[web] Firewalling httpd
I run Apache on my local machine, in order to run a CMS locally and then publish out to the webserver. I realised today that this of course means that I have a publicly accessible web server, and I haven't been too careful setting permissions...
I don't have any real experience with *nix/web server security, so I was hoping you could provide some suggestions. Is there a way to configure ipfw to refuse incoming http requests (port 80 and 8080 I guess)? Or is there a way to configure Apache to only honour requests from localhost (127.0.0.1)?
The most obvious way is to have Apache only bind to localhost - this will ensure that you can never connect from a foreign host, firewall or not.
This can be accomplished with one or more "Listen" directives, e.g.
Listen 127.0.0.1:8080
Would listen only on localhost on port 8080, unless you had other "Listen" directives. More than one is permitted - this is usually used for listening on multiple ports.
If *all* your "Listen" directives name localhost (or 127.0.0.1) explicitly, Apache should be entirely inaccessible externally.
Mark
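Added example, not part of the original thread: a small Python check for the condition described above, that every "Listen" directive names a loopback address. The sample configuration text and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample httpd.conf fragment (not taken from the thread).
SAMPLE_CONF = """\
# Listen 80
Listen 127.0.0.1:8080
Listen [::1]:8080
Listen 8443 https
Listen 192.168.1.20:80
"""

# First argument of an uncommented Listen line; a trailing protocol is ignored.
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)


def parse_listen(arg):
    """Split a Listen argument into (address or None, port)."""
    if arg.startswith("["):                  # [IPv6-address]:port
        host, _, port = arg[1:].partition("]:")
        return host, int(port)
    if ":" in arg:                           # IPv4-address:port
        host, _, port = arg.rpartition(":")
        return host, int(port)
    return None, int(arg)                    # bare port: every interface


def is_loopback(host):
    """True only for localhost or an address in a loopback range."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # "*" or another name: not loopback
        return False


def exposed_listeners(conf_text):
    """Return the Listen arguments that bind to more than loopback."""
    found = (LISTEN_RE.match(line) for line in conf_text.splitlines())
    args = [m.group(1) for m in found if m]
    return [a for a in args if not is_loopback(parse_listen(a)[0])]


if __name__ == "__main__":
    for arg in exposed_listeners(SAMPLE_CONF):
        print("reachable from other hosts:", arg)
```

The check only sees the text it is given, so Listen directives in included configuration files have to be passed in as well.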
Thanks, now I don't have to worry about someone coming in over cable and using php to wipe my hard drive :)
Uh, no. A Listen on localhost still allows other people to visit the webserver IIRC. You need this:
<Directory /path/to/webroot>
    Order deny,allow
    deny from all
    allow from 127.0.0.1
</Directory>
I just realised that my local web server was probably never publicly accessible, since I am on an encrypted wireless network behind a firewalled router that does not forward ports 80 or 8080. Am I correct in this?
Yep, that's right. If your router does not forward port 80 to your machine, then the webserver will not be publicly accessible.
This topic is closed to new replies.