107 lines
7.0 KiB
HTML
107 lines
7.0 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
|
<!DOCTYPE html
|
||
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
|
<html lang="en-us" xml:lang="en-us">
|
||
|
|
<head>
|
||
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
|
<meta name="security" content="public" />
|
||
|
|
<meta name="Robots" content="index,follow" />
|
||
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
|
<meta name="DC.Type" content="concept" />
|
||
|
|
<meta name="DC.Title" content="Web serving security" />
|
||
|
|
<meta name="abstract" content="When you provide access for visitors to your web site, you do not want to expose your viewers to information about how the site is set up and the coding that is used to generate the page." />
|
||
|
|
<meta name="description" content="When you provide access for visitors to your web site, you do not want to expose your viewers to information about how the site is set up and the coding that is used to generate the page." />
|
||
|
|
<meta name="DC.Relation" scheme="URI" content="rzaj45zrscenario1risks.htm" />
|
||
|
|
<meta name="DC.Relation" scheme="URI" content="rzaj45bejavasecurity.htm" />
|
||
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
|
||
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
|
||
|
|
<meta name="DC.Format" content="XHTML" />
|
||
|
|
<meta name="DC.Identifier" content="rzaj45bchttpsec" />
|
||
|
|
<meta name="DC.Language" content="en-us" />
|
||
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
|
<!-- US Government Users Restricted Rights -->
|
||
|
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
|
<title>Web serving security</title>
|
||
|
|
</head>
|
||
|
|
<body id="rzaj45bchttpsec"><a name="rzaj45bchttpsec"><!-- --></a>
|
||
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
|
<h1 class="topictitle1">Web serving security</h1>
|
||
|
|
<div><p>When you provide access for visitors to your web site, you do not
|
||
|
|
want to expose your viewers to information about how the site is set up and
|
||
|
|
the coding that is used to generate the page.</p>
|
||
|
|
<p>You want their visit to your page to be easy, fast, and seamless, with
|
||
|
|
all the work being done behind the scenes. As an administrator, you want to
|
||
|
|
ensure that your security practices do not negatively affect your Web site.
|
||
|
|
When using your iSeries™ as
|
||
|
|
a web server, consider these points:</p>
|
||
|
|
<ul><li>The server administrator must define directives for the server before
|
||
|
|
a client can interact with the HTTP server. There are two methods for creating
|
||
|
|
security checks: general server directives and server protection directives.
|
||
|
|
Any request to the web server must satisfy any and all restrictions that these
|
||
|
|
directives provide before the server honors the request.</li>
|
||
|
|
<li>You can create and edit these directives by using the server admin web
|
||
|
|
pages for server configuration. Server directives allow you to control the
|
||
|
|
overall behavior of the web server. Server protection directives allow you
|
||
|
|
to specify and control the security models the server uses for specific URLs
|
||
|
|
that the web server handles.</li>
|
||
|
|
<li>You can use map or pass directives and the server admin web pages to configure
|
||
|
|
the server. <ul><li>Use map or pass directives to mask the file names on your iSeries web
|
||
|
|
server. More specifically there are PASS server directives and MAP server
|
||
|
|
directives that control the directories from which the web server serves URLs.
|
||
|
|
You can also find an EXEC server directive that controls the libraries in
|
||
|
|
which CGI-BIN programs reside. <p>You define protection directives for each
|
||
|
|
server URL. Not all URLs require a protection directive. But, if you want
|
||
|
|
to control how a URL resource is accessed or by whom, then a protection directive
|
||
|
|
for that URL is required.</p>
|
||
|
|
</li>
|
||
|
|
<li>Also, you can use the server Admin web pages to configure the server rather
|
||
|
|
than using WRKHTTPCFG (Work with HTTP Configuration command) and typing the
|
||
|
|
directives. Working with protection directives through the command line interface
|
||
|
|
can be very complicated. Therefore, it is recommended that you use the Admin
|
||
|
|
web pages to ensure that you set up your directives correctly.</li>
|
||
|
|
</ul>
|
||
|
|
<div class="p">HTTP provides you with the capability to display data, but not alter
|
||
|
|
data in a database file. However, there are some applications you will write
|
||
|
|
that will need to update a database file. To do this, you can use CGI-BIN
|
||
|
|
programs. For instance, you may want to create forms that, once users complete
|
||
|
|
them, update an iSeries database.
|
||
|
|
As security administrator, you should monitor the authorizations of that user
|
||
|
|
profile and the functions that the CGI programs perform. Also, be sure to
|
||
|
|
evaluate what sensitive objects might have inappropriate public authority.
|
||
|
|
<div class="note"><span class="notetitle">Note:</span> Common Gateway Interface (CGI) is an industry standard for the exchange
|
||
|
|
of information between a web server and computer programs that are external
|
||
|
|
to it. The programs can be written in any programming language that is supported
|
||
|
|
on the operating system where the web server is running.</div>
|
||
|
|
</div>
|
||
|
|
<p>In
|
||
|
|
addition to using CGI programs in your web pages, you may want to use Java™.
|
||
|
|
You should understand Java security before you add Java to
|
||
|
|
your web pages.</p>
|
||
|
|
<p>The HTTP server provides an access log that you can
|
||
|
|
use to monitor both accesses and attempted accesses through the server.</p>
|
||
|
|
<p>The
|
||
|
|
proxy server receives HTTP requests from web browsers and resends them to
|
||
|
|
web servers. Web servers that receive these requests are only aware of the
|
||
|
|
proxy server IP address. They cannot determine the names or addresses of the
|
||
|
|
PCs that originated the requests. The proxy server can handle URL requests
|
||
|
|
for HTTP, File Transfer Protocol (FTP), Gopher, and WAIS.</p>
|
||
|
|
<p>You
|
||
|
|
can also use the HTTP proxy support of the <a href="http://www.iseries.ibm.com/products/http/httpindex.htm" target="_blank">IBM<sup>®</sup> HTTP Server for iSeries</a> <img src="www.gif" alt="Link outside
Information Center." /> to consolidate web access. The proxy server
|
||
|
|
can also log all URL requests that are for tracking purposes. You can then
|
||
|
|
review the logs to monitor use and misuse of network resources.</p>
|
||
|
|
</li>
|
||
|
|
</ul>
|
||
|
|
</div>
|
||
|
|
<div>
|
||
|
|
<div class="familylinks">
|
||
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaj45zrscenario1risks.htm" title="Use this information to learn about common Internet security risks for a number of popular Internet applications and services and measures that you can take to manage these risks.">Application security options</a></div>
|
||
|
|
</div>
|
||
|
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
||
|
|
<div><a href="rzaj45bejavasecurity.htm" title="Java programming is becoming increasingly widespread in today's computing environments.">Java Internet security</a></div>
|
||
|
|
</div>
|
||
|
|
</div>
|
||
|
|
</body>
|
||
|
|
</html>
|