Securing Your Web Pages with Apache

Maxwell's Demon and Hat Colour

"Long ago and far away
Maxwell felt the need one day
For a Demon, scarce as high
As the atoms going by.
Over heat he gave it sway,
Making warmth go either way
From the vector Nature gave.
Maxwell's Demon, come and save!"

     -- Christopher Stasheff, Her Majesty's Wizard

Chances are that your Web site has at least a few pages that you really don't want published to the Internet at large. How do you keep the Black Hats from seeing them, whilst not impeding the access of the White Hats that need the pages?

What Apache Security Won't Help

With Web security becoming a paramount concern, securing your Apache installation should be the highest priority on your to-do list. Apache expert Ken Coar explains how Apache enforces security mechanisms and what you can do to enforce a secure system.

At the time I'm writing this (February 2000), there's a lot of current-events news about major Web sites being taken down temporarily by denial-of-service (DoS) attacks. The specific attack type in question cannot be stopped by Apache, even though it may be aimed at the Web site. Apache is just a software application running on the system; these attacks are aimed at the systems themselves. As someone has pointed out, "If you have 1GB/s heading for your server then the pipe is going to saturate before Apache even gets a chance to see the packets."

But for less extreme cases, Apache's implementation of the Web security mechanisms, when properly implemented, should be more than adequate to protect your sensitive pages from exposure.

Assumptions in This Article

For the rest of this article, I'm going to make the following assumptions:

  1. your Apache source tree starts at ./apache-1.3/
  2. your Apache ServerRoot is /usr/local/web/apache
  3. your Apache DocumentRoot is /usr/local/web/htdocs
  4. the username under which Apache runs (the value of the User directive in your httpd.conf file) is nobody

All of the cd and other shell commands in this article that refer to directories use these locations.

Mandatory versus Discretionary Access Control

There are two basic types of access control: those that verify who you say you are, and those that verify who you really are. The three basic verification methods are to check

  1. what you have,
  2. what you know, or
  3. what you are

or even some combination of these. In common non-computer usage, an example of the 'what you have' method would be having the key to a padlock; you can get in if you do. 'What you know' is the method used to keep other people out of your account; if they don't know your password, tough luck for them. And 'what you are' is coming into prominent play in criminal investigations, as DNA patterns are admitted as evidence.

The best security systems use a combination. Your bank's teller machines, for instance, use a combination of the first two methods: you need to have the ATM card, and know the PIN associated with the card (or the account).

This article was originally published on Jun 29, 2000

Thanks for your registration, follow us on our social networks to keep up-to-date