Date: 2 Jan 2003 14:04:40 -0500
From: "Karl Vogel" <vogelke@dnaco.net>
To: didier.wiroth@mcesr.etat.lu
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: securing apache2 on freebsd
Message-ID: <20030102190440.17078.qmail@kev.wpafb.af.mil>
In-Reply-To: <000001c2b23e$9edf0e50$952b6e94@lucifer>
>> On Thu, 2 Jan 2003 10:09:13 +0100,
>> "Didier Wiroth" <didier.wiroth@mcesr.etat.lu> said:

D> How secure is the default installation of apache? Can you tighten it up
D> if you only use static html content, no cgi, no php etc.?

   If you're looking for security first, go with a smaller and simpler
   webserver like wn. See http://www.wnserver.org/ for more info.
   Here's a short blurb from the overview:

   http://www.wnserver.org/docs/overview.html

   ...
   The primary design goals for WN are security, robustness, and
   flexibility, in that order. One of its objectives is to provide
   functionality usually available only with complex CGI programs without
   the necessity of writing or using these programs. (Of course CGI/1.1 is
   fully supported for those who want it). Despite this extensive
   functionality the WN executable is substantially smaller than the CERN
   httpd, NCSA httpd or Apache servers.

   WN was planned with a focus on serving HTML documents. This means such
   things as enabling full text searching of a single logical HTML document
   which may consist of many files on the server, or allowing users to
   search all titles on the server and obtain a menu of matching items, or
   allowing users to download a total logical document for printing which,
   in fact, consists of many linked files on the server. All of these are
   done in a way which is transparent to the user.

   When WN receives a request, say for /dir/foo.html, it looks in the file
   /dir/index.cache which contains lines like:

       file=foo.html&content=text/html&title=whatever...

   If the server finds a line starting with "file=foo.html" then the file
   will be served. If such a line does not exist the file will not be
   served (unless special permission to serve all files in the directory
   has been granted). This is the basis of WN security. Unlike other
   servers, the default action for WN is to deny access to a file.

   A file can only be served if explicit permission to do so has been
   granted by entering it in the index.cache database or if explicit
   permission to serve all files in /dir has been given in the index.cache
   file in /dir. This database also provides other security functions. For
   example, restricting the execution of CGI/1.1 programs can be done on
   the basis of the ownership (or group ownership) of their index.cache
   files. There is no need to limit execution to programs located in
   particular designated directories. The location of a file in the data
   hierarchy should be orthogonal to security restrictions on it and this
   is the case with the WN server.
   ...

-- 
Karl Vogel, ASC/YCOA              I don't speak for the USAF or my company
vogelke@dnaco.net                 http://www.dnaco.net/~vogelke

If I get only one thing for Christmas, I hope it's your sister.
    --rejected Hallmark Cards
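The default-deny lookup that the quoted overview describes, modelled here as an added Python example (it is not WN's own code): a request for a file in a directory is served only if that directory's index.cache has a matching "file=" line, or if directory-wide permission was granted. The sample index contents and the `serveall=true` directive name are constructed assumptions.

```python
# Model of a WN-style index.cache lookup (constructed example, not WN source).

# Constructed sample of /dir/index.cache, in the line format quoted above.
SAMPLE_INDEX_CACHE = """\
file=foo.html&content=text/html&title=Welcome page
file=logo.png&content=image/png&title=Site logo
"""

# Assumed directive for "serve every file in this directory"; WN's real
# spelling of that permission is not given in the message.
SERVE_ALL_DIRECTIVE = ("serveall", "true")


def parse_index_cache(text):
    """Return ({filename: fields}, serve_all) from index.cache text."""
    entries = {}
    serve_all = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = {}
        for pair in line.split("&"):          # key=value pairs joined by '&'
            key, _, value = pair.partition("=")
            fields[key] = value
        if "file" in fields:
            entries[fields["file"]] = fields
        elif fields.get(SERVE_ALL_DIRECTIVE[0]) == SERVE_ALL_DIRECTIVE[1]:
            serve_all = True
    return entries, serve_all


def lookup(index_text, requested):
    """Return (allowed, content_type). Anything not listed is denied."""
    # Only a plain file name inside this directory can be matched; a name
    # with a path separator or a dot-entry never matches an index line.
    if not requested or "/" in requested or requested in (".", ".."):
        return False, None
    entries, serve_all = parse_index_cache(index_text)
    if requested in entries:
        return True, entries[requested].get("content", "application/octet-stream")
    if serve_all:
        return True, "application/octet-stream"   # no per-file type recorded
    return False, None
```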