ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaie_5.4.0.1/rzaiesecuritytips.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="topic" />
<meta name="DC.Title" content="Security tips for HTTP Server" />
<meta name="abstract" content="This topic provides tips to secure your HTTP Server." />
<meta name="description" content="This topic provides tips to secure your HTTP Server." />
<meta name="DC.Relation" scheme="URI" content="rzaieconcepts.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiesecuritytips" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security tips for HTTP Server</title>
</head>
<body id="rzaiesecuritytips"><a name="rzaiesecuritytips"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security tips for HTTP Server</h1>
<div><p>This topic provides tips to secure your HTTP Server.</p>
<div class="important"><span class="importanttitle">Important:</span> Information
for this topic supports the latest PTF levels for HTTP Server for i5/OS .
 It is recommended that you install the latest PTFs to upgrade to the latest
level of the HTTP Server for i5/OS. Some of the topics documented here are
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
<p>Some hints and tips on security issues in setting up the HTTP Server. </p>
<ul><li><a href="#serverroot">Permissions on HTTP Server directories</a></li>
<li><a href="#secoverride">Stopping users from overriding system wide settings for HTTP Server (powered by Apache)</a></li>
<li><a href="#secdefault">Protect server files by default for HTTP Server (powered by Apache)</a></li>
<li><a href="#ssi">Server Side Includes for HTTP Server (powered by Apache)</a></li>
</ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaieconcepts.htm" title="This topic provides concepts of functions on HTTP Server and IBM Web Administration for i5/OS interface.">Concepts of functions of HTTP Server</a></div>
</div>
</div><div class="hr" id="serverroot"><a name="serverroot"><!-- --></a><h2 class="topictitle2">Permissions on HTTP Server directories</h2>
<div><p>In typical operation, the HTTP Server is started under the iSeries™ user
profile QTMHHTTP and requests coming into the server are run under that user
profile. It is possible to start the server and serve requests under different
profiles. Refer to the ServerUserID and <a href="rzaiemod_as_auth.htm#userid">UserID</a> directives for more information.
You must also ensure that all of the resources that can be accessed by a Web
client are properly protected. See <a href="rzaiesetauth.htm">User profiles and required authorities for HTTP Server</a> for
additional information.  </p>
</div>
</div>
<div class="hr" id="secoverride"><a name="secoverride"><!-- --></a><h2 class="topictitle2">Stopping users from overriding system wide settings for HTTP Server
(powered by Apache) </h2>
<div><p>You will want to stop users from setting up .htaccess files which can override
security features. Here is one example:  </p>
<pre class="block">&lt;Directory /&gt;
   AllowOverride None
   Options None
&lt;/Directory&gt;</pre>
<p>This stops all overrides, Includes, and accesses in all directories. You
also need to set up directory containers to allow access for specific directories. </p>
</div>
</div>
<div class="hr" id="secdefault"><a name="secdefault"><!-- --></a><h2 class="topictitle2">Protect server files by default for HTTP Server (powered by Apache) </h2>
<div><p>HTTP Server (powered by Apache) has a default access feature. To prevent
clients from seeing the entire file system, add the following block to the
configuration:  </p>
<pre class="block">&lt;Directory /&gt;
   Order deny,allow
   Deny from all
&lt;/Directory&gt;</pre>
<p>This forbids default access to filesystem locations. Add appropriate <a href="rzaiemod_core.htm#directory">&lt;Directory&gt;</a> blocks
to allow access. For example,</p>
<pre class="block">&lt;Directory /users/public_html&gt;
   Order deny,allow
   Allow from all
&lt;/Directory&gt;</pre>
<p>Pay particular attention to the interactions of <a href="rzaiemod_core.htm#location">&lt;Location&gt;</a> and <a href="rzaiemod_core.htm#directory">&lt;Directory&gt;</a> directives. For example,
even if &lt;Directory /&gt; denies access, a &lt;Location /&gt; directive might
override it.</p>
</div>
</div>
<div class="hr" id="ssi"><a name="ssi"><!-- --></a><h2 class="topictitle2">Server Side Includes for HTTP Server (powered by Apache) </h2>
<div><p>Server side includes (SSI) can be configured so that users can execute
programs on the server. To disable that part of SSI use the IncludesNOEXEC
option to the Options directive.  </p>
</div>
</div>

</body>
</html>