Security tips for HTTP Server

This topic provides tips to secure your HTTP Server.

Important: Information for this topic supports the latest PTF levels for HTTP Server for i5/OS. It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS. Some of the topics documented here are not available prior to this update. See http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm for more information.

Some hints and tips on security issues in setting up the HTTP Server.

Permissions on HTTP Server directories

In typical operation, the HTTP Server is started under the iSeries™ user profile QTMHHTTP, and requests coming into the server are served under that user profile. It is possible to start the server and serve requests under different profiles; refer to the ServerUserID and UserID directives for more information. Whichever profile serves requests, every object in the file system that a Web client can reach is accessed with that profile's authority, so you must ensure that those resources carry only the authority the server needs and nothing more. See User profiles and required authorities for HTTP Server for additional information.

Stopping users from overriding system wide settings for HTTP Server (powered by Apache)

You will want to stop users from placing .htaccess files in served directories, because a .htaccess file can override the security settings in the main configuration. Here is one example:

<Directory />
   AllowOverride None
   Options None
</Directory>

AllowOverride None stops .htaccess files from overriding any setting, and Options None turns off every option (Includes, Indexes, FollowSymLinks, ExecCGI, and so on) for every directory on the server. Note that this block does not by itself deny access to the file system; that is covered in the next section. You then re-enable only the options that are needed, in <Directory> containers for the specific directories that need them.

Protect server files by default for HTTP Server (powered by Apache)

By default, HTTP Server (powered by Apache) will serve any file system location that a URL can be mapped to. To prevent clients from reaching the entire file system, add the following block to the configuration:

<Directory />
   Order deny,allow
   Deny from all
</Directory>

This forbids default access to filesystem locations. Add appropriate <Directory> blocks to allow access. For example,

<Directory /users/public_html>
   Order deny,allow
   Allow from all
</Directory>

Pay particular attention to the interactions of <Location> and <Directory> directives. <Location> sections are merged after <Directory> sections, so a later <Location> wins for any URL path it matches. For example, even if <Directory /> denies access, a <Location /> directive containing Allow from all overrides it and reopens every URL path on the server.
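The following configuration, added here as an example and not taken from the original page or from the HTTP Server product, shows the two preceding sections put together: the whole file system locked down and free of .htaccess overrides, a single document root re-opened with explicit settings, and the <Location /> mistake that would undo the lock-down. The paths /www/myserver/htdocs and /status are assumptions for this example.

```apache
# Lock the whole file system down first: no .htaccess overrides,
# no Options (Includes, Indexes, FollowSymLinks, ExecCGI) and no
# access at all. Everything served must be opened up explicitly below.
<Directory />
   AllowOverride None
   Options None
   Order deny,allow
   Deny from all
</Directory>

# Re-open only the document root (assumed path for this example),
# and only with the options it actually needs. Options None here is
# deliberate; add e.g. "Options Indexes" only if directory listings
# are really wanted.
<Directory /www/myserver/htdocs>
   AllowOverride None
   Options None
   Order deny,allow
   Allow from all
</Directory>

# Weak setting, kept commented out on purpose: <Location> sections are
# merged after every <Directory> section, so this one block matches
# every URL path and silently reverses the "Deny from all" on "/".
#<Location />
#   Order allow,deny
#   Allow from all
#</Location>

# If a <Location> is needed, scope it to the URL path it serves
# (/status is an assumed example) and keep it as restrictive as the
# <Directory> sections it overrides. With "Order deny,allow" the
# later Allow wins, so only the local host is admitted here.
<Location /status>
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
</Location>
```

After changing the configuration, request a path outside the document root (for example a URL that maps to a system directory) and a path inside it: the first must return 403 Forbidden and the second must succeed. If the first request succeeds, look for a <Location> block that matches "/".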

Server Side Includes for HTTP Server (powered by Apache)

When Options Includes is enabled, a server-side include (SSI) page can execute programs on the server with the #exec cmd and #exec cgi elements, and those programs run under the server's user profile. Anyone who can write a page into such a directory can therefore run commands as that profile. To keep SSI but disable program execution, use the IncludesNOEXEC option instead of Includes in the Options directive.
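The following fragment, added here as an example and not taken from the original page or from the HTTP Server product, shows the weak setting beside the corrected one for a directory that serves .shtml pages. The directory /www/myserver/htdocs/ssi and the .shtml mapping are assumptions for this example.

```apache
# Weak setting, kept commented out on purpose: plain "Includes" lets any
# .shtml file under this directory run <!--#exec cmd="..."--> and
# <!--#exec cgi="..."--> as the server profile (QTMHHTTP by default).
#<Directory /www/myserver/htdocs/ssi>
#   Options Includes
#</Directory>

# Corrected: IncludesNOEXEC keeps #include, #echo, #config, #set and
# similar elements but refuses #exec cmd and #exec cgi.
# (/www/myserver/htdocs/ssi is an assumed path for this example.)
<Directory /www/myserver/htdocs/ssi>
   Options IncludesNOEXEC
   AllowOverride None
   Order deny,allow
   Allow from all
</Directory>

# Tell the server which files to pass through the INCLUDES filter;
# the .shtml extension is an assumption for this example. Without an
# explicit mapping, SSI pages are served as static text.
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
```

One caveat: IncludesNOEXEC blocks #exec, but an SSI page can still use #include virtual to call a CGI program that lives under a ScriptAlias directory. If SSI pages must not run any program at all, make sure no ScriptAlias is reachable from the directories where untrusted users can write.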