Setting Permissions in Apache - Enabling CGI Scripts
(Page 4 of 4 )
Only enable CGI scripts when you need them. When you do, a good practice is to have all scripts grouped in a single folder (typically named cgi-bin). That way you will know what is executed on the server. The alternative solution is to enable script execution across the web server tree, but then it is impossible to control script execution; a developer may install a script you may not know about. To allow execution of scripts in the /var/www/cgi-bin directory, include the following <Directory> directive in the configuration file:
<Directory /var/www/cgi-bin>
Options ExecCGI
SetHandler cgi-script
</Directory>
An alternative is to use theScriptAliasdirective, which has a similar effect:
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
There is a subtle but important difference between these two approaches. In the first approach, you are setting the configuration for a directory directly. In the second, a virtual directory is created and configured, and the original directory is still left without a configuration. In the examples above, there is no difference because the names of the two directories are the same, and the virtual directory effectively hides the real one. But if the name of the virtual directory is different (e.g., my-cgi-bin/), the real directory will remain visible under its own name and you would end up with one web site directory where files are treated like scripts (my-cgi-bin/) and with one where files are treated as files (cgi-bin/). Someone could download the source code of all scripts from the latter. Using the<Directory>directive approach is recommended when the directory with scripts is under the web server tree. In other cases, you may useScriptAliassafely.
Logging
Having a record of web server activity is of utmost importance. Logs tell you which content is popular and whether your server is underutilized, overutilized, misconfigured, or misused. This subject is so important that a complete chapter is dedicated to it. Here I will only bring your attention to two details: explaining how to configure logging and how not to lose valuable information. It is not important to understand all of the meaning of logging directives at this point. When you are ready, proceed to Chapter 8 for a full coverage.
Two types of logs exist. The access log is a record of all requests sent to a particular web server or web site. To create an access log, you need two steps. First, use theLogFormatdirective to define a logging format. Then, use theCustomLogdirective to create an access log in that format:
LogFormat "%h %l %u %t "%r" %>s %b \ "%{Referer}i" \ "%{User-Agent}i"" combined
CustomLog /var/www/logs/access_log combined
The error log contains a record of all system events (such as web server startup and shutdown) and a record of errors that occurred during request processing. For example, a request for a resource that does not exist generates an HTTP404 response for the client, one entry in the access log, and one entry in the error log. Two directives are required to set up the error log, just as for the access log. The followingLogLeveldirective increases the logging detail from a default value ofnoticetoinfo. TheErrorLog directive creates the actual log file:
LogLevel info
ErrorLog /var/www/logs/error_log
Please check back next week for the continuation of this article.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
|
 This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Check it out today at your favorite bookstore. Buy this book now.
|
|
