3387N/A<!
DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
3387N/A<
TITLE>Apache HTTP Server Documentation</
TITLE>
3387N/A<
H1>Security tips for server configuration</
H1>
3387N/A<
P>Some hints and tips on security issues in setting up a web server. Some of
3387N/Athe suggestions will be general, other, specific to Apache
3387N/A<
H2>Permissions on Log File Directories</
H2>
3387N/A<
P>When Apache starts, it opens the log files as the user who started the
3387N/Aserver before switching to the user defined in the
3387N/Ahas write permission for the directory where any log files are
3387N/Abeing written to can append pseudo-arbitrary data to any file on the
3387N/Asystem which is writable to the user who starts Apache. Since the
3387N/Aserver is normally started by root, you should <
EM>NOT</
EM> give anyone
3387N/Awrite permission to the directory where logs are stored unless you
3387N/Awant them to have root access.
3387N/A<
H2>Server Side Includes</
H2>
3387N/A<
P>Server side includes (SSI) can be configured so that users can execute
3387N/Aarbitrary programs on the server. That thought alone should send a shiver
3387N/Adown the spine of any sys-admin.<
p>
3387N/AOne solution is to disable that part of SSI. To do that you use the
3387N/A<
H2>Non Script Aliased CGI</
H2>
3387N/A<
P>Allowing users to execute <
B>CGI</
B> scripts in any directory should only
3387N/A <
LI>You trust your users not to write scripts which will deliberately or
3387N/Aaccidentally expose your system to an attack.
3387N/A <
LI>You consider security at your site to be so feeble in other areas, as to
3387N/Amake one more potential hole irrelevant.
3387N/A <
LI>You have no users, and nobody ever visits your server.
3387N/A<
H2>Script Alias'ed CGI</
H2>
3387N/A<
P>Limiting <
B>CGI</
B> to special directories gives the admin control over
3387N/Awhat goes into those directories. This is inevitably more secure than
3387N/Anon script aliased CGI, but <
strong>only if users with write access to the
3387N/Adirectories are trusted</
strong> or the admin is willing to test each new CGI
3387N/AMost sites choose this option over the non script aliased CGI approach.<
p>
3387N/Aor your ability to spot potential security holes in CGI, whether they were
3387N/Adeliberate or accidental.<
p>
3387N/AAll the CGI scripts will run as the same user, so they have potential to
3387N/Aconflict (accidentally or deliberately) with other scripts
e.g. 3387N/AUser A hates User B, so he writes a script to trash User B's CGI
3387N/Adatabase. One program which can be used to allow scripts to run
3387N/Aincluded with Apache as of 1.2 and is called from special hooks in
3387N/Athe Apache server code. Another popular way of doing this is with
3387N/A<
H2>Stopping users overriding system wide settings...</
H2>
3387N/A<
P>To run a really tight ship, you'll want to stop users from setting
3387N/Aup <
CODE>.htaccess</
CODE> files which can override security features
3387N/Ayou've configured. Here's one way to do it...<
p>
3387N/AIn the server configuration file, put
3387N/A<Limit GET PUT POST> <
br>
3387N/AThen setup for specific directories<
P>
3387N/AThis stops all overrides, Includes and accesses in all directories apart
3387N/A<
P>Please send any other useful security tips to
3387N/A<
A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</
A>