Apache Notes

From NST Wiki
Revision as of 12:05, 3 March 2007 by Rwh (talk | contribs) (Tightening Security)
Jump to navigationJump to search

Apache Notes

This document provides information related to the Apache Web Server (httpd daemon) used in the NST distribution.

Security Violations

A default Apache configuration and installation tries very hard to keep the system secure. Unfortunately, these security settings make it impossible to provide the functionality we desired in the creation of the NST WUI (we needed to do things as the root user which a standard Apache installation should never permit). In particular, we have done the following:

  1. We made the apache user part of the root and nagios groups.
  2. We made it possible for the apache user to run ANY command on the system as root via the sudo command (this was done by updating the configuration file: "/etc/sudoers").

We convinced ourselves that the security violations we introduced into our Apache configuration were acceptable for the following reasons:

  1. We configured the httpd process such that it only accepted SSL connections.
  2. We configured the httpd process such that one could not gain access to it without first logging in as root.

We treat the web server on a NST system as a "pseudo" terminal access point for the root user.

Tightening Security

You can tighten security on a NST web server by limiting what systems are permitted to access which resources. This is done by adding (or replacing) the Order, Allow and Deny directives within the Directory entities that appear in the many configuration files. For example, if you wanted to limit access to the NST WUI to the local system and the system having a IP address of: "", you would specify the Order and Deny directives as shown below in the file: "/etc/httpd/conf.d/nstwui.conf".

# Directives to allow use of the nstwui-1.5.0 as a CGI
<Directory "/usr/local/nstwui-1.5.0">
  DirectoryIndex index.cgi index.html index.html.var index.php index.php3
  Options Indexes FollowSymLinks ExecCGI +Includes

  Order allow,deny
  Allow from

  AuthType Basic
  AuthName "NST WUI: System Management"
  AuthUserFile "/etc/httpd/conf/htuser.nst"
  require user root

Alias /nstwui "/usr/local/nstwui-1.5.0"

There are MANY locations where this can be done. The file: "/etc/httpd/conf/httpd.conf" contains numerous Directory entities (including the top level setting), and the directory: "/etc/httpd/conf.d" contains numerous configuration files containing Directory entities.

If you want to completely disable the web service on a NST system, run the following commands:

Commands: "service" & "chkconfig"
[root@probe ~]# service httpd off
[root@probe ~]#
[root@probe ~]# chkconfig httpd off
[root@probe ~]#
[root@probe ~]# chkconfig --list httpd
httpd            0:off   1:off   2:off    3:off    4:off    5:off    6:off
[root@probe ~]#

[root@probe]# service httpd off
Stopping httpd:                                     [  OK  ]
[root@probe]# chkconfig httpd off

Using The NST As A Public Web Server

In general, one should NEVER open a NST probe up to public access. Only those that are very comfortable with configuring Apache web servers should consider it.

If you are really determined to use the NST probe as a public access point, at a minimum you should:

  • Remove the apache user from the root and nagios groups in the file: "/etc/groups".
  • Remove the apache line in the file: "/etc/sudoers".
  • Remove the files: "/etc/httpd/conf.d/nstwui.conf" and "/etc/httpd/conf.d/fs.conf".
  • Restart the httpd service.

Once the above steps have been completed, the web server will be in a much more secure state and you should be able to start editing the configuration file(s). In particular, it is recommended to replace all Order, Allow and Deny lines in Directory entities which you do not want to share with the following:

   Order Allow,Deny
   Deny from All


Information on configuring the httpd process.