Commit 6bbf2932 authored by Kirk Webb

Updated httpd config file to reflect new access controls introduced on the Emulab web server.

Some notes:

 1) Public user web directories are now disabled
    - links from above the DocumentRoot to user devel trees must now be used.

 2) Internal access exceptions to production and devel directories are specified
    for the testbed root dir, and inherited by upper directories.
    - Simplifies configuration complexity

 3) External access to system directories (e.g., /, /usr, /var, etc.) is disallowed now
    - Previously, symlinks could allow access to system directories.
    - Individual exceptions must be introduced when access to a specific
      directory is required.
parent 7623d34c
......@@ -386,8 +386,11 @@ DocumentRoot "@prefix@/www"
# permissions.
#
<Directory />
Options FollowSymLinks
Options None
AllowOverride None
Order deny,allow
Deny from all
# Allow from 155.98.60.
</Directory>
#
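Review bot: The commented-out `# Allow from 155.98.60.` inside `<Directory />` should be removed rather than committed; uncommenting it would allow that subnet at the filesystem root and undo the default deny this block sets up. Since `Options None` also replaces `Options FollowSymLinks` here, a one-line comment saying that subtrees needing symlinks or CGI must opt in explicitly would help the next editor.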
......@@ -397,6 +400,61 @@ DocumentRoot "@prefix@/www"
# below.
#
#
# When granting access, try to minimize the number of entries and hence
# complexity of the config file. Also, remember these rules:
#
# 1) <directory> directive options & authconfigs are inherited by subdirs
# 2) Putting a '+' before an option on the 'Options' line adds it to the
# existing set (likely inherited from a dir below it).
# 3) Putting a '-' before an option removes it from the existing options set.
# 4) The 'AllowOverride' directive describes how a .htaccess file can
# override configuration file settings for a directory.
# 5) Allowing a .htaccess file to override 'options' is a security hazard.
#
# People who are involved with testbed devel can get at
# stuff under /usr/testbed, but not "outsiders". If exceptions need
# to be made under /usr/testbed, create a <Directory> entry for them
# below. Try to work under the least req'd privilige model whenever
# possible. Add people's cable modems, etc. that need general devel
# access to the /usr/testbed <Directory> entry.
#
<Directory @prefix@>
Order allow,deny
deny from all
allow from 155.99.212.
allow from 155.98.60.
allow from 204.119.59.136
allow from 18.31.0.114
allow from 18.31.0.144
allow from 24.254.69.120
# Jay's machines.
allow from 207.173.21.122
allow from 207.173.21.123
allow from 207.173.21.126
# Tim Stack
allow from 66.219.220.49
</Directory>
<Directory @prefix@/webglimpse>
Options All MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory @prefix@/www/cricket>
Options ExecCGI SymLinksIfOwnerMatch
AddHandler cgi-script .cgi
</Directory>
<Directory @prefix@/devel/*/www>
Options +ExecCGI
AllowOverride All
</Directory>
#
# This should be changed to whatever you set DocumentRoot to.
#
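Review bot: In `<Directory @prefix@>`, `Order allow,deny` combined with `deny from all` rejects every request, including those from the listed `allow from` addresses, because under that ordering the Deny directives are evaluated last and any match wins. The behaviour the comment describes needs `Order deny,allow`, as used in the `<Directory />` block. Two smaller points: rule 2 in the comment says options are inherited "from a dir below it" where the parent directory above is meant, and `AllowOverride All` on `@prefix@/webglimpse` and `@prefix@/devel/*/www` lets .htaccess files override Options, which rule 5 in the same comment calls a security hazard; narrow it to the override classes those trees actually need.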
......@@ -409,7 +467,7 @@ DocumentRoot "@prefix@/www"
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
Options MultiViews
Options All +MultiViews -Indexes
#
# This controls which options the .htaccess files in directories can
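Review bot: `Options All +MultiViews -Indexes` mixes a bare option with `+`/`-` prefixed ones on one line, which the Apache documentation describes as invalid syntax that gives unexpected results (2.4 refuses to start on it). It also widens the DocumentRoot from `Options MultiViews` to everything in `All`, including FollowSymLinks, ExecCGI and Includes. Because `<Directory>` sections are matched against the requested path and not a symlink's target, FollowSymLinks here leaves open the symlink route to system directories that the commit message says is being closed. List only the options required, without prefixes, and prefer `SymLinksIfOwnerMatch` if links are needed.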
......@@ -430,31 +488,14 @@ DocumentRoot "@prefix@/www"
# directory if a ~user request is received.
#
<IfModule mod_userdir.c>
UserDir public_html
# UserDir public_html
UserDir disabled
</IfModule>
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory @prefix@/monitor/cricket/public_html>
Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
</Directory>
<Directory @prefix@/webglimpse>
Options MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory @prefix@/www/cricket>
Options ExecCGI SymLinksIfOwnerMatch
AddHandler cgi-script .cgi
AllowOverride All
Order allow,deny
Allow from all
</Directory>
#
# DirectoryIndex: Name of the file or files to use as a pre-written HTML
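Review bot: The `<Directory @prefix@/monitor/cricket/public_html>` block is dropped here and, unlike the webglimpse and www/cricket blocks, is not re-added in the earlier hunk, so that path loses its explicit `ExecCGI` and `SymLinksIfOwnerMatch` options; confirm nothing is still served from it or move it alongside the others. The comment "Control access to UserDir directories. The following is an example" now has nothing following it and should be removed as well, together with the leftover `# UserDir public_html` line.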
......