Apache server configuration name resolution (virtual host naming + security)

Posted by Homunculus Reticulli on Super User
Published on 2012-03-28T11:28:39Z Indexed on 2012/03/28 11:32 UTC

I have just set up a minimal (hopefully secure? - comments welcome) Apache website using the following configuration file:

<VirtualHost *:80>
        ServerName foobar.com
        ServerAlias www.foobar.com
        ServerAdmin [email protected]
        DocumentRoot /path/to/websites/foobar/web
        DirectoryIndex index.php

        # CustomLog with format nickname
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y%m.foobar.access.log" common

        LogLevel notice
        ErrorLog "|/usr/bin/cronolog /var/log/apache2/%Y%m.foobar.errors.log"

        <Directory />
                AllowOverride None
                Order Deny,Allow
                Deny from all
        </Directory>

        <Directory /path/to/websites/>
                Options -Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

I am able to access the website by using www.foobar.com; however, when I type foobar.com, I get the error 'Server not found' - why is this?

My second question concerns the security implications of the directive:

<Directory /path/to/websites/>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
</Directory>

in the configuration above. What exactly is it doing, and is it necessary? From my (admittedly limited) understanding of Apache configuration files, this means that anyone will be able to access (write to?) the /path/to/websites/ folder. Is my understanding correct? - and if yes, how is this not a security risk?

© Super User or respective owner
