Apache *.conf files and security

Discussion in 'Server Operation' started by robertlouwen, Jun 2, 2009.

  1. robertlouwen

    robertlouwen New Member

    Gentlemen,

    In /etc/httpd/conf/httpd.conf is this line include conf.d/*.conf so out of curiosity I looked in /etc/httpd/conf.d and found among others :

    • BackupPC.conf
    • roundcubemail.conf
    • webalizer.conf
    In these files you can find their alias, now when I go http://something.org/alias I get error 401, not authorized, error 403, forbidden and / or error 404, page not found.

    If I change
    Code:
    order deny,allow
    deny from all
    allow from 127.0.0.1 
    Into this
    Code:
    order allow,deny
    allow from all
    #allow from 127.0.0.1
    am I exposing my server to a security risk ?

    PS when I changed the code the pages showed with or without username / password prompt.
     
    Last edited: Jun 2, 2009
  2. HooGLaNDeR

    HooGLaNDeR New Member

    By altering these lines, you make it available for the whole world. If you have no problems with it, then theres no problem.
     
  3. robertlouwen

    robertlouwen New Member

    @ Hooglander,


    In the mean time I tried some other allow from lines
    • allow from 192.168.0.1, my gateway, this works
    • allow from 192.168.0.10, a computer in my home network, does not work
    • allow from 192.168.0.100, my webserver, does not work
    • allow from 62.194.xxx.xxx, my internet IP, does not work
    I would like to access these pages from every computer ( at work, at friends, when with holyday )
    There is no need for the world to access these pages.
     
  4. id10t

    id10t Member

    You can do it with a ssh tunnel...
     
  5. robertlouwen

    robertlouwen New Member

    ssh tunnel ????
     
  6. HooGLaNDeR

    HooGLaNDeR New Member

    Code:
          Order Deny,Allow
          Deny From All
          Allow From 127.0.0.1
          Allow From 192.168.0.1
          Allow From 192.168.0.100
          Allow From 62.194.xxx.xxx
    
    Alternatively, you can allow it to the world, but protect it with .htaccess
     

Share This Page