httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Blocking invalid URIs?
Date Mon, 13 Mar 2006 07:49:40 GMT
> -----Original Message-----
> From: John Rodenbiker [mailto:jrodenbiker@rodenbiker.net] 
> Sent: Freitag, 10. März 2006 22:59
> To: users@httpd.apache.org
> Subject: [users@httpd] Blocking invalid URIs?
> 
> I'm very new to running a web server.
> 
> Is there a way to have httpd drop requests 

No. The HTTP RFC requires a server to respond to a valid HTTP request. It can respond with
an error (401, 403, 404 etc) but it must respond. [NB - a request for a resource you don't
have is a valid request].

>to URIs that don't 
> actually 
> exist in my environment?
> 
> For example, if I have a very simple web site with just the document 
> "index.html" I don't want people trying to access 
> "../../../../../users/john/secretstuff". I would prefer such attempts 
> be dropped, logged, and an alert thrown to my mailbox or a 
> script that 
> calls my cell phone.

They'll be responded with a 403 Forbidden (assuming they land outside the docroot) and logged
in the access log and error log. You can define the ErrorDocument directive to run a program
when the error is hit (see docs for details) and that program can do what you like - send
mails, ring phones etc.  Do you really want your phone to ring ever time someone sends a funny
request?

> 
> If such functionality exists, is there a way for httpd to 
> automatically 
> figure out which URIs are valid and which are not without me 
> changing a 
> database, config file, etc. every time I update my site?

No. httpd is a webserver - it parses requests, fetches the resource and sends the data. The
only way you can figure out the extent of a website is by mirroring it. So you could run something
like wget on your site, make an image, then write a module that only allowed requests if the
resource was in the image (but that's what apache does anyway?) 

> 
> It seems like this is an obvious way 

How is it obvious? What you are asking is, in parts, in violation of the RFC, impossible,
extremely difficult, performance-reducing and re-inventing the wheel.

>to prevent a host of 
> attacks on my 
> web server like 

> buffer-overflow attempts, 

Buffer overflows are identified and fixed by the guys in the white hats long before anyone
ever develops an exploit - keep up to date with patches and upgrades and you don't need to
worry.

> mis-configuration of the server, 

If you've misconfigured your server, your wget image will contain the misconfiguration so
will be allowed. UNless you define the image separately (ah - but you don't want to do that).

> cross-site scripting attacks,

Eh? This is java-script loaded into forum pages and so on... That's valid content. If you
don't want it, filter it at the form-handler.

To put your mind at ease, an up-to-date apache, with up-to-date components (OpenSSL, modules
etc) running on an up-to-date OS is a pretty solid proposition. Sure, you'll get lots of wierd
requests but they'll all end up in the bit-bucket and are nothing to worry about...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 



> etc. I 
> just can't figure out where to look to turn this on and configure it.
> 
> Thanks.
> -- 
> Freedom, Truth, Love, Beauty.
> John Rodenbiker
> jrodenbiker@rodenbiker.net
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen-
bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature.
It is not related to the exchange or business activities of the SWX Group. Le présent e-mail
est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX.
 
 
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message