httpd-dev mailing list archives

From Guille -bisho- <bi...@onirica.com>
Subject Re: Fwd: [Bug 8061] Avoid reading some files when httpd.conf directory style is used.
Date Tue, 16 Apr 2002 01:04:54 GMT
> > Actually, before Josh drops this into the 'Won't Consider' pile,
> 
> By the way, I am quite aggressive about "resolving" bugs like this, because
> otherwise they tend to just hang around forever.  I think it is better to
> give people some response rather than just let bugs sit there because
> nobody is quite sure what to do with them.  Others should, of course, feel
> free to undo these decisions.

I think it's interesting to increase the security by default in apache.

As I have said some time ago, I will also propose to put near the
commented lines about php and other dynamic page extensions:

# Deny requests for editor backups, swap files and include/config leftovers.
<Files ~ "(~|\.swp|\.inc|\.conf|\.bak|\.old|\.kk)$">
    Order allow,deny
    Deny from all
</Files>

Many, many people have .inc's, .old's and so on on their webservers, without
parsing by the PHP module. This directive could be commented, but near to
the code to activate PHP, for example, with indications about security.

Another important thing is having:
# Only active when the PHP module is not loaded.
<IfModule !mod_php4.c>
<Files ~ "\.php$">
    Order allow,deny
    Deny from all
</Files>
</IfModule>

Sometimes your php module fails (when you break dependencies or
something) and then all your php files are not parsed and are served "as-is"
by apache. Normally it's solved quickly, but having this config in
apache prevents this kind of problem.

-- 
        .,,,   Guillermo Pérez    -=] 16/04/2002 [=-
      _' .,,,,  - bisho@ ( onirica.com | eurielec.etsit.upm.es )
     (v)/ ,''
      ( \/    ::     Onírica: Páginas y aplicaciones web dinámicas    ::
bisho! ``\\
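
An added example, not part of the original message: a Python audit that walks a document root and lists the files the two <Files> rules in the message are meant to deny, and shows which names the same extension list would also match if its dots were left unescaped. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Extension list from the message, with the dots escaped.
SENSITIVE = re.compile(r"(~|\.swp|\.inc|\.conf|\.bak|\.old|\.kk)$")
# The same list with unescaped dots, where "." matches any character.
UNESCAPED = re.compile(r"(~|.swp|.inc|.conf|.bak|.old|.kk)$")
PHP = re.compile(r"\.php$")


def audit_docroot(docroot, php_handler_loaded=True):
    """Return sorted (relative_path, reason) pairs for files the deny rules cover."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            if SENSITIVE.search(name):
                findings.append((rel, "backup/include file"))
            elif PHP.search(name) and not php_handler_loaded:
                # Mirrors the <IfModule !mod_php4.c> case: source sent as-is.
                findings.append((rel, "php source without handler"))
    return sorted(findings)


def overblocked(names):
    """Names matched only by the unescaped pattern (unintended denials)."""
    return [n for n in names if UNESCAPED.search(n) and not SENSITIVE.search(n)]


def build_sample_docroot():
    """Constructed sample tree, not taken from the original message."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel in ("index.php", "db.inc", "index.php~", "old/config.php.bak",
                ".index.php.swp", "zinc", "style.css"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for rel, reason in audit_docroot(root, php_handler_loaded=False):
        print(f"{reason:28} {rel}")
    print("matched only by unescaped dots:", overblocked(["zinc", "db.inc"]))
```
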


