This topic provides tips to secure your HTTP Server.
Some hints and tips on security issues in setting up the HTTP Server.
In typical operation, the HTTP Server is started under the iSeries™ user profile QTMHHTTP and requests coming into the server are run under that user profile. It is possible to start the server and serve requests under different profiles. Refer to the ServerUserID and UserID directives for more information. You must also ensure that all of the resources that can be accessed by a Web client are properly protected. See User profiles and required authorities for HTTP Server for additional information.
You will want to stop users from setting up .htaccess files which can override security features. Here is one example:
    <Directory />
        AllowOverride None
        Options None
    </Directory>
This stops all overrides, Includes, and accesses in all directories. You then need separate <Directory> containers that allow access to the specific directories you intend to serve.
HTTP Server (powered by Apache) has a default access feature. To prevent clients from seeing the entire file system, add the following block to the configuration:
    <Directory />
        Order deny,allow
        Deny from all
    </Directory>
This forbids default access to filesystem locations. Add appropriate <Directory> blocks to allow access. For example,
    <Directory /users/public_html>
        Order deny,allow
        Allow from all
    </Directory>
Pay particular attention to the interactions of <Location> and <Directory> directives. <Location> sections are applied after <Directory> sections, so even if <Directory /> denies access, a <Location /> directive that allows access might override it.
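As an added example (not part of the original topic or of IBM's HTTP Server code), a small Python audit that parses a simplified httpd.conf and flags the weaknesses this topic describes: a missing or permissive <Directory /> block, and a <Location> block that grants "Allow from all" and so may override the <Directory /> denial. The two configuration samples embedded in it are constructed, and the parser only understands the container directives shown on this page.

```python
import re

# Matches an opening <Directory path> or <Location path> container line.
CONTAINER_RE = re.compile(r"^<(Directory|Location)\s+(\S+)>$", re.IGNORECASE)

def parse_containers(conf):
    """Return a list of (kind, path, {directive: value}) for each container."""
    containers, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONTAINER_RE.match(line)
        if m:
            current = (m.group(1).capitalize(), m.group(2), {})
            containers.append(current)
        elif line.lower() in ("</directory>", "</location>"):
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            current[2][key.lower()] = value.strip()   # e.g. "deny": "from all"
    return containers

def audit(conf):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    containers = parse_containers(conf)
    root = [c for c in containers if c[0] == "Directory" and c[1] == "/"]
    if not root:
        findings.append("no <Directory /> block: default filesystem access is not denied")
    else:
        d = root[0][2]
        if d.get("allowoverride", "").lower() != "none":
            findings.append("<Directory />: AllowOverride is not None, .htaccess can override security settings")
        if d.get("options", "").lower() != "none":
            findings.append("<Directory />: Options is not None, Includes and other options stay enabled")
        if d.get("deny", "").lower() != "from all":
            findings.append("<Directory />: missing 'Deny from all', default access is not forbidden")
    for kind, path, d in containers:
        # A <Location> that allows everyone is applied after <Directory /> and can undo its denial.
        if kind == "Location" and d.get("allow", "").lower() == "from all" and "deny" not in d:
            findings.append(f"<Location {path}>: 'Allow from all' may override the <Directory /> denial")
    return findings

# Constructed samples: a weak configuration and the hardened form from this topic.
WEAK_CONF = "<Directory />\n AllowOverride All\n Options Indexes Includes\n</Directory>\n" \
            "<Location />\n Order deny,allow\n Allow from all\n</Location>\n"
HARDENED_CONF = "<Directory />\n AllowOverride None\n Options None\n Order deny,allow\n Deny from all\n" \
                "</Directory>\n<Directory /users/public_html>\n Order deny,allow\n Allow from all\n</Directory>\n"
```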