1 Reply Latest reply on Feb 10, 2011 9:10 AM by Jean-Frederic Clere

    httpd.conf VirtualHost and security hardening

    Nikos Massios Novice

      Hello,

       

      We are going through a security hardening process in order to go to production. We were controlled by an external securty contractor and one of the things they noticed is the following part of our mod_cluster configuration in httpd.conf

       

       

      <VirtualHost OURHOSTNAME:6666>
          <Directory />
            Order deny,allow
            Deny from all
            Allow from  XXX.YYY.ZZZ.KKK
            Allow from  LLL.MMM.NNN.OOO
         </Directory>
        KeepAliveTimeout 60
        MaxKeepAliveRequests 0
        ...
      </VirtualHost>
      

       

       

      The complaint is that we are allowing access to the root directory / from the cluster members without further contraints.

       

      For example for our normal host (port 80) the configuration is

       

      <Directory />
          Options FollowSymLinks
          AllowOverride None
          Order deny,allow
          Deny from all
      </Directory>
      

       

      This is basically deny from all. In fact if we go on through the rest of our security settings for apache they are pretty restricive.

       

      I understand that the risk that somebody will try to bring the apache down from within the cluster members is low.

       

      The question is. Can we configure the virtual host to be more restrictive? Does mod_cluster really need to have root dirctory access on apache? And if so, why is that? My understanding was that we start the virtual host so that the JBoss AS mod_cluster.sar can send usage statistics/ status updates  to mod_cluster so that the load balancing can be more efficient. Why does this need root directory access?

       

      Thanks in advance,

       

      Nikos

       

       

       

      <VirtualHost   kleopatra:6666>
               <Directory />
                 Order deny,allow
                 Deny from all
                 Allow   from  10.200.251
              </Directory>
             KeepAliveTimeout 60
             MaxKeepAliveRequests 0
             ...
           </VirtualHost>