httpd-wiki-changes mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "CommonMisconfigurations" by ChrisPepper
Date Mon, 05 Jul 2010 18:25:10 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "CommonMisconfigurations" page has been changed by ChrisPepper.
http://wiki.apache.org/httpd/CommonMisconfigurations?action=diff&rev1=9&rev2=10

--------------------------------------------------

    # Options and stuff defined here.
  </VirtualHost>
  }}}
- Why is the first virtual host wrong? It's wrong on a couple of levels. The most obvious
is that some.domain.com used in the first <!VirtualHost> block doesn't match *:80 used
in !NameVirtualHost. The other being that !NameVirtualHost refers to an interface, not a domain.
For instance using *:80, means catch all interfaces on port 80. !NameVirtualHost 1.1.1.1:80,
would mean to catch the interface defined as 1.1.1.1 on port 80. While you can use a "!NameVirtualHost
some.domain.com/<!VirtualHost some.domain.com>" combination, it doesn't really make
sense and is not used... at least not used by anyone who's experienced with Apache administration.<<BR>><<BR>>
+ Why is the first virtual host wrong? It's wrong on a couple levels. The most obvious is
that some.domain.com, used in the first <!VirtualHost> block, doesn't match *:80 used
in !NameVirtualHost. The other is that !NameVirtualHost refers to an interface, not a domain.
For instance, using *:80 means all interfaces on port 80. !NameVirtualHost 1.1.1.1:80 means
address 1.1.1.1 on port 80. While you can use a "!NameVirtualHost some.domain.com/<!VirtualHost
some.domain.com>" combination, it doesn't make much sense and is not generally used...
at least not used by anyone experienced with Apache administration.<<BR>><<BR>>
  
  Reports in #httpd suggest that Webmin 1.510 (at least) may cause this issue. <<BR>><<BR>>
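Review bot: the revised paragraph mixes two terms for the same thing. It still says "!NameVirtualHost refers to an interface, not a domain", but the reworded example now reads "address 1.1.1.1 on port 80". Since the old "interface defined as 1.1.1.1" wording was dropped, pick one term, for example "refers to an address and port, not a domain", and keep "all interfaces" only for the *:80 case. Separately, "a couple levels" reads better as the original "a couple of levels".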
  
@@ -102, +102 @@

    # SSL options, other options, and stuff defined here.
  </VirtualHost>
  }}}
- Because of the nature of SSL, host information isn't used when first establishing a SSL
connection. Apache will always use the certificate of the default virtual host, which is the
first defined virtual host in name based virtual hosts. While this doesn't mean that you won't
ever be able to access the second virtual host, it does mean your users will always get a
certificate mismatch popup warning when trying to access some.domain2.com. Read more about
this at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2.<<BR>><<BR>>
Also, note that the configuration above isn't something someone would normally use for SSL,
which requires a static, non-shared IP address -- !NameVirtualHost 127.124.3.53:80 is a more
likely format. However, using !NameVirtualHost *:443 is commonly seen in howtos for Debian/Ubuntu.<<BR>><<BR>>
+ Because of the nature of SSL, host information isn't used when ''establishing'' an SSL connection.
Apache will always use the certificate of the default virtual host, which is the first defined
virtual host for name-based virtual hosts. While this doesn't mean that you won't ever be
able to access the second virtual host, it does mean your users will always get a certificate
mismatch warning when trying to access some.domain2.com. Read more about this at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2.<<BR>><<BR>>
Also, note that the configuration above isn't something someone would normally use for SSL,
which requires a static, non-shared IP address -- !NameVirtualHost 127.124.3.53:80 is a more
likely format. However, using !NameVirtualHost *:443 is common in howtos for Debian/Ubuntu.<<BR>><<BR>>
  
  === Scope ===
  ==== Adding/Restricting access and options in <Directory /> ====
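Review bot: the sentence carried unchanged into the new text, "!NameVirtualHost 127.124.3.53:80 is a more likely format", uses port 80 in a paragraph about SSL, while the very next sentence uses *:443. This looks like it should be :443, and this edit is a good place to correct it. The example address also falls inside 127.0.0.0/8 (loopback), which sits oddly beside "a static, non-shared IP address"; a non-loopback documentation address would make the point more clearly.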
@@ -144, +144 @@

    # Other options defined.
  </Directory>
  }}}
- Script aliased directories do not allow for directory listings specified with Options Indexes.
This is a security feature. Also, script aliased directories automatically try and execute
everything in them. So, Options ExecCGI is unnecessary. The DirectoryIndex directive also
does not work in a script aliased directory. The workaround for this if you really need directory
listings or other directory indexing options is to use Alias instead of ScriptAlias.<<BR>><<BR>>
Example:
+ Script aliased directories do not allow directory listings specified with Options Indexes
-- this is a security feature. Also, script aliased directories automatically try to execute
everything in them, so Options ExecCGI is unnecessary. The DirectoryIndex directive also does
not work in a script aliased directory. The workaround, if you really need directory listings
or other directory indexing options, is to use Alias instead of ScriptAlias.<<BR>><<BR>>
Example:
  
  {{{
  Alias /cgi-bin/ /var/www/cgi-bin/
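Review bot: the workaround sentence in the new paragraph undoes the two behaviours the preceding sentences describe, without saying so. The text calls the lack of directory listings "a security feature" and says Options ExecCGI is unnecessary because script aliased directories execute everything automatically, then recommends "use Alias instead of ScriptAlias". Suggest adding one sentence stating that with Alias the CGI execution is no longer implied and has to be enabled explicitly, and that turning on Indexes for that directory exposes the script names the ScriptAlias behaviour was hiding.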
