlogs">Watching Your Logs</a></h2>
aee1f193a276866212922ae5072e3014db28582frpluem <p>To keep up-to-date with what is actually going on against your server
aee1f193a276866212922ae5072e3014db28582frpluem you have to check the <a href="/logs.html">Log Files</a>. Even though
aee1f193a276866212922ae5072e3014db28582frpluem the log files only reports what has already happened, they will give you
aee1f193a276866212922ae5072e3014db28582frpluem some understanding of what attacks is thrown against the server and
22cebd88e14c30aedd5dd95323ba66e4887dc94bkess allow you to check if the necessary level of security is present.</p>
ea49840bfe8467a7d7bd4db27b1d4880a85511aberikabele grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele grep "client denied" error_log | tail -n 10
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele <p>The first example will list the number of attacks trying to exploit the
aee1f193a276866212922ae5072e3014db28582frpluem <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat
aee1f193a276866212922ae5072e3014db28582frpluem Source.JSP Malformed Request Information Disclosure Vulnerability</a>,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele the second example will list the ten last denied clients, for example:</p>
aee1f193a276866212922ae5072e3014db28582frpluem [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele by server configuration: /usr/local/apache/htdocs/.htpasswd
aee1f193a276866212922ae5072e3014db28582frpluem <p>As you can see, the log files only report what already has happened, so
aee1f193a276866212922ae5072e3014db28582frpluem if the client had been able to access the <code>.htpasswd</code> file you
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele would have seen something similar to:</p>
82178a3043043b8813c0d7288a06ca1b7d110d4atakashi foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
aee1f193a276866212922ae5072e3014db28582frpluem <p>in your <a href="/logs.html#accesslog">Access Log</a>. This means
aee1f193a276866212922ae5072e3014db28582frpluem you probably commented out the following in your server configuration
4aa603e6448b99f9371397d439795c91a93637eand <pre class="prettyprint lang-config"><Files ".ht*">
8d0e4e42e6712806f61f5c099a498b2e5e09d7d7humbedooh Require all denied
4aa603e6448b99f9371397d439795c91a93637eand</Files></pre>
bd43fc31993cfc191e744a9490481f4294894099covener </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
bd43fc31993cfc191e744a9490481f4294894099covener<h2><a name="merging" id="merging">Merging of configuration sections</a></h2>
bd43fc31993cfc191e744a9490481f4294894099covener <p> The merging of configuration sections is complicated and sometimes
bd43fc31993cfc191e744a9490481f4294894099covener directive specific. Always test your changes when creating dependencies
bd43fc31993cfc191e744a9490481f4294894099covener on how directives are merged.</p>
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar <p> For modules that don't implement any merging logic, such as
bd43fc31993cfc191e744a9490481f4294894099covener <code class="directive">mod_access_compat</code>, the behavior in later sections
bd43fc31993cfc191e744a9490481f4294894099covener depends on whether the later section has any directives
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar from the module. The configuration is inherited until a change is made,
5effc8b39fae5cd169d17f342bfc265705840014rbowen at which point the configuration is <em>replaced</em> and not merged.</p>
a78048ccbdb6256da15e6b0e7e95355e480c2301nd<p><span>Available Languages: </span><a href="/en/misc/security_tips.html" title="English"> en </a> |
5e740829c3448285963d3882530669f0112cf690gryzor<a href="/fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a> |
aee1f193a276866212922ae5072e3014db28582frpluem<a href="/ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung<a href="/tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="T�rk�e"> tr </a></p>
727872d18412fc021f03969b8641810d8896820bhumbedooh</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
727872d18412fc021f03969b8641810d8896820bhumbedoohvar comments_shortname = 'httpd';
cc7e1025de9ac63bd4db6fe7f71c158b2cf09fe4humbedoohvar comments_identifier = 'http://httpd.apache.org/docs/trunk/misc/security_tips.html';
0d0ba3a410038e179b695446bb149cce6264e0abnd(function(w, d) {
cc7e1025de9ac63bd4db6fe7f71c158b2cf09fe4humbedooh if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
727872d18412fc021f03969b8641810d8896820bhumbedooh d.write('<div id="comments_thread"><\/div>');
0d0ba3a410038e179b695446bb149cce6264e0abnd var s = d.createElement('script');
ac082aefa89416cbdc9a1836eaf3bed9698201c8humbedooh s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
0d0ba3a410038e179b695446bb149cce6264e0abnd (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
727872d18412fc021f03969b8641810d8896820bhumbedooh d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
0d0ba3a410038e179b695446bb149cce6264e0abnd})(window, document);
205f749042ed530040a4f0080dbcb47ceae8a374rjung<p class="apache">Copyright 2015 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
0d0ba3a410038e179b695446bb149cce6264e0abndif (typeof(prettyPrint) !== 'undefined') {
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd prettyPrint();