97 lines
6.0 KiB
HTML
97 lines
6.0 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="topic" />
|
||
|
<meta name="DC.Title" content="Security tips for HTTP Server" />
|
||
|
<meta name="abstract" content="This topic provides tips to secure your HTTP Server." />
|
||
|
<meta name="description" content="This topic provides tips to secure your HTTP Server." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzaieconcepts.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzaiesecuritytips" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Security tips for HTTP Server</title>
|
||
|
</head>
|
||
|
<body id="rzaiesecuritytips"><a name="rzaiesecuritytips"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Security tips for HTTP Server</h1>
|
||
|
<div><p>This topic provides tips to secure your HTTP Server.</p>
|
||
|
<div class="important"><span class="importanttitle">Important:</span> Information
|
||
|
for this topic supports the latest PTF levels for HTTP Server for i5/OS .
|
||
|
It is recommended that you install the latest PTFs to upgrade to the latest
|
||
|
level of the HTTP Server for i5/OS. Some of the topics documented here are
|
||
|
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
|
||
|
<p>Some hints and tips on security issues in setting up the HTTP Server. </p>
|
||
|
<ul><li><a href="#serverroot">Permissions on HTTP Server directories</a></li>
|
||
|
<li><a href="#secoverride">Stopping users from overriding system wide settings for HTTP Server (powered by Apache)</a></li>
|
||
|
<li><a href="#secdefault">Protect server files by default for HTTP Server (powered by Apache)</a></li>
|
||
|
<li><a href="#ssi">Server Side Includes for HTTP Server (powered by Apache)</a></li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaieconcepts.htm" title="This topic provides concepts of functions on HTTP Server and IBM Web Administration for i5/OS interface.">Concepts of functions of HTTP Server</a></div>
|
||
|
</div>
|
||
|
</div><div class="hr" id="serverroot"><a name="serverroot"><!-- --></a><h2 class="topictitle2">Permissions on HTTP Server directories</h2>
|
||
|
<div><p>In typical operation, the HTTP Server is started under the iSeries™ user
|
||
|
profile QTMHHTTP and requests coming into the server are run under that user
|
||
|
profile. It is possible to start the server and serve requests under different
|
||
|
profiles. Refer to the ServerUserID and <a href="rzaiemod_as_auth.htm#userid">UserID</a> directives for more information.
|
||
|
You must also ensure that all of the resources that can be accessed by a Web
|
||
|
client are properly protected. See <a href="rzaiesetauth.htm">User profiles and required authorities for HTTP Server</a> for
|
||
|
additional information. </p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="hr" id="secoverride"><a name="secoverride"><!-- --></a><h2 class="topictitle2">Stopping users from overriding system wide settings for HTTP Server
|
||
|
(powered by Apache) </h2>
|
||
|
<div><p>You will want to stop users from setting up .htaccess files which can override
|
||
|
security features. Here is one example: </p>
|
||
|
<pre class="block"><Directory />
|
||
|
AllowOverride None
|
||
|
Options None
|
||
|
</Directory></pre>
|
||
|
<p>This stops all overrides, Includes, and accesses in all directories. You
|
||
|
also need to set up directory containers to allow access for specific directories. </p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="hr" id="secdefault"><a name="secdefault"><!-- --></a><h2 class="topictitle2">Protect server files by default for HTTP Server (powered by Apache) </h2>
|
||
|
<div><p>HTTP Server (powered by Apache) has a default access feature. To prevent
|
||
|
clients from seeing the entire file system, add the following block to the
|
||
|
configuration: </p>
|
||
|
<pre class="block"><Directory />
|
||
|
Order deny,allow
|
||
|
Deny from all
|
||
|
</Directory></pre>
|
||
|
<p>This forbids default access to filesystem locations. Add appropriate <a href="rzaiemod_core.htm#directory"><Directory></a> blocks
|
||
|
to allow access. For example,</p>
|
||
|
<pre class="block"><Directory /users/public_html>
|
||
|
Order deny,allow
|
||
|
Allow from all
|
||
|
</Directory></pre>
|
||
|
<p>Pay particular attention to the interactions of <a href="rzaiemod_core.htm#location"><Location></a> and <a href="rzaiemod_core.htm#directory"><Directory></a> directives. For example,
|
||
|
even if <Directory /> denies access, a <Location /> directive might
|
||
|
override it.</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="hr" id="ssi"><a name="ssi"><!-- --></a><h2 class="topictitle2">Server Side Includes for HTTP Server (powered by Apache) </h2>
|
||
|
<div><p>Server side includes (SSI) can be configured so that users can execute
|
||
|
programs on the server. To disable that part of SSI use the IncludesNOEXEC
|
||
|
option to the Options directive. </p>
|
||
|
</div>
|
||
|
</div>
|
||
|
|
||
|
</body>
|
||
|
</html>
|