
The two values of Order differ in which set of directives is evaluated last, and therefore which one wins when a client matches both an Allow and a Deny; a client that matches neither gets the default named by the second keyword. With Order Deny,Allow , the Deny directives are evaluated first, a matching Allow overrides them, and a client that matches nothing is allowed. With Order Allow,Deny , at least one Allow must match, a matching Deny then overrides it, and a client that matches nothing is denied. The practical rule is: to admit only a few hosts, use Deny,Allow with Deny from all and a list of Allow entries; to shut out a few hosts, use Allow,Deny with Allow from all and a list of Deny entries. Getting this backwards is a common mistake, and the result is either a directory that nobody can reach or a restriction that silently admits everyone.

For example, to enable access only from computers on your internal network, assuming your network is 12.200.X.X :

Order Deny,Allow

Deny from all

Allow from 12.200.0.0/16

(Writing this as Order Allow,Deny with the Deny from all line last would lock everyone out, including the internal network: Deny from all matches the internal hosts as well, and with that Order the Deny directives are evaluated last.)

On the other hand, you could enable access only from computers that are not in your internal network; the netmask form used here is equivalent to the /16 prefix above:

Order Allow,Deny

Allow from all

Deny from 12.200.0.0/255.255.0.0

Or you could exclude access from specific domains:

Order Allow,Deny

Allow from all

Deny from .gov ourcompetition.com

Matching by domain name depends on a reverse DNS lookup of the client address (Apache then resolves the resulting name forward and accepts it only if it maps back to the same address), so it costs a DNS round trip per client and is only as trustworthy as the reverse DNS that the client's network operator controls; prefer address ranges wherever you can. Note also that the Order/Allow/Deny syntax belongs to Apache 2.0 and 2.2, the versions shipped with Fedora at the time of writing. Apache 2.4 replaced it with the Require directives (for example, Require ip 12.200.0.0/16 to admit only the internal network, or Require not ip 12.200.0.0/16 combined with Require all granted inside a <RequireAll> container to shut it out) and honours the old syntax only when mod_access_compat is loaded.
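To make the evaluation order concrete, here is an added Python model of the Order/Allow/Deny rules as documented for Apache 2.0 and 2.2. It is an example written for this lab, not code from the book or from the Apache project. It assumes 12.200.0.0/16 is the internal network, and it takes the client's reverse-resolved hostname as an explicit argument (or None), where Apache itself would perform the double-reverse DNS lookup. The configuration fragments at the bottom are constructed for the demonstration; two of them are the frequently seen mistakes in which the last-evaluated directive undoes the intended restriction.

```python
"""Evaluate Apache 2.0/2.2 Order / Allow from / Deny from rules offline.

Added example for this lab; not code from the book or from the Apache
project. It reimplements the documented evaluation rules of the Order
directive so an access-control fragment can be checked before deployment.
Apache obtains the client hostname with a double-reverse DNS lookup; here
the caller passes it in (or None when no name is available).
"""
import ipaddress


def _spec_matches(spec, client_ip, client_host):
    """Does a single Allow/Deny argument match this client?"""
    spec = spec.lower()
    if spec == "all":
        return True
    if spec.replace(".", "").replace("/", "").isdigit():
        # Address forms: full address, partial dotted address, CIDR, netmask.
        ip = ipaddress.ip_address(client_ip)
        if "/" in spec:
            # ip_network accepts "12.200.0.0/16" and "12.200.0.0/255.255.0.0"
            return ip in ipaddress.ip_network(spec, strict=False)
        if spec.count(".") == 3:
            return ip == ipaddress.ip_address(spec)
        prefix = spec.split(".")            # "12.200" is shorthand for 12.200.0.0/16
        return client_ip.split(".")[: len(prefix)] == prefix
    # Domain forms need a reverse-resolved name; without one they never match.
    if not client_host:
        return False
    host = client_host.lower().rstrip(".")
    if spec.startswith("."):
        return host.endswith(spec)                         # ".gov" matches www.irs.gov
    return host == spec or host.endswith("." + spec)       # "x.com" matches x.com, mail.x.com


def parse_access_rules(config_text):
    """Collect the Order value and the Allow from / Deny from arguments of a fragment."""
    order, allows, denies = "deny,allow", [], []           # Apache's default Order
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order" and len(words) == 2:
            order = words[1].lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allows if key == "allow" else denies).extend(words[2:])
    return order, allows, denies


def request_allowed(config_text, client_ip, client_host=None):
    """Apply the Order semantics documented for mod_access / mod_authz_host."""
    order, allows, denies = parse_access_rules(config_text)
    allow_hit = any(_spec_matches(s, client_ip, client_host) for s in allows)
    deny_hit = any(_spec_matches(s, client_ip, client_host) for s in denies)
    if order in ("allow,deny", "mutual-failure"):
        # Allow first, Deny last: a Deny beats an Allow; no match at all is denied.
        return allow_hit and not deny_hit
    if order == "deny,allow":
        # Deny first, Allow last: an Allow beats a Deny; no match at all is allowed.
        return allow_hit or not deny_hit
    raise ValueError("unsupported Order value: " + order)


# Constructed fragments for the checks below (12.200.0.0/16 assumed "internal").
WHITELIST_INTERNAL = "Order Deny,Allow\nDeny from all\nAllow from 12.200.0.0/16\n"
BLACKLIST_INTERNAL = "Order Allow,Deny\nAllow from all\nDeny from 12.200.0.0/255.255.0.0\n"
BLACKLIST_DOMAINS = "Order Allow,Deny\nAllow from all\nDeny from .gov ourcompetition.com\n"
# Two common mistakes: the trailing "Deny from all" is evaluated last and locks
# everyone out; the trailing "Allow from all" is evaluated last and lets everyone
# in, including the hosts that were meant to be excluded.
BROKEN_WHITELIST = "Order Allow,Deny\nAllow from 12.200.0.0/16\nDeny from all\n"
BROKEN_BLACKLIST = "Order Deny,Allow\nDeny from 12.200.0.0/16\nAllow from all\n"


if __name__ == "__main__":
    for name, cfg in [("whitelist", WHITELIST_INTERNAL), ("broken whitelist", BROKEN_WHITELIST),
                      ("blacklist", BLACKLIST_INTERNAL), ("broken blacklist", BROKEN_BLACKLIST)]:
        print(f"{name:17s} internal: {request_allowed(cfg, '12.200.3.4')!s:5s} "
              f"external: {request_allowed(cfg, '198.51.100.7')}")
```

Running the script prints that the whitelist admits 12.200.3.4 and rejects 198.51.100.7, that the "broken whitelist" rejects both, and that the "broken blacklist" admits both. The domain rules can only ever exclude a client that has a reverse DNS name; a client with no PTR record passes straight through them, which is one more reason to express access control in addresses.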

The AllowOverride directive controls whether Apache reads a hidden per-directory file, .htaccess , and which kinds of directives in that file may override the server configuration for the directory and its subdirectories. Although there are several possible values for this directive, it is normally set to None (no overrides are permitted, and Apache does not even look for the file, which saves a file lookup in every directory along the path of each request) or AuthConfig (the .htaccess file can require a user ID and password for the content of that directory, but cannot change options, handlers, or access rules). Whatever you permit here is available to anyone who can write files into the directory, so be sparing with values such as FileInfo , Options , and All in directories that users or web applications can write to.

The next set of directory containers configure special permissions for the icons , cgi-bin , and error directories in /var/www :

<Directory "/var/www/icons">

 Options Indexes MultiViews

 AllowOverride None

 Order Allow,Deny

 Allow from all

</Directory>

<Directory "/var/www/cgi-bin">

 AllowOverride None

 Options None

 Order Allow,Deny

 Allow from all

</Directory>

<Directory "/var/www/error">

 AllowOverride None

 Options IncludesNoExec

 AddOutputFilter Includes html

 AddHandler type-map var 

 Order Allow,Deny

 Allow from all

 LanguagePriority en es de fr

 ForceLanguagePriority Prefer Fallback

</Directory>

These directories are not within the normal DocumentRoot and are instead made accessible through the use of Alias and ScriptAlias directives:

Alias /icons/ "/var/www/icons/"

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

Alias /error/ "/var/www/error/"

These directives make the indicated directories appear to exist within the document tree; for example, a request for http://<hostname>/icons/text.png is fulfilled using the file /var/www/icons/text.png (instead of /var/www/html/icons/text.png ). This permits /var/www/html to remain uncluttered by icons, scripts, and error messages.

Since /cgi-bin/ is aliased using a ScriptAlias directive, every file in that directory is treated as a script (an executable program) rather than a document file, regardless of its extension: a request runs the file and returns its output, and the file's source is never sent to the client. In the default configuration this is the only directory that may contain CGI scripts, because no other container enables ExecCGI or assigns the cgi-script handler, so you only have to look in one place to check for script vulnerabilities. That guarantee holds only as long as nobody adds Options ExecCGI or AddHandler cgi-script elsewhere, whether in httpd.conf or, where AllowOverride permits it, in an .htaccess file, and it says nothing about server modules such as mod_php or mod_perl, which execute code found in the ordinary document tree.

7.5.1.6.4. Enabling personal web pages

To permit each user to maintain her own web directory, find the UserDir section of httpd.conf:

<IfModule mod_userdir.c>

 #

 # UserDir is disabled by default since it can confirm the presence

 # of a username on the system (depending on home directory

 # permissions).

 #

 UserDir disable

 #

 # To enable requests to /~user/ to serve the user's public_html

 # directory, remove the "UserDir disable" line above, and uncomment

 # the following line instead:

 #

 #UserDir public_html

</IfModule>

Comment out the line that reads UserDir disable and uncomment the line which reads UserDir public_html :

<IfModule mod_userdir.c>

 #

 # UserDir is disabled by default since it can confirm the presence

 # of a username on the system (depending on home directory

 # permissions).

 #

 #UserDir disable

 #

 # To enable requests to /~user/ to serve the user's public_html

 # directory, remove the "UserDir disable" line above, and uncomment

 # the following line instead:

 #

 UserDir public_html

</IfModule>

Then uncomment the container section <Directory /home/*/public_html> :

#

# Control access to UserDir directories. The following is an example

# for a site where these directories are restricted to read-only.

#

<Directory /home/*/public_html>

 AllowOverride FileInfo AuthConfig Limit

 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

 <Limit GET POST OPTIONS>

  Order allow,deny

  Allow from all

 </Limit>

 <LimitExcept GET POST OPTIONS>

  Order deny,allow

  Deny from all

 </LimitExcept>

</Directory>

Each user can then create a ~/public_html directory and place her own personal content in that directory. Apache reads that content as the apache user, not as the owner, so the permissions must let "other" users in: the home directory needs the search bit ( chmod 711 ~ ; Fedora creates home directories with mode 700, which makes Apache answer every request for the user's pages with a 403 Forbidden error), public_html and any directories beneath it should be mode 755, and files should be mode 644. Write permission for others is never needed and should not be granted; the container above deliberately restricts these directories to read-only use.

If you have SELinux enabled, each user will need to execute this command to make his content accessible to Apache:

$ chcon -R -t httpd_sys_content_t ~/public_html

In addition, the targeted policy lets httpd read home directories at all only when the httpd_enable_homedirs boolean is on; root turns it on persistently with:

# setsebool -P httpd_enable_homedirs on

A label applied with chcon lasts only until the filesystem is relabeled. To make it permanent, root can record the rule with semanage fcontext -a -t httpd_sys_content_t "/home/[^/]+/public_html(/.*)?" and then apply it with restorecon -R /home , instead of relying on chcon alone.

Alternatively, users can make their public_html content accessible to both Apache and Samba (see Lab 8.2, "Using SELinux").
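The permission requirements of the whole procedure above can be checked mechanically. The following Python script is an added example written for this lab, not code from the book or from the httpd project. It walks a home directory the way Apache's mod_userdir would have to, reports every mode bit that would stop the apache user reading the content, and reads the SELinux type of a path where the system has labels (returning None where it does not). Because it must run offline, make_sample_home builds a throwaway temporary tree that stands in for /home/<user>; the fixed=False variant reproduces Fedora's 0700 home directory default.

```python
"""Check that a home directory can actually be served by mod_userdir.

Added example for this lab, not code from the book. Apache reads a user's
public_html as the apache user, so the classic failures are a home directory
without the search bit, or content without read permission for "other".
A constructed temporary home tree stands in for /home/<user>.
"""
import os
import stat
import tempfile

OTHER_RX = stat.S_IROTH | stat.S_IXOTH


def userdir_problems(home, subdir="public_html"):
    """Return the permission problems that would stop Apache serving home/subdir."""
    problems = []
    if not (os.stat(home).st_mode & stat.S_IXOTH):
        problems.append(f"{home}: no search (x) bit for other; run: chmod 711 {home}")
    pub = os.path.join(home, subdir)
    if not os.path.isdir(pub):
        problems.append(f"{pub}: missing")
        return problems
    for root, _dirs, files in os.walk(pub):
        if (os.stat(root).st_mode & OTHER_RX) != OTHER_RX:
            # x lets Apache open files by name; r is needed for Indexes and MultiViews
            problems.append(f"{root}: needs o+rx; run: chmod 755 {root}")
        for name in files:
            path = os.path.join(root, name)
            mode = os.stat(path).st_mode
            if not (mode & stat.S_IROTH):
                problems.append(f"{path}: not readable by other; run: chmod 644 {path}")
            if mode & stat.S_IWOTH:
                problems.append(f"{path}: world-writable; run: chmod o-w {path}")
    return problems


def selinux_type(path):
    """Return the SELinux type of path, or None when the system carries no labels."""
    try:
        label = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    # A label looks like b"unconfined_u:object_r:httpd_sys_content_t:s0\x00".
    return label.rstrip(b"\x00").decode().split(":")[2]


def make_sample_home(fixed):
    """Build a throwaway home tree; fixed=False reproduces Fedora's 0700 default."""
    home = tempfile.mkdtemp(prefix="userdir-")
    pub = os.path.join(home, "public_html")
    os.mkdir(pub)
    index = os.path.join(pub, "index.html")
    with open(index, "w") as fh:
        fh.write("<p>hello</p>\n")          # constructed content
    os.chmod(home, 0o711 if fixed else 0o700)
    os.chmod(pub, 0o755 if fixed else 0o750)
    os.chmod(index, 0o644 if fixed else 0o640)
    return home


if __name__ == "__main__":
    for fixed in (False, True):
        home = make_sample_home(fixed)
        print(home, "type:", selinux_type(os.path.join(home, "public_html")))
        for problem in userdir_problems(home) or ["OK"]:
            print("  ", problem)
```

On a real system, run userdir_problems("/home/<user>") as root, or as the user for her own tree, and fix exactly what it lists; if selinux_type reports something other than httpd_sys_content_t (or another httpd-readable type) on an SELinux system, the chcon step above has not been applied or has been undone by a relabel.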

7.5.1.6.5. Using virtual hosts

Virtual hosting permits one web server to serve web pages for multiple hostnames. There are two ways of determining which site a browser is trying to reach: the web server can listen on multiple IP addresses and serve different content according to the address the request arrived on (IP-based virtual hosts), or it can serve content according to the Host: header sent by the browser (name-based virtual hosts). Keep in mind that the Host: header is supplied by the client: a request whose Host: value matches none of your virtual hosts is not rejected, but is handed to the first virtual host defined for that address and port, which therefore acts as the default and should not be one that carries private content.