Apache Security - Ivan Ristic [20]

configuration and disable the listed option. The plus character is used to add an option to an existing configuration.

* * *

Warning

The Apache syntax for adding and removing options can be confusing. If all option names in a given Options statement for a particular directory are preceded with a plus or minus character, then the new configuration will be merged with the existing configuration, with the new configuration overriding the old values. In all other cases, the old values will be ignored, and only the new values will be used.

* * *

If you need symbolic links, consider using the Alias directive, which tells Apache to incorporate an external folder into the web server tree. It serves the same purpose but is more secure. For example, the default configuration uses it to allow access to the Apache manual:

Alias /manual/ /usr/local/apache/manual/

If you want to keep symbolic links, it is advisable to turn ownership verification on by setting the SymLinksIfOwnerMatch option. After this change, Apache will follow a symbolic link only if the link and the file it points to belong to the same user:

Options -FollowSymLinks +SymLinksIfOwnerMatch

Other features you do not want to allow include the ability to have scripts and server-side includes executed anywhere in the web server tree. Scripts should always be placed in special folders, where they can be monitored and controlled.

Options -Includes -ExecCGI

If you do not intend to use content negotiation (to have Apache choose a file to serve based on the client's language preference), you can (and should) turn all of these features off in one go:

Options None

* * *

Tip

Modules sometimes use the settings determined with the Options directive to allow or deny access to their features. For example, to be able to use mod_rewrite in per-directory configuration files, the FollowSymLinks option must be turned on.

* * *
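As an added example (not from the book), the Python below models the merge rule stated in the Warning above: it folds a chain of Options statements from the outermost section inward, then flags the options the text recommends turning off. The option names are Apache's own; the three-level scenario is constructed.

```python
# Added example, not from the book: a model of how Apache merges nested
# Options statements (the rule in the Warning above) plus a check for the
# options the text recommends disabling. Option names are Apache's own.
ALL_OPTIONS = frozenset({"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
                         "Indexes", "MultiViews", "SymLinksIfOwnerMatch"})
RISKY = {"FollowSymLinks", "ExecCGI", "Includes"}  # should not be tree-wide

def expand(name):
    """Map one option name to the set it stands for ("All" excludes MultiViews)."""
    if name == "All":
        return ALL_OPTIONS - {"MultiViews"}
    if name not in ALL_OPTIONS:
        raise ValueError(f"unknown option {name!r}")
    return {name}

def apply_options(inherited, statement):
    """Apply one Options statement to the set inherited from the parent.
    All names signed (+/-): merge into the inherited set; none signed: the
    list replaces it outright, silently re-enabling what a parent removed."""
    tokens = statement.split()
    if not tokens:
        raise ValueError("Options needs at least one argument")
    signed = [t[0] in "+-" for t in tokens]
    if all(signed):
        result = set(inherited)
        for tok in tokens:
            names = expand(tok[1:])
            result = result | names if tok[0] == "+" else result - names
        return result
    if any(signed):  # Apache's startup syntax check rejects a mixed list
        raise ValueError("cannot mix +/- options with absolute ones")
    if tokens == ["None"]:
        return set()
    return set().union(*(expand(name) for name in tokens))

def effective_options(statements):
    """Fold Options statements from the outermost section to the innermost."""
    options = set()
    for statement in statements:
        options = apply_options(options, statement)
    return options

def risky_options(options):
    """Options still enabled that the text recommends turning off."""
    return sorted(options & RISKY)

if __name__ == "__main__":
    # Constructed scenario: server-wide None, ownership-checked symlinks, then a plain list.
    chain = ["None", "-FollowSymLinks +SymLinksIfOwnerMatch", "Indexes FollowSymLinks"]
    for depth in range(1, len(chain) + 1):
        opts = effective_options(chain[:depth])
        print(f"{chain[depth - 1]:42} -> {sorted(opts)} risky={risky_options(opts)}")
```

The last step shows the pitfall the Warning describes: an unsigned list in a deeper section discards the parent's `-FollowSymLinks` and turns the option back on.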

AllowOverride directive

In addition to serving any file it can access by default, Apache also by default allows parts of the configuration to be placed under the web server tree, in files normally named .htaccess. Configuration information in such files can override the information in the httpd.conf configuration file. Though this can be useful, it slows down the server (because Apache is forced to check whether the file exists in every subfolder it serves) and gives anyone who controls the web server tree limited control over the web server itself. This feature is controlled with the AllowOverride directive, which, like Options, appears within the directive specifying the directory to which the options apply. The AllowOverride directive supports the following options:

AuthConfig: Allows use (in .htaccess files) of the authorization directives (explained in Chapter 7)
FileInfo: Allows use of the directives controlling document types
Indexes: Allows use of the directives controlling directory indexing
Limit: Allows use of the directives controlling host access
Options: Allows use of the directives controlling specific directory functions (the Options and XbitHack directives)
All: Allows all options listed
None: Ignores .htaccess configuration files

For our default configuration, we choose the None option. So, our directives are now:

Order Deny,Allow
Deny from all
Options None
AllowOverride None

Order Allow,Deny
Allow from all

* * *

Tip

Modules sometimes use AllowOverride settings to make other decisions as to whether something should be allowed. Therefore, a change to a setting can have unexpected consequences. As an example, including Options as one of the AllowOverride options will allow PHP configuration directives to be used in .htaccess files. In theory, every directive of every module should fit into one of the AllowOverride settings, but in practice it depends on whether their respective developers have considered it.

* * *

Enabling CGI Scripts

Only
