Hello,

We are going through a security hardening process in order to go to production. We were controlled by an external securty contractor and one of the things they noticed is the following part of our mod_cluster configuration in httpd.conf

<VirtualHost OURHOSTNAME:6666>
    <Directory />
      Order deny,allow
      Deny from all
      Allow from  XXX.YYY.ZZZ.KKK
      Allow from  LLL.MMM.NNN.OOO
   </Directory>
  KeepAliveTimeout 60
  MaxKeepAliveRequests 0
  ...
</VirtualHost>

The complaint is that we are allowing access to the root directory / from the cluster members without further contraints.

For example for our normal host (port 80) the configuration is

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

This is basically deny from all. In fact if we go on through the rest of our security settings for apache they are pretty restricive.

I understand that the risk that somebody will try to bring the apache down from within the cluster members is low.

The question is. Can we configure the virtual host to be more restrictive? Does mod_cluster really need to have root dirctory access on apache? And if so, why is that? My understanding was that we start the virtual host so that the JBoss AS mod_cluster.sar can send usage statistics/ status updates  to mod_cluster so that the load balancing can be more efficient. Why does this need root directory access?

Thanks in advance,

Nikos