Date:      2 Jan 2003 14:04:40 -0500
From:      "Karl Vogel" <vogelke@dnaco.net>
To:        didier.wiroth@mcesr.etat.lu
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: securing apache2 on freebsd
Message-ID:  <20030102190440.17078.qmail@kev.wpafb.af.mil>
In-Reply-To: <000001c2b23e$9edf0e50$952b6e94@lucifer>

>> On Thu, 2 Jan 2003 10:09:13 +0100, 
>> "Didier Wiroth" <didier.wiroth@mcesr.etat.lu> said:

D> How secure is the default installation of apache? Can you tighten it up
D> if you only use static html content, no cgi, no php etc..?

   If you're looking for security first, go with a smaller and simpler
   webserver like wn.  See http://www.wnserver.org/ for more info.
   Here's a short blurb from the overview:

     http://www.wnserver.org/docs/overview.html

     ...
     The primary design goals for WN are security, robustness, and
     flexibility, in that order.  One of its objectives is to provide
     functionality usually available only with complex CGI programs
     without the necessity of writing or using these programs.  (Of course
     CGI/1.1 is fully supported for those who want it).  Despite this
     extensive functionality the WN executable is substantially smaller
     than the CERN httpd, NCSA httpd or Apache servers.

     WN was planned with a focus on serving HTML documents.  This means
     such things as enabling full text searching of a single logical
     HTML document which may consist of many files on the server, or
     allowing users to search all titles on the server and obtain a menu
     of matching items, or allowing users to download a total logical
     document for printing which, in fact, consists of many linked files
     on the server.  All of these are done in a way which is transparent
     to the user.

     When WN receives a request, say for /dir/foo.html, it looks in the
     file /dir/index.cache which contains lines like:

         file=foo.html&content=text/html&title=whatever...

     If the server finds a line starting with "file=foo.html" then the
     file will be served.  If such a line does not exist the file will
     not be served (unless special permission to serve all files in the
     directory has been granted).  This is the basis of WN security.
     Unlike other servers, the default action for WN is to deny access
     to a file.  A file can only be served if explicit permission to do
     so has been granted by entering it in the index.cache database or
     if explicit permission to serve all files in /dir has been given in
     the index.cache file in /dir.

     This database also provides other security functions.  For example,
     restricting the execution of CGI/1.1 programs can be done on the
     basis of the ownership (or group ownership) of their index.cache
     files.  There is no need to limit execution to programs located in
     particular designated directories.  The location of a file in the
     data hierarchy should be orthogonal to security restrictions on it
     and this is the case with the WN server.

     ...
     
-- 
Karl Vogel, ASC/YCOA            I don't speak for the USAF or my company
vogelke@dnaco.net                          http://www.dnaco.net/~vogelke

If I get only one thing for Christmas, I hope it's your sister.
                                               --rejected Hallmark Cards
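
The default-deny lookup that the quoted WN overview describes (look up the requested name in the directory's index.cache, serve only on a match or on an explicit directory-wide grant) can be modelled in a few lines. The following is an added example, not WN's own code and not part of the original mail: the only format detail taken from the page is the `file=...&content=...&title=...` line shape; the `serveall=yes` directive, the `parse_index_cache` and `lookup` names, and the sample index contents are assumptions constructed for the example. The lookup also refuses anything that is not a plain file name in the directory, so the database is never consulted for traversal strings or for the index file itself.

```python
from urllib.parse import parse_qsl
from typing import Dict, Optional, Tuple

# Constructed sample index.cache for one directory.  Only the
# "file=...&content=...&title=..." shape comes from the WN overview;
# "serveall=yes" is a hypothetical directive standing in for whatever
# WN actually uses to grant "permission to serve all files in /dir".
INDEX_CACHE_STRICT = """\
file=foo.html&content=text/html&title=Front page
file=logo.png&content=image/png&title=Site logo
"""

INDEX_CACHE_OPEN = INDEX_CACHE_STRICT + "serveall=yes\n"


def parse_index_cache(text: str) -> Tuple[Dict[str, Dict[str, str]], bool]:
    """Parse one directory's index.cache.

    Returns (entries keyed by file name, directory-wide grant flag).
    Each non-empty line is a query-string style record; records that
    carry a "file=" field describe one servable file.
    """
    entries: Dict[str, Dict[str, str]] = {}
    serve_all = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = dict(parse_qsl(line, keep_blank_values=True))
        if "file" in fields:
            entries[fields["file"]] = fields
        elif fields.get("serveall") == "yes":   # hypothetical directive
            serve_all = True
    return entries, serve_all


def lookup(index_text: str, requested: str) -> Optional[Dict[str, str]]:
    """Default-deny decision for a request inside one directory.

    Returns the index record when the file may be served, otherwise None.
    """
    # The request must name a plain file in this directory.  Path
    # separators, traversal components and dotfiles are refused before
    # the database is consulted, and the database itself is never served.
    if (not requested or "/" in requested or "\\" in requested
            or requested.startswith(".") or requested == "index.cache"):
        return None

    entries, serve_all = parse_index_cache(index_text)
    entry = entries.get(requested)
    if entry is not None:
        return entry                      # explicit per-file permission
    if serve_all:
        return {"file": requested}        # directory-wide grant, no metadata
    return None                           # the default: deny


if __name__ == "__main__":
    for name in ("foo.html", "bar.html", "../foo.html", "index.cache"):
        print(name, "->", lookup(INDEX_CACHE_STRICT, name))
    print("bar.html with serveall ->", lookup(INDEX_CACHE_OPEN, "bar.html"))
```

With the strict index, only `foo.html` and `logo.png` are served; `bar.html` is refused even if it exists on disk, which is the property the overview calls "the basis of WN security". Adding the directory-wide grant flips the decision for unlisted names but still never serves traversal strings or the index file.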
