From owner-freebsd-questions Thu Jan 2 16:51:54 2003
Date: 2 Jan 2003 14:04:40 -0500
Message-ID: <20030102190440.17078.qmail@kev.wpafb.af.mil>
From: "Karl Vogel"
To: didier.wiroth@mcesr.etat.lu
Cc: freebsd-questions@FreeBSD.ORG
In-reply-to: <000001c2b23e$9edf0e50$952b6e94@lucifer>
Subject: Re: securing apache2 on freebsd
Organization: Sumaria Systems Inc.
X-Disclaimer: I don't speak for the USAF or Sumaria.
X-PGP-ID: 1024/D558F237 1999/04/06 Karl Vogel
X-PGP-Fingerprint: 8DF5 1D90 18EC A9EF 9EA6 4611 35F4 BC78 D558 F237
Sender: owner-freebsd-questions@FreeBSD.ORG

>> On Thu, 2 Jan 2003 10:09:13 +0100,
>> "Didier Wiroth" said:

D> How secure is the default installation of apache? Can you tighten it up
D> if you only use static html content, no cgi, no php etc..?
If you're looking for security first, go with a smaller and simpler
webserver like wn. See http://www.wnserver.org/ for more info.
Here's a short blurb from the overview:

    http://www.wnserver.org/docs/overview.html

    ...
    The primary design goals for WN are security, robustness, and
    flexibility, in that order. One of its objectives is to provide
    functionality usually available only with complex CGI programs
    without the necessity of writing or using these programs. (Of
    course CGI/1.1 is fully supported for those who want it). Despite
    this extensive functionality the WN executable is substantially
    smaller than the CERN httpd, NCSA httpd or Apache servers.

    WN was planned with a focus on serving HTML documents. This means
    such things as enabling full text searching of a single logical
    HTML document which may consist of many files on the server, or
    allowing users to search all titles on the server and obtain a
    menu of matching items, or allowing users to download a total
    logical document for printing which, in fact, consists of many
    linked files on the server. All of these are done in a way which
    is transparent to the user.

    When WN receives a request, say for /dir/foo.html, it looks in
    the file /dir/index.cache which contains lines like:

        file=foo.html&content=text/html&title=whatever...

    If the server finds a line starting with "file=foo.html" then the
    file will be served. If such a line does not exist the file will
    not be served (unless special permission to serve all files in
    the directory has been granted). This is the basis of WN
    security. Unlike other servers, the default action for WN is to
    deny access to a file. A file can only be served if explicit
    permission to do so has been granted by entering it in the
    index.cache database or if explicit permission to serve all files
    in /dir has been given in the index.cache file in /dir. This
    database also provides other security functions.
    For example, restricting the execution of CGI/1.1 programs can be
    done on the basis of the ownership (or group ownership) of their
    index.cache files. There is no need to limit execution to programs
    located in particular designated directories. The location of a
    file in the data hierarchy should be orthogonal to security
    restrictions on it and this is the case with the WN server.
    ...

-- 
Karl Vogel, ASC/YCOA            I don't speak for the USAF or my company
vogelke@dnaco.net               http://www.dnaco.net/~vogelke

If I get only one thing for Christmas, I hope it's your sister.
                                --rejected Hallmark Cards
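An added example (not WN's code, nor part of the message above) that models the default-deny lookup the quoted overview describes: a request is served only when index.cache carries a matching "file=" record or a directory-wide grant. The record syntax follows the one line shown in the overview; the "serveall=yes" directive and the content-type handling are assumptions standing in for WN's real directory-wide permission, whose syntax the message does not show.

```python
"""Default-deny lookup modelled on the WN index.cache scheme.
Assumptions: one record per line, '&'-separated key=value pairs
(as in the overview's example line); a hypothetical 'serveall=yes'
record stands in for WN's directory-wide grant."""


def parse_index_cache(text):
    """Return (allowed, serve_all): allowed maps file name -> record
    fields; serve_all is True if the directory-wide grant is present."""
    allowed = {}
    serve_all = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = {}
        for pair in line.split("&"):
            key, sep, value = pair.partition("=")
            if sep:  # ignore malformed fragments without '='
                fields[key.strip()] = value.strip()
        if fields.get("serveall") == "yes":  # hypothetical directive
            serve_all = True
        elif "file" in fields:
            allowed[fields["file"]] = fields
    return allowed, serve_all


def lookup(index_text, requested):
    """Decide whether a bare file name inside this directory may be served.
    Returns ("serve", content_type) or ("deny", None); content_type is
    None when no content= attribute was recorded for the file."""
    # A name with a path separator or '..' is outside the scope of this
    # directory's index, so it can never match a record here: deny.
    if not requested or "/" in requested or requested in (".", ".."):
        return ("deny", None)
    allowed, serve_all = parse_index_cache(index_text)
    if requested in allowed:
        return ("serve", allowed[requested].get("content"))
    if serve_all:
        return ("serve", None)
    return ("deny", None)  # default action: deny


# Constructed sample index.cache for /dir (not from a real WN install)
SAMPLE_INDEX = """\
file=foo.html&content=text/html&title=Welcome page
file=logo.png&content=image/png&title=Site logo
"""

if __name__ == "__main__":
    for name in ("foo.html", "logo.png", "secret.txt", "../index.cache"):
        print(name, lookup(SAMPLE_INDEX, name))
```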